
PKCS11 access to AWS CloudHSM results in CKR_SLOT_ID_INVALID error

Open vlady-github opened this issue 6 months ago • 0 comments

When XCA attempts to connect to AWS CloudHSM, via PKCS11 interface, an error "CKR_SLOT_ID_INVALID" gets triggered.

The error generated by AWS' "cloudhsm_pkcs11" library indicates:

"ERROR [136372] ThreadId(3) [cloudhsm_pkcs11::slots::slot_manager] BP000: Invalid slot id 1"

Inspecting the slots on AWS CloudHSM with "pkcs11-tool" returns:

pkcs11-tool -L --module /opt/cloudhsm/lib/libcloudhsm_pkcs11.so
Available slots:
Slot 0 (0x2000000000000001): hsm1
...

The root cause has been identified to lie in the integer type of the variables used to hold the Slot IDs. The integer type is not big enough to hold the whole number returned as a Slot ID by AWS CloudHSM (e.g. "0x2000000000000001"). As a result, the Slot ID value gets truncated (only the lower part of the number is stored, e.g. "0x00000001"), and that causes invalid Slot IDs to be used (e.g. "slot id 1") for the operations against AWS CloudHSM. Consequently, the error "CKR_SLOT_ID_INVALID" gets triggered for any operation.

The solution would be for the integer type used for the variables that hold the Slot IDs to be changed to "unsigned long long".

vlady-github, Dec 19 '23 08:12
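The truncation described in the issue, as an added illustration in C that is not XCA's code and not taken from the report: a constructed slot list carries the ID that CloudHSM reports (0x2000000000000001; the second entry is made up), one accessor stores it in a 32-bit integer the way the narrow variable in the bug would, the other in `unsigned long long` as the proposed fix does, and a simulated HSM-side lookup stands in for the library's slot check. `slot_id_narrow`, `slot_id_wide`, `hsm_accepts_slot` and `slot_id_fits` are hypothetical names chosen for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: the slot list as AWS CloudHSM reports it in the issue
 * (Slot 0 has ID 0x2000000000000001). The second ID is made up for illustration. */
static const unsigned long long SAMPLE_SLOT_IDS[] = {
    0x2000000000000001ULL,
    0x2000000000000002ULL,
};
#define SAMPLE_SLOT_COUNT (sizeof SAMPLE_SLOT_IDS / sizeof SAMPLE_SLOT_IDS[0])

/* "Before": the slot ID is copied into a 32-bit variable (hypothetical, mirrors
 * the bug in the report). The upper 32 bits are silently discarded, so
 * 0x2000000000000001 becomes 1, which is exactly the "Invalid slot id 1" the
 * CloudHSM library logs. */
unsigned int slot_id_narrow(size_t index) {
    unsigned int id = (unsigned int)SAMPLE_SLOT_IDS[index];
    return id;
}

/* "After": the fix proposed in the issue, unsigned long long (at least 64 bits),
 * keeps the full value. */
unsigned long long slot_id_wide(size_t index) {
    unsigned long long id = SAMPLE_SLOT_IDS[index];
    return id;
}

/* Simulated HSM-side check: only IDs from the real slot list are accepted.
 * Returns 1 for a valid ID, 0 where the library would return CKR_SLOT_ID_INVALID. */
int hsm_accepts_slot(unsigned long long id) {
    for (size_t i = 0; i < SAMPLE_SLOT_COUNT; i++) {
        if (SAMPLE_SLOT_IDS[i] == id) {
            return 1;
        }
    }
    return 0;
}

/* Defensive check a caller can apply before storing a slot ID in a variable of
 * width_bits bits: 1 if the value survives the round-trip unchanged, 0 if the
 * narrowing would lose high-order bits. */
int slot_id_fits(unsigned long long id, size_t width_bits) {
    if (width_bits >= 64) {
        return 1;
    }
    return (id >> width_bits) == 0;
}

int main(void) {
    for (size_t i = 0; i < SAMPLE_SLOT_COUNT; i++) {
        unsigned int narrow = slot_id_narrow(i);
        unsigned long long wide = slot_id_wide(i);
        printf("slot %zu: wide=0x%llx accepted=%d | narrow=0x%x accepted=%d | fits32=%d\n",
               i, wide, hsm_accepts_slot(wide),
               narrow, hsm_accepts_slot(narrow),
               slot_id_fits(wide, 32));
    }
    return 0;
}
```

In the standard PKCS#11 header pkcs11t.h, CK_SLOT_ID is a CK_ULONG, i.e. `unsigned long`, which is only 32 bits on LLP64 platforms such as 64-bit Windows; the issue does not say on which platform the error was seen, so the example declares its own types instead of including the Cryptoki header. The `slot_id_fits` check is the kind of assertion worth adding wherever a slot ID crosses into a narrower type, since the truncated value is still a plausible-looking small integer and only fails later, at the HSM.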