python-pkcs11

Add support for AES_GCM

Open andreastedile opened this issue 9 months ago • 0 comments

In the documentation, I see that mechanism AES_GCM is not supported.

OpenCryptoki added support for CKM_AES_GCM a few days ago.

If I try to use that feature, python-pkcs11 raises pkcs11.exceptions.MechanismParamInvalid:

```python
import argparse

import pkcs11
from pkcs11 import KeyType, Attribute, Mechanism, Token, WrapMixin

if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="PKCS#11 automaton learning")

    parser.add_argument("so", help="Shared object")
    parser.add_argument("token_label", help="Token label")
    parser.add_argument("user_pin", help="User PIN")

    args = parser.parse_args()

    so = args.so
    token_label = args.token_label
    user_pin = args.user_pin

    lib = pkcs11.lib(so)
    token: Token = lib.get_token(token_label=token_label)

    with token.open(user_pin=user_pin) as session:
        # opencryptoki: CKM_RSA_PKCS_KEY_PAIR_GEN 512-4096 bits
        pub, priv = session.generate_keypair(KeyType.RSA,
                                             key_length=512 * 8,
                                             private_template={Attribute.EXTRACTABLE: True, Attribute.SENSITIVE: False},
                                             mechanism=Mechanism.RSA_PKCS_KEY_PAIR_GEN)

        # opencryptoki: CKM_AES_KEY_GEN 16-32 bytes
        secret = session.generate_key(KeyType.AES,
                                      key_length=32 * 8,
                                      template={Attribute.SENSITIVE: False},
                                      mechanism=Mechanism.AES_KEY_GEN)

        secret: WrapMixin
        iv = session.generate_random(128)  # 128 bits of random data used as the IV
        # Reported failure: this call raises pkcs11.exceptions.MechanismParamInvalid
        wrapped = secret.wrap_key(priv, mechanism=Mechanism.AES_GCM, mechanism_param=iv)
```

What are the steps required to support this mechanism?

andreastedile, Mar 31 '25 09:03
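
In the PKCS#11 standard the parameter of CKM_AES_GCM is a CK_GCM_PARAMS structure rather than a bare IV. The following is an added example, not code from the issue or from python-pkcs11: it lays that structure out with ctypes, assuming the field order of the PKCS#11 v3.0 header and a Unix-style `CK_ULONG`; `build_gcm_params` and `mechanism_parameter` are hypothetical helper names.

```python
import ctypes
import os

CK_ULONG = ctypes.c_ulong  # assumption: Unix-style ABI (unsigned long, no 1-byte packing)
CK_BYTE_PTR = ctypes.POINTER(ctypes.c_ubyte)

# Tag lengths that NIST SP 800-38D permits for GCM, in bits.
VALID_TAG_BITS = {128, 120, 112, 104, 96, 64, 32}


class CK_GCM_PARAMS(ctypes.Structure):
    """Field order as in the PKCS#11 v3.0 pkcs11t.h header (assumed here)."""
    _fields_ = [
        ("pIv", CK_BYTE_PTR),
        ("ulIvLen", CK_ULONG),
        ("ulIvBits", CK_ULONG),
        ("pAAD", CK_BYTE_PTR),
        ("ulAADLen", CK_ULONG),
        ("ulTagBits", CK_ULONG),
    ]


def build_gcm_params(iv: bytes, aad: bytes = b"", tag_bits: int = 128):
    """Return (params, keepalive); keepalive must outlive the C call."""
    if not iv:
        raise ValueError("GCM needs a non-empty IV")
    if tag_bits not in VALID_TAG_BITS:
        raise ValueError(f"unsupported tag length: {tag_bits} bits")
    iv_buf = (ctypes.c_ubyte * len(iv)).from_buffer_copy(iv)
    aad_buf = (ctypes.c_ubyte * len(aad)).from_buffer_copy(aad) if aad else None
    params = CK_GCM_PARAMS(
        pIv=ctypes.cast(iv_buf, CK_BYTE_PTR),
        ulIvLen=len(iv),
        ulIvBits=len(iv) * 8,
        pAAD=ctypes.cast(aad_buf, CK_BYTE_PTR) if aad else None,  # NULL when no AAD
        ulAADLen=len(aad),
        ulTagBits=tag_bits,
    )
    return params, (iv_buf, aad_buf)


def mechanism_parameter(params: CK_GCM_PARAMS):
    """(address, length) pair that CK_MECHANISM.pParameter/ulParameterLen carry."""
    return ctypes.addressof(params), ctypes.sizeof(params)


if __name__ == "__main__":
    iv = os.urandom(12)  # constructed sample: 96-bit IV
    params, keepalive = build_gcm_params(iv, aad=b"header")
    print(mechanism_parameter(params)[1], "bytes of CK_GCM_PARAMS vs", len(iv), "bytes of raw IV")
```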