botan
botan copied to clipboard
randombit
Attribute Invalid when trying to Generate an AES Key with LowLevel API
Using the same parameters as with the raw PKCS11 library I get a PKCS11 error 19 (Attribute Invalid) when trying to generate an AES key with the LowLevel API of Botan wrapping the same SoftHSM2 library. The difference is that the raw PKCS11 lib is running on Windows and the Botan code under Linux.
I have successfully used the high-level API of Botan to generate RSAKey Pairs to do encryption and signature.
The code of raw PKCS11 is:
extractable is TRUE, token is FALSE, keyLen is 32, keyLabel is AES-KEY-REF CK_MECHANISM ckMechanism; ckMechanism.mechanism = CKM_AES_KEY_GEN; ckMechanism.pParameter = NULL; ckMechanism.ulParameterLen = 0;
CK_ULONG secretKeyClass = CKO_SECRET_KEY;
CK_BBOOL isToken = token;
CK_BBOOL isSensitive = (CK_TRUE == extractable) ? CK_FALSE : CK_TRUE;
CK_BBOOL isExtractable = extractable;
CK_BBOOL isTrue = CK_TRUE;
CK_BBOOL isFalse = CK_FALSE;
CK_ULONG keyAes = CKK_AES;
CK_ATTRIBUTE aesTempl[] = {
{ CKA_CLASS, &secretKeyClass, sizeof(CK_ULONG) },
{ CKA_KEY_TYPE, &keyAes, sizeof(CK_ULONG) },
{ CKA_TOKEN, &isToken, sizeof(CK_BBOOL) },
{ CKA_VALUE_LEN, &keyLen, sizeof(CK_ULONG) },
{ CKA_LABEL, (CK_VOID_PTR)keyLabel, (CK_ULONG) strlen(keyLabel) },
{ CKA_PRIVATE, &isTrue, sizeof(CK_BBOOL) },
{ CKA_SENSITIVE, &isSensitive, sizeof(CK_BBOOL) },
{ CKA_EXTRACTABLE, &isExtractable, sizeof(CK_BBOOL) },
{ CKA_ENCRYPT, &isTrue, sizeof(CK_BBOOL) },
{ CKA_DECRYPT, &isTrue, sizeof(CK_BBOOL) }
};
CK_RV rv = pkcs11fcts->C_GenerateKey(hSession, &ckMechanism, aesTempl, sizeof(aesTempl) / sizeof(CK_ATTRIBUTE), phAesKey);
The code using Botan LowLevel API is, with all the same parameters
PKCS11::ObjectHandle hAesKey;
PKCS11::Mechanism ckMechanism;
ckMechanism.mechanism = CKM_AES_KEY_GEN;
ckMechanism.pParameter = nullptr;
ckMechanism.ulParameterLen = 0L;
CK_ULONG secretKeyClass = CKO_SECRET_KEY;
CK_BBOOL isTrue = CK_TRUE;
CK_BBOOL isFalse = CK_FALSE;
CK_ULONG keyAes = CKK_AES;
PKCS11::Attribute aesAttributes[] { { CKA_CLASS, &secretKeyClass, sizeof(CK_ULONG) },
{ CKA_KEY_TYPE, &keyAes, sizeof(CK_ULONG) },
{ CKA_TOKEN, &isFalse, sizeof(CK_BBOOL) },
{ CKA_VALUE_LEN, &keySize, sizeof(CK_ULONG) },
{ CKA_LABEL, (CK_VOID_PTR)keyLabel.c_str(),
(CK_ULONG)keyLabel.size() },
{ CKA_PRIVATE, &isTrue, sizeof(CK_BBOOL) },
{ CKA_SENSITIVE, &isFalse, sizeof(CK_BBOOL) },
{ CKA_EXTRACTABLE, &isTrue, sizeof(CK_BBOOL) },
{ CKA_ENCRYPT, &isTrue, sizeof(CK_BBOOL) },
{ CKA_DECRYPT, &isTrue, sizeof(CK_BBOOL) } };
PKCS11::ReturnValue pkcsRet;
(*m_pkcsModule)
->C_GenerateKey(m_pkcsSession->handle(), &ckMechanism, aesAttributes,
sizeof(aesAttributes) / sizeof(CK_ATTRIBUTE), &hAesKey, &pkcsRet);
pkcsRet = Botan::PKCS11::ReturnValue::AttributeValueInvalid
I have compared all the parameters one by one and I couldn't find any difference, except that sizeof(CK_ULONG) is 8 under Linux and 4 under Windows, both codes compiled for 64 bits.
Unfortunately, I have no way to know which Attribute is supposed to be incorrect. For both programs, the session is created and logged in. I haven't tried yet the Botan code used on Linux with the version of Softhsm2 on Windows.
If anyone could see something wrong with my Botan code, I'll appreciate it, or a working code that generates an AES key with the Botan LowLevel API.
Thanks for any help.
