Comments (5)
jariq
commented on May 28, 2024
Hello Armando,
you did not provide any code so I can only guess that you are referring to the CKA_CHECK_VALUE attribute of the secret key. PKCS#11 implementation is not required to support this attribute so it may not be supported by the SafeNet PKCS#11 implementation. You should consult HSM documentation or contact vendor support to check if this is the case.
Anyway it seems that alternatively the value of this attribute can be easily acquired by encrypting single block of null bytes. There is following statement about the value of CKA_CHECK_VALUE attribute in PKCS#11 specification:
Unless otherwise specified for the object definition, the value of this attribute is derived from the key object by taking the first three bytes of an encryption of a single block of null (0x00) bytes, using the default cipher and mode (e.g. ECB) associated with the key type of the secret key object.
More detailed explanation can also be found at stackoverflow.com. Please let me know if this helped.
from pkcs11interop.
inorton
commented on May 28, 2024
On 4 June 2014 21:29, Jaroslav Imrich [email protected] wrote:
CKA_CHECK_VALUE
I think you can prevent CKA_CHECK_VALUE from being created by setting a
template value.
from pkcs11interop.
inorton
commented on May 28, 2024
Yes, if you set CKA_CHECK_VALUE to nothing in the template when
creating the key, or set it using C_SetAttributeValue() then it will
be wiped out.
The CKA_CHECK_VALUE for symmetric operations is the first three bytes
of an ECB encrypt, for certificate objects i think it the first three
bytes of the sha1 hash of the object data.
On 5 June 2014 20:14, Ian Norton [email protected] wrote:
On 4 June 2014 21:29, Jaroslav Imrich [email protected] wrote:
CKA_CHECK_VALUE
I think you can prevent CKA_CHECK_VALUE from being created by setting a
template value.
from pkcs11interop.
inorton
commented on May 28, 2024
Another possibility is that the safenet box doesn't support it (it was
introduced in v2.20) I just tested my ncipher card and it doesn't
support CKA_CHECK_VALUE yet either but responds with
CKR_ATTRIBUTE_TYPE_INVALID. Some vendors simply return nothing if they
don't support the attribute fully.
On 5 June 2014 20:17, Ian Norton [email protected] wrote:
Yes, if you set CKA_CHECK_VALUE to nothing in the template when
creating the key, or set it using C_SetAttributeValue() then it will
be wiped out.The CKA_CHECK_VALUE for symmetric operations is the first three bytes
of an ECB encrypt, for certificate objects i think it the first three
bytes of the sha1 hash of the object data.On 5 June 2014 20:14, Ian Norton [email protected] wrote:
On 4 June 2014 21:29, Jaroslav Imrich [email protected] wrote:
CKA_CHECK_VALUE
I think you can prevent CKA_CHECK_VALUE from being created by setting a
template value.
from pkcs11interop.
armando-basile
commented on May 28, 2024
thanks to all :) i added check value generation in my class, so i don't use CKA_CHECK_VALUE anymore.
from pkcs11interop.
Related Issues (20)
- Private key is not in certificate
- Method C_OpenSession returned CKR_CRYPTOKI_NOT_INITIALIZED
- Pkcs11Interop is not supported on this platform HOT 25
- Missing attribute CKA_NAME_HASH_ALGORITHM
- problem in Pkcs11Interop with new dll from epass 2003
- CKR_OPERATION_NOT_INITIALIZED in multithreaded application
- Missing param represents object handle
- Method C_Login returned CKR_SESSION_HANDLE_INVALID
- Incorrect CK_VERSION string value
- Get Key Value From HSM
- Not able to use C_Sign with yubikey PIV slot with CKA_ALWAYS_AUTHENTICATE HOT 5
- Linux : NativeULong as System.UInt32 causes error while accessing CK_GCM_PARAMS structure from PKCS11 standards HOT 2
- mac os compile problem MAUI .net core 7.0 how to fix ?
- SafeNet Data Objects HOT 7
- ComputeDigest/CreateDigestInfo - with newest Pkcs11Interop - how to ?
- C_Sign returned CKR_OPERATION_NOT_INITIALIZED in multithreaded application
- C_Encrypt with AES mechanism always returns with CKR_GENERAL_ERROR HOT 1
- C_FindObjects does return with nothing while running application in docker
- C_FindObjects does return with nothing while running application in docker HOT 3
- session.Decrypt returning garbage characters appended in PKCS#11 Multipart Decryption with Pkcs11Interop v 4.x.x
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from pkcs11interop.