The PKCS#11 backend key-wraps (encrypts) the project-specific Key Encryption Keys (pKEKs) using the master encryption key (MKEK). The mechanism for wrapping/unwrapping the keys was hard-coded to use CKM_AES_CBC_PAD.

This patch refactors the pkcs11 module to make this mechanism configurable. This is necessary to fix Bug #2036506 because some PKCS#11 devices and software implementations no longer allow CKM_AES_CBC_PAD to be used for key wrapping.

Supported key wrap mechanisms now include:

* CKM_AES_CBC_PAD
* CKM_AES_KEY_WRAP_PAD
* CKM_AES_KEY_WRAP_KWP

Closes-Bug: #2036506
Change-Id: Ic2009a2a55622bb707e884d6a960c044b2248f52
23 lines
1.0 KiB
YAML
---
deprecations:
  - |
    The `[p11_crypto_plugin]hmac_keywrap_mechanism` option has been replaced
    by `[p11_crypto_plugin]hmac_mechanism`. This option was renamed to avoid
    confusion since this mechanism is only used to sign encrypted data and
    never used for key wrap encryption.
security:
  - |
    The PKCS#11 backend driver has been updated to support newer Key Wrap
    mechanisms. New deployments should use CKM_AES_KEY_WRAP_KWP, but
    CKM_AES_KEY_WRAP_PAD and CKM_AES_CBC_PAD are also supported for
    compatibility with older devices that have not yet implemented PKCS#11
    Version 3.0.
fixes:
  - |
    Fixed Bug #2036506 - This patch replaces the hard-coded CKM_AES_CBC_PAD
    mechanism used to wrap pKEKs with an option to configure this mechanism.
    Two new options have been added to the [p11_crypto_plugin] section of the
    configuration file: `key_wrap_mechanism` and `key_wrap_generate_iv`. These
    options default to `CKM_AES_CBC_PAD` and `True` respectively to preserve
    backwards compatibility.
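A configuration check built from the options this release note names, added here as an example and not part of the project's own code. It flags the deprecated option name, an unsupported `key_wrap_mechanism`, and a deployment still on the `CKM_AES_CBC_PAD` default; the `audit` function, its severity levels and the sample config are assumptions made for illustration.

```python
import configparser

SECTION = "p11_crypto_plugin"
# Names and defaults below come from the release note; nothing else is assumed.
SUPPORTED = ("CKM_AES_CBC_PAD", "CKM_AES_KEY_WRAP_PAD", "CKM_AES_KEY_WRAP_KWP")
RECOMMENDED = "CKM_AES_KEY_WRAP_KWP"
DEFAULT_MECHANISM = "CKM_AES_CBC_PAD"

# Constructed sample: a config written before the rename, with no key wrap options.
SAMPLE_CONF = """
[p11_crypto_plugin]
hmac_keywrap_mechanism = CKM_SHA256_HMAC
"""


def audit(conf_text):
    """Return (level, option, message) findings for [p11_crypto_plugin]."""
    # default_section is moved aside so [DEFAULT] values are not inherited here.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   default_section="__unused__")
    cp.read_string(conf_text)
    if not cp.has_section(SECTION):
        return [("info", SECTION, "section not present")]
    opts, found = cp[SECTION], []

    if "hmac_keywrap_mechanism" in opts:
        found.append(("warn", "hmac_keywrap_mechanism",
                      "deprecated name; replaced by hmac_mechanism"))

    # An absent option means the backwards-compatible default is in effect.
    mech = opts.get("key_wrap_mechanism", DEFAULT_MECHANISM).strip()
    if mech not in SUPPORTED:
        found.append(("error", "key_wrap_mechanism",
                      "%s is not a supported mechanism" % mech))
    elif mech != RECOMMENDED:
        origin = "set explicitly" if "key_wrap_mechanism" in opts else "by default"
        found.append(("info", "key_wrap_mechanism",
                      "%s in use (%s); %s is recommended for new deployments"
                      % (mech, origin, RECOMMENDED)))

    try:
        opts.getboolean("key_wrap_generate_iv", fallback=True)
    except ValueError:
        found.append(("error", "key_wrap_generate_iv", "value is not a boolean"))
    return found


if __name__ == "__main__":
    for level, option, message in audit(SAMPLE_CONF):
        print("%-5s %-24s %s" % (level, option, message))
```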