PKCS#11 provider issues with min and max size

Tomas Gustavsson tomas at primekey.se
Tue Jan 30 08:22:23 UTC 2018


Hi,

At some revision in the PKCS#11 provider there was introduced checking
of C_GetMechanismInfo min and max sizes.

This has turned out to be a bit fragile. Let me give two real world
examples:

1. Amazon Cloud HSM report minSize and maxSize for EC keys to 0. The
Java PKCS#11 provider will happily take 0 as maxSize and refuse to
generate any EC keys at all. Needless to say, without the Java check it
would be no problem.

131: C_GetMechanismInfo
2018-01-30 07:52:20.740
[in] slotID = 0x1
 CKM_EC_KEY_PAIR_GEN
[out] pInfo:
CKM_EC_KEY_PAIR_GEN           : min:0 max:0 flags:0x10001 ( Hardware
KeyPair )
Returned:  0 CKR_OK

(we are reporting this to Amazon as well)

2. Thales HSMs (some?) report maxSize for RSA_PKCS key generation as
4096, but will happily generate 8192 bit keys. I.e. the reported maxSize
is not true.
We have customers who used to generate 8192 bit RSA keys, but after a
Java update can not do so anymore, because Java compares against this value.


* Suggestions:

1. In the constructor of P11KeyPairGenerator where minKeyLen and
maxKeyLen are calculated, never allow maxKeyLen to be less than minKeyLen.

I.e. change the part:
        // auto-adjust default keysize in case it's out-of-range
        if ((minKeyLen != -1) && (keySize < minKeyLen)) {
            keySize = minKeyLen;
        }
        if ((maxKeyLen != -1) && (keySize > maxKeyLen)) {
            keySize = maxKeyLen;
        }

To include something like:
        // auto-adjust default keysize in case it's out-of-range
        if ((minKeyLen != -1) && (keySize < minKeyLen)) {
            keySize = minKeyLen;
        }
        if ((maxKeyLen != -1) && (maxKeyLen < minKeyLen)) {
            maxKeyLen = minKeyLen;
        }
        if ((maxKeyLen != -1) && (keySize > maxKeyLen)) {
            keySize = maxKeyLen;
        }

2. Allow to ignore checking of maxKeyLen by some means, i.e. allow to
ignore checking against C_GetMechanismInfo if you know that the HSM does
not provide sane values. I.e. an environment variable for example
reverting back to the old behavior when these were ignored.

Regards,
Tomas Gustavsson

-- 
**********
PrimeKey Solutions AB
Lundagatan 16, 171 63 Solna, Sweden
Mob: +46 (0)707421096
Internet: www.primekey.se
Twitter: twitter.com/primekeyPKI
**********


More information about the security-dev mailing list