Hi @mode51software, great work on the plugin btw!!
Was trying to use the plugin to generate keys on AWS CloudHSM, but I'm getting a `CKR_ATTRIBUTE_VALUE_INVALID` during the key creation.
```
> vault write hsm-pki/root/generate/internal common_name="Root CA" ttl=87600h
Error writing data to hsm-pki/root/generate/internal: Error making API request.
URL: PUT http://127.0.0.1:8200/v1/hsm-pki/root/generate/internal
Code: 400. Errors:
* pkcs11: 0x13: CKR_ATTRIBUTE_VALUE_INVALID
```
Plugin config:
```
lib = "/opt/cloudhsm/lib/libcloudhsm_pkcs11.so"
slot_id = 1
pin = "vault_user:xxxxxx"
key_label = "vault"
connect_timeout_s = 10
read_timeout_s = 5
```
According to its documentation, CloudHSM does not support all attributes (https://docs.aws.amazon.com/cloudhsm/latest/userguide/pkcs11-attributes.html, https://docs.aws.amazon.com/cloudhsm/latest/userguide/ki-pkcs11-sdk.html), but I'm able to generate the keys using pkcs11-tool. There is a similar warning, but the keys are created.
```
> pkcs11-tool --module /opt/cloudhsm/lib/libcloudhsm_pkcs11.so --login --pin "vault_user:xxxxx" --keypairgen --key-type rsa:2048 --label 'test7'
Using slot 0 with a present token (0x1)
Key pair generated:
Private Key Object; RSA
label: test7
Usage: decrypt, sign
C_GetAttributeValue failed with error CKR_ATTRIBUTE_TYPE_INVALID : 0x00000012
, unwrap
Public Key Object; RSA 2048 bits
label: test7
Usage: encrypt, verify, wrap
```
Any idea what it could be?