Cannot generate 32 bytes AES Secret using pkcs11js

I wanted to generate a 32-byte AES secret key with the code below. I am using the node module pkcs11js because I need to connect to an HSM. However, when I print the length of the key, it shows 8 instead of 32.
// Bootstrap: load the SoftHSM2 PKCS#11 module and initialise the library.
const path = require('path');
const pkcs11js = require("pkcs11js");
const crypto = require('crypto');

// SOFTHSM2_CONF is set before the module is loaded so SoftHSM reads the config
// file in this file's parent directory instead of whatever the system default is.
process.env['SOFTHSM2_CONF'] = path.resolve(__dirname, '../softhsm2.conf');

// Single PKCS11 wrapper instance shared (as module-level state) by the helpers below.
const pkcs11 = new pkcs11js.PKCS11();
// Machine-specific absolute Homebrew path to libsofthsm2; not configurable here.
pkcs11.load("/usr/local/Cellar/softhsm/2.4.0/lib/softhsm/libsofthsm2.so");
pkcs11.C_Initialize();
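/**
 * Runs a PKCS#11 object search and returns every matching object handle.
 *
 * @param {object} pkcs11 - pkcs11js PKCS11 instance (passed in rather than the module global).
 * @param {Buffer} pkcs11Session - open session handle.
 * @param {Array<{type: number, value: *}>} pkcs11Template - attribute template to match.
 * @returns {Buffer[]} matching object handles; empty when nothing matches.
 * @throws whatever the C_FindObjects* calls throw. The search is finalised
 *   before the error propagates so the session is not left mid-search.
 */
const _pkcs11FindObjects = (pkcs11, pkcs11Session, pkcs11Template) => {
  pkcs11.C_FindObjectsInit(pkcs11Session, pkcs11Template);
  const objs = [];
  try {
    // As used here, C_FindObjects yields one handle per call and a falsy
    // value once the search is exhausted.
    let obj = pkcs11.C_FindObjects(pkcs11Session);
    while (obj) {
      objs.push(obj);
      obj = pkcs11.C_FindObjects(pkcs11Session);
    }
  } finally {
    // Without this, a throw mid-search leaves the find operation active on the
    // session and the next C_FindObjectsInit on it typically fails.
    pkcs11.C_FindObjectsFinal(pkcs11Session);
  }
  return objs;
};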
// Opens a read/write session on the token in slot `slotNumber`.
// NOTE(review): the page's text is cut off in the middle of the C_OpenSession
// line below — the rest of the try block (including whatever used `pin`) and
// the return of the session handle that the caller expects are not visible,
// so only the statements that survived are documented here.
const _pkcs11Login = (slotNumber, pin) =>
let s = null;
try
// The `true` argument asks only for slots that currently hold a token.
const slots = pkcs11.C_GetSlotList(true);
const slot = slots[slotNumber];
// token_info is never read in the visible text.
var token_info = pkcs11.C_GetTokenInfo(slot);
// Read/write session; the line is truncated and runs straight into the catch.
s = pkcs11.C_OpenSession(slot, pkcs11js.CKF_RW_SESSION catch (e)
// On error: close the session if one was opened, then tear the whole library
// down — after C_Finalize, later calls on `pkcs11` in this file will fail.
if (s != null)
pkcs11.C_CloseSession(s);
pkcs11.C_Finalize();
/**
 * Looks up the secret-key object whose CKA_ID equals `ski`.
 *
 * @param {Buffer} session - open session handle.
 * @param {string|Buffer} ski - value stored in the key's CKA_ID attribute.
 * @returns {Buffer|null} the object handle when exactly one object matches,
 *   otherwise null (no match and an ambiguous multi-match both yield null).
 */
const _findAESKey = (session, ski) => {
  const template = [
    { type: pkcs11js.CKA_ID, value: ski },
    { type: pkcs11js.CKA_CLASS, value: pkcs11js.CKO_SECRET_KEY },
  ];
  const matches = _pkcs11FindObjects(pkcs11, session, template);
  // What comes back is a handle naming the object inside the token, not key bytes.
  return matches.length === 1 ? matches[0] : null;
};
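/**
 * Generates a 256-bit AES key on the token unless one with this CKA_ID exists.
 *
 * @param {Buffer} session - open, logged-in session handle.
 * @param {string|Buffer} ski - CKA_ID under which the key is stored and looked up.
 * @returns {Buffer} the handle of the existing or newly generated key object
 *   (existing callers ignore the value; the original returned nothing).
 * @throws whatever C_GenerateKey throws, e.g. when the token does not support
 *   the mechanism.
 */
const _createAESKey = (session, ski) => {
  const existing = _findAESKey(session, ski);
  if (existing != null) {
    console.log('Key already exists. No need to re-create');
    return existing;
  }
  const template = [
    { type: pkcs11js.CKA_ID, value: ski },
    { type: pkcs11js.CKA_CLASS, value: pkcs11js.CKO_SECRET_KEY },
    // CKA_TOKEN: persist on the token rather than only for this session.
    { type: pkcs11js.CKA_TOKEN, value: true },
    { type: pkcs11js.CKA_LABEL, value: "My AES Key" },
    // CKA_VALUE_LEN 32 bytes = AES-256.
    { type: pkcs11js.CKA_VALUE_LEN, value: 32 },
    { type: pkcs11js.CKA_ENCRYPT, value: true },
    { type: pkcs11js.CKA_DECRYPT, value: true },
    { type: pkcs11js.CKA_PRIVATE, value: true },
    // NOTE(review): CKA_SENSITIVE / CKA_EXTRACTABLE are not set, so whether the
    // key bytes can ever be read back out of the token is left to the token's
    // defaults. For a key that must never leave the HSM, set them explicitly.
  ];
  // The result is the new object's handle — a reference into the token, not key material.
  return pkcs11.C_GenerateKey(session, { mechanism: pkcs11js.CKM_AES_KEY_GEN }, template);
};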
// Driver: open a session on slot 0, create the key if needed, then look it up.
// NOTE(review): the PIN is a hard-coded secret in source; read it from the
// environment or a secrets store instead of committing it.
const SKI = `9Rf3uJ7CEdKIhUvQu/2KN8hK0Kce0zYfPXSc8xAK4Oc=`;
const session = _pkcs11Login(0, '98765432');
_createAESKey(session, SKI);
// `key` is a PKCS#11 object handle (pkcs11js hands these back as small
// Buffers), not the 32 key bytes — hence the 8 reported below.
const key = _findAESKey(session, SKI);
console.log(`key length: ${key.length}`); //key length: 8
The reason is that I want to encrypt data using the function below, which requires a key length of 32.
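/**
 * Encrypts `s` with AES-256-CTR under `secret`; returns hex(iv) + hex(ciphertext).
 *
 * @param {*} s - value to encrypt; coerced with String() and read as UTF-8.
 * @param {Buffer|string} secret - the raw 32-byte AES key. A PKCS#11 object
 *   handle is not usable here: the key bytes must be in process memory. A key
 *   that lives in an HSM should instead be used through the HSM's own
 *   C_EncryptInit/C_Encrypt on the handle rather than exported.
 * @returns {string} 32 hex chars of IV followed by the hex ciphertext.
 * @throws {Error} 'Invalid key length' (from createCipheriv) when secret is not 32 bytes.
 */
const encryptString = (s, secret) => {
  // Use all 16 random bytes as the CTR nonce. The original took 16 *hex
  // characters* of a random buffer as the IV string: 16 bytes carrying only
  // 64 bits of randomness. CTR is only safe while (key, nonce) never repeats.
  const iv = crypto.randomBytes(16);
  const cipher = crypto.createCipheriv('aes-256-ctr', secret, iv);
  const encrypted = cipher.update(String(s), 'utf8', 'hex') + cipher.final('hex');
  // To decrypt, split off the first 32 hex chars as the IV. CTR gives
  // confidentiality only (no integrity); prefer an AEAD mode such as
  // aes-256-gcm when the ciphertext could be tampered with in transit.
  return iv.toString('hex') + encrypted;
};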
// Demo: encrypt a sample string with the looked-up key. Because `key` is an
// object handle rather than 32 key bytes, createCipheriv rejects it with the
// "Invalid key length" error the question reports.
const e = encryptString('shezhuan sauce', key);
console.log(`encrypted string: ${e}`);
The above code generates an "Invalid key length" error.
2 Answers
Based on the answer here: https://github.com/PeculiarVentures/pkcs11js/issues/34, I am able to extract the secret key by getting the CKA_VALUE attribute, but I need to set the following during key generation: pkcs11js.CKA_EXTRACTABLE, value: true. I understand that this of course defeats the purpose of an HSM, which is not to expose the secret.
pkcs11js.CKA_EXTRACTABLE, value: true
The core issue here is that the mechanism used is not supported by SoftHSM, which is why only the get/set-attribute approach is used. It is possible to get the length of a value without marking it extractable, but only if the mechanism is supported by the HSM/PKCS#11 implementation.