7 tests fail when running AWS test suite for CloudHSM pkcs11 on SDK 5


Hello, please help with this issue:

When executing the tests provided in https://github.com/aws-samples/aws-cloudhsm-pkcs11-examples on Amazon Linux 2023 with CloudHSM SDK 5, 7 AES-wrapping-related tests fail, all with the same message:

Could not determine size of wrapped key:

The following tests FAILED:

  • 12 - aes_gcm_wrapping (Failed)

  • 13 - aes_no_padding_wrapping (Failed)

  • 14 - aes_zero_padding_wrapping (Failed)

  • 15 - aes_wrapping (Failed)

  • 16 - rsa_wrapping (Failed)

  • 17 - wrap_with_template (Failed)

  • 18 - unwrap_with_template (Failed)

This is my cmake command:

cmake .. -DHSM_USER=qqq -DHSM_PASSWORD=yyy -DTRUSTED_WRAPPING_KEY_HANDLE=zzz

where zzz is a decimal integer and the corresponding AWS wrap key exists in the HSM.

Here is some more log:

12/26 Testing: aes_gcm_wrapping
12/26 Test: aes_gcm_wrapping
Command: "/home/ec2-user/aws-samples/aws-cloudhsm-pkcs11-examples/build/src/wrapping/aes_gcm_wrapping" "--pin" "qqq:yyy"
Directory: /home/ec2-user/aws-samples/aws-cloudhsm-pkcs11-examples/build/src/wrapping
"aes_gcm_wrapping" start time: Nov 17 19:14 UTC
Output:
Could not determine size of wrapped key: 6
Running AES-GCM wrap...
end of output

I'll be very grateful if someone could provide a solution.

asked 10 months ago, 375 views
1 Answer
Accepted Answer

Hello,

Please see the following recommendations that are based on previous testing from my side:

  1. Ensure that you are making use of the most recent version of Client SDK5 (version 5.10.0). You can download it via this download link. Install the latest version of Client SDK 5 PKCS11 library and set it up according to AWS recommendations.

  2. If you only have 1 HSM node in your CloudHSM cluster, please also disable the key availability check requirement by running the command "sudo /opt/cloudhsm/bin/configure-pkcs11 --disable-key-availability-check".

With the recommendations above, I only expect that 2 tests will fail:

     18 - unwrap_with_template (Failed)
     21 - ecdh (Failed)

SDK 5 does not use the same key handles across different sessions (test 18), and the PKCS#11 mechanism used for key derivation is CKM_ECDH1_DERIVE, which is not supported by SDK 5 (test 21).

It is important to use the latest version of client SDK5 because some earlier versions (for example version 5.0.0) were released with limited support for just a few key types, mechanisms, API operations and client attributes. Hence you will get failures if you are testing all the samples against a version of Client SDK 5 that does not support a mechanism that is being tested. In a similar way, you will also get failures for certain tests that involve API operations where the "key availability check" is performed, but you only have 1 HSM node in your cluster.

To conclude, please also note that Amazon Linux 2023 is not yet listed as an officially supported platform by AWS CloudHSM at this time. The recommendation is to use a platform that is officially supported so that you can get support from the CloudHSM support team and service team, if you run into any issues.

AWS
SUPPORT ENGINEER
answered 10 months ago
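A small triage script for the workflow in the accepted answer, added here as an example (it is not from the thread, the sample repository or AWS). It assumes the ctest summary format shown in the question, and it treats only the two tests the answer names (unwrap_with_template, ecdh) as expected failures on SDK 5, so any other failure is reported as something still to fix (SDK version, key availability check, missing wrap key).

```shell
#!/usr/bin/env bash
# Added example, not code from the thread. Assumes the ctest summary lines look
# like "  • 18 - unwrap_with_template (Failed)" as in the question.
set -u

# Tests the accepted answer says still fail on SDK 5 even after the fixes:
# 18 unwrap_with_template (key handles differ across sessions) and
# 21 ecdh (CKM_ECDH1_DERIVE is not supported by SDK 5).
EXPECTED_FAILURES="unwrap_with_template ecdh"

# Read a ctest summary on stdin and print the name of every failed test.
failed_tests() {
  sed -n 's/^[^0-9]*[0-9][0-9]* - \([A-Za-z0-9_]*\) (Failed)$/\1/p'
}

# Print only the failed tests that the answer does NOT explain, one per line.
unexpected_failures() {
  failed_tests | while read -r name; do
    case " $EXPECTED_FAILURES " in
      *" $name "*) ;;                 # expected on SDK 5, ignore
      *) printf '%s\n' "$name" ;;     # still needs investigation
    esac
  done
}

# The key availability check only needs disabling on a 1-HSM cluster.
# Prints the configure-pkcs11 command quoted in the answer, or nothing.
key_availability_fix() {
  hsm_count="$1"
  if [ "$hsm_count" -eq 1 ]; then
    printf '%s\n' 'sudo /opt/cloudhsm/bin/configure-pkcs11 --disable-key-availability-check'
  fi
}

# Constructed sample summary (shape of the question's output, shortened).
SAMPLE_BEFORE='The following tests FAILED:
  • 12 - aes_gcm_wrapping (Failed)
  • 18 - unwrap_with_template (Failed)
  • 21 - ecdh (Failed)'

# On a real run: cd build && ctest 2>&1 | unexpected_failures
printf '%s\n' "$SAMPLE_BEFORE" | unexpected_failures
key_availability_fix 1
```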
  • Thank you, Teneng T, this is also related to my other question. I'm very interested in SDK 5 and this is the first time I'm giving it a try. Also, we only have 1 HSM in the cluster because it is not a production environment. Would you recommend SoftHSM for "cost-free" testing?

  • Hello,

    I understand this is not a production environment but if your end goal of the tests you are performing is to finally integrate your applications/workloads with AWS CloudHSM, then I will suggest that you continue testing with CloudHSM. You will find some best practices to Reduce costs by scaling to your needs in the public documentation. https://docs.aws.amazon.com/cloudhsm/latest/userguide/best-practices.html#bp-reduce-cost

    In essence, you can delete the HSM(s) in your cluster when not in use in order to save on cost.

    However if you are just using your environment to test PKCS11 APIs, then a "cost free" option such as SoftHSM might be best for you.
