7 tests fail when running AWS test suite for CloudHSM pkcs11 on SDK 5

0

Hello, please help with this issue:

When executing, on Amazon Linux 2023 with CloudHSM SDK 5, tests provided in: https://github.com/aws-samples/aws-cloudhsm-pkcs11-examples 7 AES-WRAPPING-related tests fail, all with the same message:

Could not determine size of wrapped key:

The following tests FAILED:

  • 12 - aes_gcm_wrapping (Failed)

  • 13 - aes_no_padding_wrapping (Failed)

  • 14 - aes_zero_padding_wrapping (Failed)

  • 15 - aes_wrapping (Failed)

  • 16 - rsa_wrapping (Failed)

  • 17 - wrap_with_template (Failed)

  • 18 - unwrap_with_template (Failed)

This is my cmake command:

cmake .. -DHSM_USER=qqq -DHSM_PASSWORD=yyy -DTRUSTED_WRAPPING_KEY_HANDLE=zzz

where zzz is a decimal integer and the corresponding AWS wrap key exists in the HSM.

Here is some more log:

12/26 Testing: aes_gcm_wrapping
12/26 Test: aes_gcm_wrapping
Command: "/home/ec2-user/aws-samples/aws-cloudhsm-pkcs11-examples/build/src/wrapping/aes_gcm_wrapping" "--pin" "qqq:yyy"
Directory: /home/ec2-user/aws-samples/aws-cloudhsm-pkcs11-examples/build/src/wrapping
"aes_gcm_wrapping" start time: Nov 17 19:14 UTC
Output:
Could not determine size of wrapped key: 6
Running AES-GCM wrap...
end of output

I'll be very grateful if someone could provide a solution.

Asked 6 months ago, 259 views
1 Answer
0
Accepted Answer
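For readers trying to interpret the "Could not determine size of wrapped key: 6" line above: the wording matches the PKCS#11 two-call convention, in which C_WrapKey is first called with a NULL output buffer to learn the required length, and the sample prints that message when this length-query call returns a non-zero CK_RV (an assumption from the message text, not verified against the repository). The number printed is the CK_RV, and 6 is CKR_FUNCTION_FAILED in the PKCS#11 v2.40 specification. The block below is an added example, not code from the aws-cloudhsm-pkcs11-examples repository or from AWS; it implements the length-query pattern with a decoded return code, and stands in a constructed in-memory "token" (fake_C_WrapKey, wrapping-key handle 7, 40-byte output) for the real library so it compiles and runs offline. A real build would include pkcs11.h from the SDK and call C_WrapKey through the function list, passing a CK_MECHANISM, which is left out of the reduced signature here.

```c
/* Added example: PKCS#11 two-call length query for C_WrapKey with the
 * return code decoded. Minimal type definitions replace pkcs11.h; the
 * CKR_* values are the standard ones from the PKCS#11 v2.40 spec. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned long CK_RV;
typedef unsigned long CK_ULONG;
typedef unsigned char CK_BYTE;
typedef CK_ULONG CK_OBJECT_HANDLE;
typedef CK_ULONG CK_SESSION_HANDLE;

#define CKR_OK                          0x000UL
#define CKR_HOST_MEMORY                 0x002UL
#define CKR_FUNCTION_FAILED             0x006UL
#define CKR_ARGUMENTS_BAD               0x007UL
#define CKR_FUNCTION_NOT_SUPPORTED      0x054UL
#define CKR_KEY_HANDLE_INVALID          0x060UL
#define CKR_KEY_NOT_WRAPPABLE           0x069UL
#define CKR_KEY_UNEXTRACTABLE           0x06AUL
#define CKR_MECHANISM_INVALID           0x070UL
#define CKR_USER_NOT_LOGGED_IN          0x101UL
#define CKR_WRAPPING_KEY_HANDLE_INVALID 0x113UL
#define CKR_BUFFER_TOO_SMALL            0x150UL

/* Reduced C_WrapKey signature (no CK_MECHANISM) so the pattern stays short. */
typedef CK_RV (*wrap_fn)(CK_SESSION_HANDLE s, CK_OBJECT_HANDLE wrapping_key,
                         CK_OBJECT_HANDLE key, CK_BYTE *out, CK_ULONG *out_len);

/* Map a CK_RV to its spec name so a bare "6" in a log becomes readable. */
const char *ckr_name(CK_RV rv) {
    switch (rv) {
    case CKR_OK:                          return "CKR_OK";
    case CKR_HOST_MEMORY:                 return "CKR_HOST_MEMORY";
    case CKR_FUNCTION_FAILED:             return "CKR_FUNCTION_FAILED";
    case CKR_ARGUMENTS_BAD:               return "CKR_ARGUMENTS_BAD";
    case CKR_FUNCTION_NOT_SUPPORTED:      return "CKR_FUNCTION_NOT_SUPPORTED";
    case CKR_KEY_HANDLE_INVALID:          return "CKR_KEY_HANDLE_INVALID";
    case CKR_KEY_NOT_WRAPPABLE:           return "CKR_KEY_NOT_WRAPPABLE";
    case CKR_KEY_UNEXTRACTABLE:           return "CKR_KEY_UNEXTRACTABLE";
    case CKR_MECHANISM_INVALID:           return "CKR_MECHANISM_INVALID";
    case CKR_USER_NOT_LOGGED_IN:          return "CKR_USER_NOT_LOGGED_IN";
    case CKR_WRAPPING_KEY_HANDLE_INVALID: return "CKR_WRAPPING_KEY_HANDLE_INVALID";
    case CKR_BUFFER_TOO_SMALL:            return "CKR_BUFFER_TOO_SMALL";
    default:                              return "unknown CKR value";
    }
}

/* Two-call pattern: call 1 with out == NULL asks the token for the required
 * length; call 2 fills the buffer. The spec lets call 1 report an estimate,
 * so a single retry on CKR_BUFFER_TOO_SMALL with the updated length is kept. */
CK_RV wrap_key_alloc(wrap_fn wrap, CK_SESSION_HANDLE s, CK_OBJECT_HANDLE wk,
                     CK_OBJECT_HANDLE k, CK_BYTE **out, CK_ULONG *out_len) {
    CK_ULONG len = 0;
    CK_RV rv = wrap(s, wk, k, NULL, &len);
    if (rv != CKR_OK) {
        fprintf(stderr, "Could not determine size of wrapped key: %lu (%s)\n",
                rv, ckr_name(rv));
        return rv;
    }
    CK_BYTE *buf = malloc(len);
    if (buf == NULL) return CKR_HOST_MEMORY;
    rv = wrap(s, wk, k, buf, &len);
    if (rv == CKR_BUFFER_TOO_SMALL) {
        CK_BYTE *bigger = realloc(buf, len);
        if (bigger == NULL) { free(buf); return CKR_HOST_MEMORY; }
        buf = bigger;
        rv = wrap(s, wk, k, buf, &len);
    }
    if (rv != CKR_OK) { free(buf); return rv; }
    *out = buf;
    *out_len = len;
    return CKR_OK;
}

/* Constructed fake token (not a real HSM): handle 7 is the only wrapping key,
 * and a wrap produces 40 bytes (a 32-byte key plus the 8-byte RFC 3394
 * integrity block). Any other wrapping handle fails the way the log above
 * does, with CK_RV 6. The output bytes are placeholders, not real ciphertext. */
#define FAKE_WRAP_HANDLE 7UL
#define FAKE_WRAPPED_LEN 40UL
CK_RV fake_C_WrapKey(CK_SESSION_HANDLE s, CK_OBJECT_HANDLE wk,
                     CK_OBJECT_HANDLE k, CK_BYTE *out, CK_ULONG *out_len) {
    (void)s; (void)k;
    if (out_len == NULL) return CKR_ARGUMENTS_BAD;
    if (wk != FAKE_WRAP_HANDLE) return CKR_FUNCTION_FAILED;
    if (out == NULL) { *out_len = FAKE_WRAPPED_LEN; return CKR_OK; }
    if (*out_len < FAKE_WRAPPED_LEN) { *out_len = FAKE_WRAPPED_LEN; return CKR_BUFFER_TOO_SMALL; }
    memset(out, 0xA6, 8);                        /* constructed "IV" block */
    memset(out + 8, 0x5A, FAKE_WRAPPED_LEN - 8); /* constructed body */
    *out_len = FAKE_WRAPPED_LEN;
    return CKR_OK;
}

int main(void) {
    CK_BYTE *wrapped = NULL;
    CK_ULONG n = 0;
    CK_RV rv = wrap_key_alloc(fake_C_WrapKey, 1, FAKE_WRAP_HANDLE, 2, &wrapped, &n);
    printf("valid wrapping handle: %s, %lu bytes\n", ckr_name(rv), n);
    free(wrapped);
    rv = wrap_key_alloc(fake_C_WrapKey, 1, 99, 2, &wrapped, &n);
    printf("invalid wrapping handle: %lu = %s\n", rv, ckr_name(rv));
    return 0;
}
```

With the real library the handle passed as the wrapping key comes from the TRUSTED_WRAPPING_KEY_HANDLE cmake variable, so printing the decoded name next to the raw number is the quickest way to tell a generic CKR_FUNCTION_FAILED from a specific code such as CKR_WRAPPING_KEY_HANDLE_INVALID or CKR_MECHANISM_INVALID when a test fails.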

Hello,

Please see the following recommendations that are based on previous testing from my side:

  1. Ensure that you are making use of the most recent version of Client SDK5 (version 5.10.0). You can download it via this download link. Install the latest version of Client SDK 5 PKCS11 library and set it up according to AWS recommendations.

  2. If you only have 1 HSM node in your CloudHSM cluster, please also disable key availability check requirement by running the command "sudo /opt/cloudhsm/bin/configure-pkcs11 --disable-key-availability-check".

With the recommendations above, I only expect that 2 tests will fail:

     18 - unwrap_with_template (Failed)
     21 - ecdh (Failed)

SDK 5 does not use the same key handles across different sessions (test 18) and the PKCS#11 mechanism used for key derivation is CKM_ECDH1_DERIVE which is not supported by SDK 5 (test 21).

It is important to use the latest version of client SDK5 because some earlier versions (for example version 5.0.0) were released with limited support for just a few key types, mechanisms, API operations and client attributes. Hence you will get failures if you are testing all the samples against a version of Client SDK 5 that does not support a mechanism that is being tested. In a similar way, you will also get failures for certain tests that involve API operations where the "key availability check" is performed, but you only have 1 HSM node in your cluster.

To conclude, please also note that Amazon Linux 2023 is not yet listed as an officially supported platform by AWS CloudHSM at this time. The recommendation is to use a platform that is officially supported so that you can get support from the CloudHSM support team and service team, if you run into any issues.

AWS
Support Engineer
Answered 6 months ago
Expert
Reviewed 2 months ago
  • Thank you, Teneng T, this is also related to my other question. I'm very interested in SDK 5 and this is the first time I'm giving it a try. Also, we only have 1 HSM in the cluster because it is not a production environment. Would you recommend SoftHSM for "cost-free" testing?

  • Hello,

    I understand this is not a production environment but if your end goal of the tests you are performing is to finally integrate your applications/workloads with AWS CloudHSM, then I will suggest that you continue testing with CloudHSM. You will find some best practices to Reduce costs by scaling to your needs in the public documentation. https://docs.aws.amazon.com/cloudhsm/latest/userguide/best-practices.html#bp-reduce-cost

    In essence, you can delete the HSM(s) in your cluster when not in use in order to save on cost.

    However if you are just using your environment to test PKCS11 APIs, then a "cost free" option such as SoftHSM might be best for you.
