nCipher HSM doesn't like CKA_ENCRYPT/CKA_DECRYPT when deriving a generic secret...

[jimvert]

Hi,

I'm using libp11-0.4.12 and OpenSSL-1.1.1t against an nCipher HSM running client software version 12.81 and firmware version 12.72. I'm attempting to perform CMS ECDH-based decryption. Here's the basic decryption command being issued along with its failure:

openssl cms -decrypt -in test.enc -inform der -engine pkcs11 -inkey "pkcs11:token=accelerator;object=Gx1EncryptionTest;type=private" -keyform engine -recip Gx1EncryptionTest.pem
engine "pkcs11" set.
Error decrypting CMS using private key
140295955737664:error:82067006:PKCS#11 module:pkcs11_ecdh_derive:Function failed:p11_ec.c:635:

I turned on HSM traces and see the following:

2023-05-04 11:22:36 [28556] t40ac2687b07f0000: pkcs11: 000008CB <    rv 0x00000000 (CKR_OK)
2023-05-04 11:22:36 [28556] t40ac2687b07f0000: pkcs11: 000008CB >>   C_DeriveKey
2023-05-04 11:22:36 [28556] t40ac2687b07f0000: pkcs11: 000008CB >    hSession 0x000008CB
2023-05-04 11:22:36 [28556] t40ac2687b07f0000: pkcs11: 000008CB >    pMechanism->mechanism 0x00001050 (CKM_ECDH1_DERIVE)
2023-05-04 11:22:36 [28556] t40ac2687b07f0000: pkcs11: 000008CB >    hBaseKey 0x000004EF
2023-05-04 11:22:36 [28556] t40ac2687b07f0000: pkcs11: 000008CB >    CKA_TOKEN: false
2023-05-04 11:22:36 [28556] t40ac2687b07f0000: pkcs11: 000008CB >    CKA_CLASS:  CKO_SECRET_KEY
2023-05-04 11:22:36 [28556] t40ac2687b07f0000: pkcs11: 000008CB >    CKA_KEY_TYPE:  CKK_GENERIC_SECRET
2023-05-04 11:22:36 [28556] t40ac2687b07f0000: pkcs11: 000008CB >     32
2023-05-04 11:22:36 [28556] t40ac2687b07f0000: pkcs11: 000008CB >    CKA_SENSITIVE: false
2023-05-04 11:22:36 [28556] t40ac2687b07f0000: pkcs11: 000008CB >    CKA_EXTRACTABLE: true
2023-05-04 11:22:36 [28556] t40ac2687b07f0000: pkcs11: 000008CB >    CKA_ENCRYPT: true
2023-05-04 11:22:36 [28556] t40ac2687b07f0000: pkcs11: 000008CB >    CKA_DECRYPT: true
2023-05-04 11:22:36 [28556] t40ac2687b07f0000: pkcs11: 000008CB Error: Generic stub command DeriveKey returned 45
2023-05-04 11:22:36 [28556] t40ac2687b07f0000: pkcs11: 000008CB Error: Status_InvalidACL
2023-05-04 11:22:36 [28556] t40ac2687b07f0000: pkcs11: 000008CB <    *phKey 0x00000000
2023-05-04 11:22:36 [28556] t40ac2687b07f0000: pkcs11: 000008CB <    rv 0x00000006 (CKR_FUNCTION_FAILED)
Error decrypting CMS using private key
140396158430272:error:82067006:PKCS#11 module:pkcs11_ecdh_derive:Function failed:p11_ec.c:635:

I modified P11_ec.c to remove CKA_ENCRYPT and CKA_DECRYPT from the template at https://github.com/OpenSC/libp11/blob/libp11-0.4.12/src/p11_ec.c#L587. The change eliminated the error and allowed the decryption to proceed successfully.

There's some evidence that generic secrets don't support encryption/decryption: https://www.cryptsoft.com/pkcs11doc/v220/group__SEC__12__7__2__GENERIC__SECRET__KEY__OBJECTS.html. It would seem that the nCipher libraries are enforcing these constraints.

[dengert]

The same language is in:
https://docs.oasis-open.org/pkcs11/pkcs11-curr/v3.0/os/pkcs11-curr-v3.0-os.html "2.8.2 Generic secret key objects" "These keys do not support encryption or decryption; however, other keys can be derived..."

[mtrojnar]

@jimvert CKA_ENCRYPT and CKA_DECRYPT attributes were added to the template by @dengert in 2c6af01. I suppose some use cases may require them.

[jimvert]

Yep, I can appreciate that, and up until recently, the nCipher code ignored those attributes. Here's an example trace from their older client code:

2023-05-04 18:02:01 [13479] tc011a5185a7f0000: pkcs11: 000008CB Application error: Generic secret key can only be used for derivation
2023-05-04 18:02:01 [13479] tc011a5185a7f0000: pkcs11: 000008CB Application error: But we'll let you get away with setting other attributes for now

As of their latest client code, those attributes are no longer allowed. They likewise pointed to https://docs.oasis-open.org/pkcs11/pkcs11-curr/v3.0/os/pkcs11-curr-v3.0-os.html#_Toc30061230 as justification.

I'm uncomfortable having local code on our server as a workaround. Is there some reasonable solution to this problem?

[dengert]

I am on vacation. But it looks like the template for generic secret key should not set encrypt or decrypt TRUE. Submit a PR.
An AES or other secret key can be derived from a generic secret key with the flags set to TRUE.

[dengert]

The other thing to look at is if a KDF is used with input of generic secret, then the derived key could have other attributes. I would assume the HSM would be doing that to create an AES key from generic secret.

[ojw-nc]

For assistance with nShield devices and including information regarding supported mechanisms, please request via: https://nshieldsupport.entrust.com/hc/en-us

[dengert]

@jimvert You are correct, pkcs11-curr-v3.0-os "2.8.2 Generic secret key objects", "These keys do not support encryption or decryption". The pkcs11_ecdh_derive should have an additional parameter for newkey_type and if it is CKK_GENERIC_SECRET drop the CKA_ENCRYPT and CKA_DECRYPT from the template.

Please submit a Pull request.