Hi,
I am using the PKCS11 wrapper for master key wrapping with a version key.
Vault.hcl:

listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = "true"
}

storage "file" {
  path = "/root/jiten/data"
}

ui = true

seal "pkcs11" {
  lib            = "/root/jiten/PKCS11.so"
  slot           = "0"
  pin            = "username:123456"
  key_label      = "aes_ver"
  hmac_key_label = "hamc_ver#2"
  generate_key   = "false"
}
Due to some internal logic of the HSM, for a version key the HSM returns a 3-byte header:
the AES crypto operation returns 19 bytes (16 bytes + 3-byte header), and
the HMAC operation returns 35 bytes (32 bytes + 3-byte header).
Command:
./vault operator init -recovery-shares=1 -recovery-threshold=1
Result:
Error initializing: Error making API request.
URL: PUT http://127.0.0.1:8200/v1/sys/init
Code: 400. Errors:
* failed to initialize barrier: failed to persist keyring: unexpected signature length 35 from hmac operation
It is clear that Vault is expecting 32 bytes of HMAC data. (The init command was successful when a non-version HMAC key, which returns 32 bytes of data, was used.)
Does Vault not check the length of the AES crypto data, and only check the length of the HMAC data?
So how can this issue be handled?
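As an added illustration (not code from the post, and not Vault's own implementation; the pkcs11 seal is part of Vault Enterprise and its internal check is inferred here only from the error message quoted above), the following Python simulates the mismatch the post describes. A constructed stand-in for the HSM prepends a 3-byte version header to an HMAC-SHA256 tag, a strict consumer that insists on exactly 32 bytes rejects the 35-byte result with the same wording as the Vault error, and a header-aware consumer checks and strips the header before comparing the tag. That the header is a fixed 3-byte prefix and that the MAC is HMAC-SHA256 are assumptions; the key, header bytes and data are constructed.

```python
import hashlib
import hmac
import secrets

MAC_LEN = 32     # raw HMAC-SHA256 tag length; the Vault error implies it expects exactly this
HEADER_LEN = 3   # assumption: the version header described in the post is a fixed 3-byte prefix


def hsm_hmac_versioned(key: bytes, header: bytes, data: bytes) -> bytes:
    """Constructed stand-in for the HSM's HMAC on a 'version key'.

    Returns header + raw HMAC-SHA256 tag, i.e. 3 + 32 = 35 bytes. This is a
    simulation of the behaviour described in the post, not the real PKCS#11 library.
    """
    if len(header) != HEADER_LEN:
        raise ValueError(f"header must be {HEADER_LEN} bytes, got {len(header)}")
    return header + hmac.new(key, data, hashlib.sha256).digest()


def strict_verify(key: bytes, data: bytes, sig: bytes) -> bool:
    """Consumer that expects a bare 32-byte tag, which is what the error message suggests.

    Anything longer (or shorter) is rejected before the tag is even compared.
    """
    if len(sig) != MAC_LEN:
        raise ValueError(f"unexpected signature length {len(sig)} from hmac operation")
    expected = hmac.new(key, data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def header_aware_verify(key: bytes, data: bytes, sig: bytes, expected_header: bytes) -> bool:
    """Consumer that knows the header convention: check length, check header, strip, compare.

    The header is authenticated by equality against the expected version only; the
    HMAC itself still covers just `data`, so a wrong header is a hard failure.
    """
    if len(sig) != HEADER_LEN + MAC_LEN:
        raise ValueError(f"unexpected signature length {len(sig)}, want {HEADER_LEN + MAC_LEN}")
    header, tag = sig[:HEADER_LEN], sig[HEADER_LEN:]
    if header != expected_header:
        raise ValueError(f"version header mismatch: {header.hex()} != {expected_header.hex()}")
    expected = hmac.new(key, data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Run both consumers against one versioned HMAC and report what each does."""
    key = secrets.token_bytes(32)        # constructed HMAC key
    header = b"\x00\x00\x02"             # constructed 3-byte version header
    data = b"keyring bytes to be persisted"  # constructed payload

    sig = hsm_hmac_versioned(key, header, data)
    results = {"sig_len": len(sig)}

    try:
        strict_verify(key, data, sig)
        results["strict"] = "accepted"
    except ValueError as err:
        results["strict"] = str(err)     # same failure mode as the Vault init error

    results["header_aware"] = header_aware_verify(key, data, sig, header)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The simulation only shows why a 35-byte result trips a consumer that hard-codes 32; it does not change how Vault itself treats the HSM's output, which is the question the post is asking.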