Failed to initialize barrier: failed to persist keyring: unexpected signature length 35 from hmac operation

Hi,

I am using the PKCS11 wrapper for master key wrapping with a versioned key.
Vault.hcl

    listener "tcp" {
      address     = "127.0.0.1:8200"
      tls_disable = "true"
    }
    storage "file" {
      path = "/root/jiten/data"
    }
    ui = true
    seal "pkcs11" {
      lib            = "/root/jiten/PKCS11.so"
      slot           = "0"
      pin            = "username:123456"
      key_label      = "aes_ver"
      hmac_key_label = "hamc_ver#2"
      generate_key   = "false"
    }

Due to some internal logic of the HSM, for a versioned key the HSM returns a 3-byte header:
An AES crypto operation returns 19 bytes (16 bytes + 3-byte header).
An HMAC operation returns 35 bytes (32 bytes + 3-byte header).

Command:

./vault operator init -recovery-shares=1 -recovery-threshold=1

Result:

Error initializing: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/sys/init
Code: 400. Errors:

* failed to initialize barrier: failed to persist keyring: unexpected signature length 35 from hmac operation

It is clear that Vault is expecting 32 bytes of HMAC data. (The init command was successful when a non-versioned HMAC key, which returns 32 bytes of data, was used.)

Does Vault not check the length of the AES crypto data, and only check the length of the HMAC data?
So how do I handle this issue?
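To make the length mismatch described above concrete, here is an added example (not Vault's code and not from the original post) that simulates the versioned-key HSM behaviour: a constructed 3-byte version header is prepended to a standard HMAC-SHA256 tag, the 35-byte result fails a strict 32-byte length check with the same message as the error above, and only after the header is split off does the tag verify. The header layout (a big-endian version counter) is an assumption for illustration.

```python
import hashlib
import hmac

HMAC_SHA256_LEN = 32      # length a consumer of HMAC-SHA256 expects
VERSION_HEADER_LEN = 3    # HSM-specific header described in the post (layout assumed)


def hsm_hmac_with_header(key: bytes, data: bytes, version: int) -> bytes:
    """Constructed stand-in for the versioned-key HSM: returns a 3-byte
    version header followed by the 32-byte HMAC-SHA256 tag (35 bytes total)."""
    header = version.to_bytes(VERSION_HEADER_LEN, "big")  # assumed layout
    return header + hmac.new(key, data, hashlib.sha256).digest()


def check_signature_length(sig: bytes) -> None:
    """Strict length check of the kind implied by the error message in the post."""
    if len(sig) != HMAC_SHA256_LEN:
        raise ValueError(f"unexpected signature length {len(sig)} from hmac operation")


def strip_version_header(sig: bytes) -> tuple[int, bytes]:
    """Split the HSM output into (version, raw_tag)."""
    version = int.from_bytes(sig[:VERSION_HEADER_LEN], "big")
    return version, sig[VERSION_HEADER_LEN:]


def verify_keyring_mac(key: bytes, data: bytes, sig: bytes) -> bool:
    """Strip the header, enforce the 32-byte length, then compare in constant time."""
    _version, tag = strip_version_header(sig)
    check_signature_length(tag)
    expected = hmac.new(key, data, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


if __name__ == "__main__":
    # Constructed sample inputs standing in for the HMAC key and the persisted keyring.
    key = b"\x01" * 32
    keyring = b"constructed keyring bytes"
    sig = hsm_hmac_with_header(key, keyring, version=2)
    print(len(sig))                          # 35, as in the post
    try:
        check_signature_length(sig)          # fails on the raw HSM output
    except ValueError as err:
        print(err)
    print(verify_keyring_mac(key, keyring, sig))   # True once the header is removed
```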

Apologies, but support for enterprise customers needs to go through our enterprise support portal. Reporting through our enterprise support portal ensures that we can comply with contractually obligated SLAs around customer support requests, and that a support engineer or technical account manager can track the issue from report to resolution.

Hi Jeff,
I need to know one thing: does Vault only check the HMAC operation result size (i.e. 35 bytes)? In my case AES also returns 3 extra bytes, but Vault returns an error only for HMAC.

@VikkyM, I stumbled across this GitHub repo that outlines very simple steps to configure Vault Enterprise + HSM with SoftHSM2.

The trial license works for only 30 minutes at a time, but that’s enough to play around with the technology if you are evaluating it.