Failed to initialize barrier: failed to persist keyring: unexpected signature length 35 from hmac operation

Hi,

I am using the PKCS11 wrapper for master key wrapping with a version key.
Vault.hcl:

    listener "tcp" {
      address = "127.0.0.1:8200"
      tls_disable = "true"
    }
    storage "file" {
      path = "/root/jiten/data"
    }
    ui = true
    seal "pkcs11" {
      lib = "/root/jiten/PKCS11.so"
      slot = "0"
      pin = "username:123456"
      key_label = "aes_ver"
      hmac_key_label = "hamc_ver#2"
      generate_key = "false"
    }

Due to some internal logic of the HSM, for a version key the HSM returns a 3-byte header.
The AES crypto operation returns 19 bytes (16 bytes + 3-byte header).
The HMAC operation returns 35 bytes (32 bytes + 3-byte header).

Command:

    ./vault operator init -recovery-shares=1 -recovery-threshold=1

Result:

    Error initializing: Error making API request.

    URL: PUT http://127.0.0.1:8200/v1/sys/init
    Code: 400. Errors:

    * failed to initialize barrier: failed to persist keyring: unexpected signature length 35 from hmac operation

It is clear that Vault is expecting 32 bytes of HMAC data. (The init command was successful when I used a non-version HMAC key, which returns 32 bytes of data.)

Does Vault not check the length of the AES crypto data, and only check the length of the HMAC data?
So how do I handle this issue?

Apologies, but support for enterprise customers needs to go through our enterprise support portal. Reporting through our enterprise support portal ensures that we can comply with contractually obligated SLAs around customer support requests, and that a support engineer or technical account manager can track the issue from report to resolution.

Hi Jeff,
I need to know one thing: does Vault only check the HMAC operation result size (i.e. 35 bytes)? In my case AES returns 3 extra bytes, but Vault returns an error only for HMAC.