SafeNET PKCS Keypair generation failed

If you run a SafeNet HSM with software 6 and firmware 6.22 in FIPS mode, you will hit errors while generating an RSA PKCS key pair. As you can see in the following test, the PKCS mechanism gives “Key pair generation failed”.
The HSM also returns CKR_MECHANISM_INVALID to the requesting application. For example, the Sun Java PKCS#11 provider will throw something like this:
sun.security.pkcs11.wrapper.PKCS11Exception: CKR_MECHANISM_INVALID

C:\Program Files\SafeNet\LunaClient>Cmu.exe gen
Please enter password for token in slot 0 : ****************
Enter key type – [1] RSA [2] DSA [3] ECDSA : 1

Select RSA Mechanism Type –
[1] PKCS [2] FIPS 186-3 Only Primes [3] FIPS 186-3 Auxiliary Primes : 1
Enter modulus length (8 bit multiple) : 2048
Select public exponent – [1] 3 [2] 17 [3] 65537 : 3
Key pair generation failed

CKM_RSA_PKCS_KEY_PAIR_GEN is disabled in FIPS mode in 6.0/6.22. I haven't tried it, but you have an option, “Mechanism Remap for FIPS Compliance”; please refer to your HSM guide. But if you get a firmware or software update, be careful with this setting, which makes it appear you are getting a new, secure mechanism when really you are getting an outdated, insecure mechanism. Anyway, it is better to run what FIPS says. Don’t play around :)
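The failure above is only reported at C_GenerateKeyPair time, as a bare CKR_MECHANISM_INVALID. An application can instead check the token's mechanism list (C_GetMechanismList) up front and pick a key-generation mechanism the FIPS-mode token actually offers. The Python below is an added example, not code from the original post or from SafeNet: it models that pre-flight decision with constructed mechanism sets standing in for real C_GetMechanismList output. It assumes the "FIPS 186-3" options in the Cmu menu correspond to the standard PKCS#11 mechanism CKM_RSA_X9_31_KEY_PAIR_GEN (check your HSM's mechanism chart, since a vendor may use its own mechanism), and it applies the FIPS 186-3 public-exponent bound (e must be odd and greater than 2^16), which rules out the e=3 chosen in the session above.

```python
"""Pre-flight check for RSA key-pair generation against a PKCS#11 token.

Added example, not code from the original post or from SafeNet. It models what
an application should do with the result of C_GetMechanismList before calling
C_GenerateKeyPair, so that a token that disables CKM_RSA_PKCS_KEY_PAIR_GEN in
FIPS mode yields a clear diagnosis instead of a bare CKR_MECHANISM_INVALID.
The mechanism sets at the bottom are constructed, not captured from an HSM.
"""

# Standard PKCS#11 v2.x mechanism and return-code values.
CKM_RSA_PKCS_KEY_PAIR_GEN = 0x00000000   # PKCS#1 RSA key-pair generation
CKM_RSA_X9_31_KEY_PAIR_GEN = 0x0000000A  # X9.31 style generation; assumed here to be
                                         # what the Cmu "FIPS 186-3" options use
CKM_RSA_PKCS = 0x00000001                # PKCS#1 v1.5 sign/encrypt
CKM_SHA256_RSA_PKCS = 0x00000040
CKR_OK = 0x00000000
CKR_MECHANISM_INVALID = 0x00000070

# FIPS 186-3 (B.3.1) requires an odd public exponent with 2^16 < e < 2^256,
# and defines key generation only for 1024-, 2048- and 3072-bit moduli.
FIPS_186_3_MIN_E = 65537
FIPS_186_3_MODULUS_BITS = (1024, 2048, 3072)

# Prefer the FIPS-approved generation method when the token offers it.
RSA_KEYGEN_PREFERENCE = (CKM_RSA_X9_31_KEY_PAIR_GEN, CKM_RSA_PKCS_KEY_PAIR_GEN)


def keygen_problems(supported, mechanism, public_exponent, modulus_bits):
    """Return the reasons a C_GenerateKeyPair request would fail (empty list = OK)."""
    problems = []
    if mechanism not in supported:
        problems.append(
            f"mechanism 0x{mechanism:08X} is not in the token's mechanism list "
            "(a FIPS-mode token may have CKM_RSA_PKCS_KEY_PAIR_GEN disabled)")
    if modulus_bits % 8:
        problems.append(f"modulus length {modulus_bits} is not a multiple of 8 bits")
    if public_exponent % 2 == 0:
        problems.append("RSA public exponent must be odd")
    if mechanism == CKM_RSA_X9_31_KEY_PAIR_GEN:
        if public_exponent < FIPS_186_3_MIN_E:
            problems.append(
                f"FIPS 186-3 requires e > 2^16; e={public_exponent} is rejected (use 65537)")
        if modulus_bits not in FIPS_186_3_MODULUS_BITS:
            problems.append(
                f"FIPS 186-3 key generation is defined only for {FIPS_186_3_MODULUS_BITS}")
    return problems


def choose_rsa_keygen_mechanism(supported, public_exponent, modulus_bits):
    """Pick the first usable mechanism in preference order, or None if nothing fits."""
    for mech in RSA_KEYGEN_PREFERENCE:
        if not keygen_problems(supported, mech, public_exponent, modulus_bits):
            return mech
    return None


def diagnose(rv, mechanism, supported):
    """Turn a C_GenerateKeyPair return value into an actionable message."""
    if rv == CKR_OK:
        return "ok"
    if rv == CKR_MECHANISM_INVALID:
        if mechanism not in supported:
            return ("CKR_MECHANISM_INVALID: the token does not offer mechanism "
                    f"0x{mechanism:08X}; re-read its mechanism list (FIPS mode "
                    "disables CKM_RSA_PKCS_KEY_PAIR_GEN on this firmware)")
        return ("CKR_MECHANISM_INVALID although the mechanism is listed; check that "
                "its CK_MECHANISM_INFO flags include CKF_GENERATE_KEY_PAIR")
    return f"PKCS#11 error 0x{rv:08X}"


# Constructed mechanism lists standing in for C_GetMechanismList output.
FIPS_MODE_TOKEN = {CKM_RSA_X9_31_KEY_PAIR_GEN, CKM_RSA_PKCS, CKM_SHA256_RSA_PKCS}
NON_FIPS_TOKEN = FIPS_MODE_TOKEN | {CKM_RSA_PKCS_KEY_PAIR_GEN}

if __name__ == "__main__":
    # The post's failing request: PKCS mechanism, 2048-bit modulus, e=3, FIPS-mode token.
    for p in keygen_problems(FIPS_MODE_TOKEN, CKM_RSA_PKCS_KEY_PAIR_GEN, 3, 2048):
        print("problem:", p)
    print(diagnose(CKR_MECHANISM_INVALID, CKM_RSA_PKCS_KEY_PAIR_GEN, FIPS_MODE_TOKEN))
    print("use mechanism:", choose_rsa_keygen_mechanism(FIPS_MODE_TOKEN, 65537, 2048))
```

On the constructed FIPS-mode token the post's request (PKCS mechanism, e=3) is reported as unusable before any call to the HSM, while the same request with e=65537 is routed to the FIPS 186-3 mechanism; on the non-FIPS token the PKCS mechanism is still selected for e=3, because only FIPS 186-3 imposes the exponent bound.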

Here is the supported mechanisms chart:
[Image: HSMFIPS]
