[BUG] RSA OAEP with AES-256 is forced but softhsm2 does not support it #67

@IceManGreen

Describe the bug

When starting k8s-kms-plugin with --algorithm rsa-oaep, the encryption is set with SHA256 mode, but SoftHSM2 does not support it:
softhsm/SoftHSMv2#474

Thus, starting kubernetes with k8s-kms-plugin serve --algorithm rsa-oaep ... ends with the following error:

panic: pkcs11: 0x7: CKR_ARGUMENTS_BAD

goroutine 12 [running]:
github.com/ThalesGroup/k8s-kms-plugin/pkg/providers.(*P11).Decrypt(0xc00015aa20, {0xb1fbc0?, 0xc000015b48?}, 0xc00022de30)
	/home/kaio/Projects/thales/k8s-kms-plugin/pkg/providers/p11.go:468 +0x7ce
github.com/ThalesGroup/k8s-kms-plugin/apis/k8s/v1beta1._KeyManagementService_Decrypt_Handler.func1({0xc5a9b8?, 0xc000243890?}, {0xafcf60?, 0xc00022de30?})
	/home/kaio/Projects/thales/k8s-kms-plugin/apis/k8s/v1beta1/service.pb.go:228 +0xcb
github.com/ThalesGroup/k8s-kms-plugin/pkg/providers.(*P11).UnaryInterceptor(0xc00015aa20?, {0xc5a9b8?, 0xc000243890?}, {0xafcf60?, 0xc00022de30?}, 0xaa95a0?, 0xc000013050?)
	/home/kaio/Projects/thales/k8s-kms-plugin/pkg/providers/p11.go:843 +0x37a
github.com/ThalesGroup/k8s-kms-plugin/apis/k8s/v1beta1._KeyManagementService_Decrypt_Handler({0xb1fbc0, 0xc00015aa20}, {0xc5a9b8, 0xc000243890}, 0xc000272280, 0xc0000129c0)
	/home/kaio/Projects/thales/k8s-kms-plugin/apis/k8s/v1beta1/service.pb.go:230 +0x143
google.golang.org/grpc.(*Server).processUnaryRPC(0xc000240000, {0xc5a9b8, 0xc000243800}, 0xc0001feae0, 0xc000242060, 0x10ad3d8, 0x0)
	/home/kaio/Projects/thales/k8s-kms-plugin/vendor/google.golang.org/grpc/server.go:1400 +0x103b
google.golang.org/grpc.(*Server).handleStream(0xc000240000, {0xc5ae28, 0xc0000cf520}, 0xc0001feae0)
	/home/kaio/Projects/thales/k8s-kms-plugin/vendor/google.golang.org/grpc/server.go:1810 +0xbaa
google.golang.org/grpc.(*Server).serveStreams.func2.1()
	/home/kaio/Projects/thales/k8s-kms-plugin/vendor/google.golang.org/grpc/server.go:1030 +0x7f
created by google.golang.org/grpc.(*Server).serveStreams.func2 in goroutine 10
	/home/kaio/Projects/thales/k8s-kms-plugin/vendor/google.golang.org/grpc/server.go:1041 +0x125

Expected behavior

k8s-kms-plugin should provide a way to support both modes SHA1 and SHA256 for rsa-oaep.
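
An added example, not part of the issue and not k8s-kms-plugin code: a selectable OAEP hash in Go's software `crypto/rsa` (no PKCS#11 token involved), showing that data wrapped under one hash cannot be unwrapped under the other, so supporting both modes means the choice has to stay consistent for existing ciphertexts. The option values `sha1`/`sha256` and the helpers `oaepHash` and `roundTrip` are hypothetical names; the data key is constructed sample input.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha1"   // registers crypto.SHA1
	_ "crypto/sha256" // registers crypto.SHA256
	"fmt"
)

// oaepHash maps a hypothetical option value (not a real k8s-kms-plugin flag) to the OAEP hash.
func oaepHash(name string) (crypto.Hash, error) {
	switch name {
	case "sha1":
		return crypto.SHA1, nil
	case "sha256":
		return crypto.SHA256, nil
	}
	return 0, fmt.Errorf("unsupported OAEP hash %q", name)
}

// roundTrip wraps dek under encHash and unwraps it under decHash; it returns an error, never panics.
func roundTrip(encHash, decHash string, dek []byte) error {
	eh, err1 := oaepHash(encHash)
	dh, err2 := oaepHash(decHash)
	if err1 != nil || err2 != nil {
		return fmt.Errorf("bad hash option: %v, %v", err1, err2)
	}
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // throwaway software key
	if err != nil {
		return err
	}
	ct, err := rsa.EncryptOAEP(eh.New(), rand.Reader, &priv.PublicKey, dek, nil)
	if err != nil {
		return err
	}
	if _, err = rsa.DecryptOAEP(dh.New(), rand.Reader, priv, ct, nil); err != nil {
		return fmt.Errorf("unwrap with %s of data wrapped with %s: %w", decHash, encHash, err)
	}
	return nil
}

func main() {
	dek := []byte("constructed-sample-data-key-0001") // constructed sample input
	for _, p := range [][2]string{{"sha1", "sha1"}, {"sha256", "sha256"}, {"sha1", "sha256"}} {
		fmt.Printf("wrap=%s unwrap=%s -> %v\n", p[0], p[1], roundTrip(p[0], p[1], dek))
	}
}
```

Returning the error to the caller, as `roundTrip` does, is what lets a server answer a failed decrypt with an error instead of the panic shown in the trace above.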
