HSM returned response code: 0x70 CKR_MECHANISM_INVALID

When I use the pkcs11 crypto interface in barbican, barbican reports this WARNING:

WARNING barbican.plugin.crypto.p11_crypto [req-dee0ad0f-9ed8-4fa9-adb5-91945242ce74 - a8b9d5eb-f14d-4f52-82cb-2fb1e74eceb3 - - -] Reinitializing PKCS#11 library: HSM returned response code: 0x70 CKR_MECHANISM_INVALID: barbican.common.exception.P11CryptoPluginException: HSM returned response code: 0x70 CKR_MECHANISM_INVALID


An invalid mechanism was specified to the cryptographic operation. This error code is an appropriate return value if an unknown mechanism was specified or if the mechanism specified cannot be used in the selected token with the selected function.

My barbican.conf settings are (almost the default values):


CKM_AES_CBC is the default encryption_mechanism, CKM_AES_KEY_GEN is the default hmac_keygen_mechanism, and CKM_SHA256_HMAC is the default hmac_keywrap_mechanism. I've checked with p11tool that these three mechanisms are supported in softhsm. But the default values are for a SafeNet HSM, and I don't know the right config for softhsm. I tried some CKMs from the pkcs11 spec, but barbican reported INVALID PARAMETER. Maybe what I need is just a correct config for softhsm.

My Environment:

No-auth barbican (stein and master), installed as

It works well when operating on secret data through the simple_crypto plugin.

python 2.7.5


OpenSSL 1.0.2g (I tried 1.1.1d, it didn't work)

The slot is assigned and the mkek/hmac are generated successfully using the barbican-manager hsm command.

What should I change in the p11_crypto_plugin section of barbican.conf to make softhsm work through the pkcs11 interface? Or is there any other method? Thanks!
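
The CKR_MECHANISM_INVALID definition quoted in the question has two halves: the mechanism is unknown to the token, or the token offers it but not for the function being called. The following added example (not part of the original post and not Barbican's code) checks the three configured mechanisms against both. The listing is a constructed sample laid out like OpenSC `pkcs11-tool --list-mechanisms` output, and the function each option needs (`encrypt`, `generate`, `sign`) is an assumption.

```python
import re

# Constructed sample, laid out like `pkcs11-tool --list-mechanisms` output.
SAMPLE_LISTING = """\
Supported mechanisms:
  AES-CBC, keySize={16,32}, encrypt, decrypt, wrap, unwrap
  AES-KEY-GEN, keySize={16,32}, generate
  SHA256-HMAC, keySize={32,512}, sign, verify
"""

# barbican.conf option -> (configured mechanism, function assumed to be needed)
CONFIGURED = {
    "encryption_mechanism": ("CKM_AES_CBC", "encrypt"),
    "hmac_keygen_mechanism": ("CKM_AES_KEY_GEN", "generate"),
    "hmac_keywrap_mechanism": ("CKM_SHA256_HMAC", "sign"),
}


def tool_name(ckm):
    """Map a PKCS#11 constant name (CKM_AES_CBC) to the listing's AES-CBC."""
    return ckm[len("CKM_"):].replace("_", "-")


def parse_mechanisms(listing):
    """Return {mechanism name: set of function flags} from a listing."""
    mechs = {}
    for line in listing.splitlines():
        if not line.startswith(" "):  # header line, not a mechanism
            continue
        # keySize={a,b} contains a comma, so drop it before splitting.
        line = re.sub(r"keySize=\{[^}]*\}", "", line)
        fields = [f.strip() for f in line.split(",") if f.strip()]
        mechs[fields[0]] = set(fields[1:])
    return mechs


def check_config(configured, listing):
    """Report, per option, which half of CKR_MECHANISM_INVALID would apply."""
    mechs = parse_mechanisms(listing)
    findings = {}
    for option, (ckm, needed) in configured.items():
        flags = mechs.get(tool_name(ckm))
        if flags is None:
            findings[option] = "not offered by token"
        elif needed not in flags:
            findings[option] = "offered, but not for '%s'" % needed
        else:
            findings[option] = "ok"
    return findings
```

A result of `ok` for every option only rules out the mechanism list itself; it does not cover key type or mechanism parameters.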