Mechanism Remap for FIPS Compliance
Under FIPS 186-3/4, the only RSA methods permitted for generating keys are 186-3 with primes and 186-3 with aux primes. This means that RSA PKCS and X9.31 key generation is no longer approved for operation in a FIPS-compliant HSM.
| Supported Mechanisms | FIPS-mode Allowed Mechanisms |
|---|---|
| PKCS, X9.31, 186-3 with primes, 186-3 with aux primes | 186-3 with primes, 186-3 with aux primes |
Two configuration settings are available in the Chrystoki.conf (Linux/UNIX) or Crystoki.ini (Windows) configuration file installed with Luna HSM Client, to deal with calls to newer-firmware HSMs for outdated mechanisms, or calls to older-firmware HSMs for newer mechanisms that they do not support. The configuration settings control redirecting or mapping of mechanism calls.
NOTE Mechanism remapping is automatic, and ignores the configuration file entry if:
>you are using Luna HSM Client 10.1.0 or newer, and
>HSM firmware is older than Luna HSM Firmware 7.7.1 (which introduced FIPS mode on individual partitions; clients up to and including Luna HSM Client 10.3.0 are unaware of the independent partition setting and do not remap mechanisms).
Luna HSM Client 10.4.0 and newer are aware of the change in Luna HSM Firmware 7.7.1 and perform the mechanism remapping as expected when the current partition is in FIPS mode.
In FIPS mode
When RSAKeyGenMechRemap is enabled:
1.CKM_RSA_PKCS_KEY_PAIR_GEN is inserted into the C_GetMechanismList output by the client library, as the HSM does not return it in FIPS mode.
2.C_GetMechanismInfo for CKM_RSA_PKCS_KEY_PAIR_GEN returns the default Mechanism information from the client library. In FIPS mode, the HSM does not return it.
When RSAKeyGenMechRemap is disabled:
1.CKM_RSA_PKCS_KEY_PAIR_GEN is not returned by C_GetMechanismList.
2.C_GetMechanismInfo for CKM_RSA_PKCS_KEY_PAIR_GEN results in an Invalid Mechanism Attribute error.
