mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-11-29 14:41:09 +01:00
Code Issues Projects Releases Wiki Activity

fix incorrect HSM mechanisms (#16081)

Browse Source
This commit is contained in:
Rachel Culpepper 2022-06-21 11:13:30 -04:00 committed by GitHub
parent 70f19e2298
commit f9532fed61
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
website/content/docs/secrets/transit.mdx
View File

@ -257,11 +257,11 @@ as described below. In the below, the target key refers to the key being importe
If the key is being imported from an HSM that supports PKCS#11, there are If the key is being imported from an HSM that supports PKCS#11, there are
two possible scenarios: two possible scenarios:
- If the HSM supports the CKM_AES_KEY_WRAP_KWP mechanism, that can be used to wrap the - If the HSM supports the CKM_RSA_AES_KEY_WRAP mechanism, that can be used to wrap the
target key using the wrapping key. target key using the wrapping key.
- Otherwise, two mechanisms can be combined to wrap the target key. First, an AES key should - Otherwise, two mechanisms can be combined to wrap the target key. First, an AES key should
be generated and then used to wrap the target key using the CKM_AES_KEY_WRAP_PAD mechanism. be generated and then used to wrap the target key using the CKM_AES_KEY_WRAP_KWP mechanism.
Then the AES key should be wrapped under the wrapping key using the CKM_RSA_PKCS_OAEP mechanism Then the AES key should be wrapped under the wrapping key using the CKM_RSA_PKCS_OAEP mechanism
using MGF1 and either SHA-1, SHA-224, SHA-256, SHA-384, or SHA-512. using MGF1 and either SHA-1, SHA-224, SHA-256, SHA-384, or SHA-512.