The PKCS#11 backend key-wraps (encrypts) the project-specific Key
Encryption Keys (pKEKs) using the master encryption key (MKEK).
The mechanism for wrapping/unwrapping the keys was hard-coded to use
CKM_AES_CBC_PAD. This patch refactors the pkcs11 module to make this
mechanism configurable.
This is necessary to fix Bug #2036506 because some PKCS#11 devices and
software implementations no longer allow CKM_AES_CBC_PAD to be used for
key wrapping.
Supported key wrap mechanisms now include:
* CKM_AES_CBC_PAD
* CKM_AES_KEY_WRAP_PAD
* CKM_AES_KEY_WRAP_KWP
This patch also includes two additional patches so they can all be
tested at the same time:
Fix typo in wrap_key function
This patch fixes a typo in one of the mechanisms in the
PKCS11.wrap_key() function in the pkcs11 module.
and
Increase unit testing coverage for PKCS#11
This patch adds a few tests to increase the test coverage for the
PKCS#11 backend.
Closes-Bug: #2036506
Change-Id: Ic2009a2a55622bb707e884d6a960c044b2248f52
(cherry picked from commit 0d4101fa5da52f242ab0a52955f67769b23485a1)
(cherry picked from commit 7b36764cd12781bdb1acc37dcd52dd4e6637171e)
(cherry picked from commit bae6737cb33ebe47c0655a704ff434539db3dc00)
(cherry picked from commit b5841df387e5ab38caf173950a1d98ab37a51453)
6945564c4c