Mechanism Remap for FIPS Compliance

Under FIPS 186-3/4, the only RSA methods permitted for generating keys are 186-3 with primes and 186-3 with aux primes. This means that RSA PKCS and X9.31 key generation is no longer approved for operation in a FIPS-compliant HSM.

Supported Mechanisms                                       FIPS-mode Allowed Mechanisms
PKCS, X9.31, 186-3 with primes, 186-3 with aux primes      186-3 with primes, 186-3 with aux primes

Mechanism Remap Configuration Settings

Two configuration settings are available in the Chrystoki.conf (Linux/UNIX) or Crystoki.ini (Windows) configuration file installed with Luna PCIe HSM Client, to deal with calls to newer-firmware HSMs for outdated mechanisms, or calls to older-firmware HSMs for newer mechanisms that they do not support. The configuration settings control redirecting or mapping of mechanism calls.

NOTE   This remapping is automatic if you are using Luna HSM Client 10.1 or newer, and the configuration file entry is ignored.

In FIPS mode

When RSAKeyGenMechRemap is enabled:

1. CKM_RSA_PKCS_KEY_PAIR_GEN is inserted into the C_GetMechanismList output by the client library, as the HSM does not return it in FIPS mode.

2. C_GetMechanismInfo for CKM_RSA_PKCS_KEY_PAIR_GEN returns the default mechanism information from the client library. In FIPS mode, the HSM does not return it.

When RSAKeyGenMechRemap is disabled:

1. CKM_RSA_PKCS_KEY_PAIR_GEN is not returned by C_GetMechanismList.

2. C_GetMechanismInfo for CKM_RSA_PKCS_KEY_PAIR_GEN results in an Invalid Mechanism Attribute error.