Problem
Creating a managed key to offload key management to an external HSM may fail during key generation with the following error:
{"@level":"error","@message":"Key generation for managed key XXXX failed: no supported rsa key generation mechanisms found","@module":"managedKeyRegistry","@timestamp":"2022-08-17T11:41:55.938617+02:00"}
Prerequisites (if applicable)
- Related Vault Versions: 1.10.x & higher
- HSM with FIPS enabled
Cause
After invoking the Vault sys/managed-key/... API, the error noted above is returned. The failure is caused by an incompatibility between the RSA key-generation mechanisms Vault requests and those the HSM offers: in FIPS mode the HSM does not support the RSA methods Vault uses.
As stated in the FIPS enabled Luna HSM guide:
> only RSA methods permitted for generating keys are 186-3 with primes and 186-3 with aux primes
The RSA key-pair generation mechanisms available on a FIPS-enabled Luna HSM are limited to:
- CKM_RSA_FIPS_186_3_PRIME_KEY_PAIR_GEN
- CKM_RSA_FIPS_186_3_AUX_PRIME_KEY_PAIR_GEN
Vault, however, only supports:
- CKM_RSA_PKCS_KEY_PAIR_GEN
- CKM_RSA_X9_31_KEY_PAIR_GEN
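As an added pre-flight check (example code, not part of this article, of Vault, or of the Luna tooling), the following Python compares a token's advertised mechanism list with the two mechanisms Vault requests and reports the mismatch described above before a managed key is created. The mechanism listings embedded in it are constructed samples, not real HSM output, and the optional live_token_mechanisms helper assumes the python-pkcs11 package is installed.

```python
"""Pre-flight check: can Vault's managed-key RSA generation succeed on this PKCS#11 token?

Vault asks the HSM for one of two PKCS#11 key-pair generation mechanisms
(the two named in the article). A FIPS-mode Luna token only offers the
FIPS 186-3 mechanisms, so the request fails with
"no supported rsa key generation mechanisms found".
"""
from typing import Iterable

# Mechanisms Vault tries, as listed in the article.
VAULT_RSA_KEYGEN_MECHANISMS = frozenset({
    "CKM_RSA_PKCS_KEY_PAIR_GEN",
    "CKM_RSA_X9_31_KEY_PAIR_GEN",
})

# Mechanisms a FIPS-mode Luna HSM exposes for RSA key generation, as listed in the article.
LUNA_FIPS_RSA_KEYGEN_MECHANISMS = frozenset({
    "CKM_RSA_FIPS_186_3_PRIME_KEY_PAIR_GEN",
    "CKM_RSA_FIPS_186_3_AUX_PRIME_KEY_PAIR_GEN",
})


def check_rsa_keygen_compat(token_mechanisms: Iterable[str]) -> dict:
    """Compare a token's advertised mechanism names with what Vault can use.

    Returns a dict with:
      ok        - True if Vault has at least one usable mechanism
      usable    - sorted list of mechanisms Vault could pick from
      fips_only - sorted list of 186-3 mechanisms present that Vault cannot request
      advice    - a one-line diagnosis matching the article's solutions
    """
    offered = {m.strip().upper() for m in token_mechanisms if m.strip()}
    usable = sorted(offered & VAULT_RSA_KEYGEN_MECHANISMS)
    fips_only = sorted(offered & LUNA_FIPS_RSA_KEYGEN_MECHANISMS)
    if usable:
        advice = "ok: Vault can generate RSA keys on this token"
    elif fips_only:
        advice = ("Vault will fail with 'no supported rsa key generation mechanisms found'; "
                  "disable FIPS mode or use the Luna Remap Mechanism feature")
    else:
        advice = "token advertises no RSA key-pair generation mechanism at all"
    return {"ok": bool(usable), "usable": usable, "fips_only": fips_only, "advice": advice}


def parse_mechanism_listing(text: str) -> list:
    """Extract CKM_* names from a text listing, one mechanism per line.

    Only the first CKM_* token on each line is taken; extra columns such as
    key sizes or capability flags are ignored.
    """
    names = []
    for line in text.splitlines():
        for tok in line.replace(",", " ").split():
            if tok.upper().startswith("CKM_"):
                names.append(tok.upper())
                break
    return names


# Constructed sample listing resembling a FIPS-mode Luna token (not real HSM output).
SAMPLE_FIPS_LISTING = """\
CKM_RSA_FIPS_186_3_PRIME_KEY_PAIR_GEN      keysize 2048-4096
CKM_RSA_FIPS_186_3_AUX_PRIME_KEY_PAIR_GEN  keysize 2048-4096
CKM_RSA_PKCS                               sign/verify
CKM_AES_KEY_GEN
"""

# Constructed sample for the same token with FIPS mode disabled.
SAMPLE_NONFIPS_LISTING = (SAMPLE_FIPS_LISTING
                          + "CKM_RSA_PKCS_KEY_PAIR_GEN\nCKM_RSA_X9_31_KEY_PAIR_GEN\n")


def live_token_mechanisms(module_path: str, slot_index: int = 0) -> list:
    """Optional live variant (assumption: the python-pkcs11 package is installed).

    Reads the mechanism list straight from a PKCS#11 module so the check above
    can run against a real token. Vendor-defined mechanisms that the library
    does not know by name are rendered as CKM_VENDOR_0x... placeholders.
    """
    import pkcs11  # not needed for the offline checks above
    lib = pkcs11.lib(module_path)
    slot = lib.get_slots()[slot_index]
    names = []
    for mech in slot.get_mechanisms():
        name = getattr(mech, "name", None)
        names.append("CKM_" + name if name else f"CKM_VENDOR_0x{int(mech):08x}")
    return names


if __name__ == "__main__":
    for label, listing in (("FIPS", SAMPLE_FIPS_LISTING), ("non-FIPS", SAMPLE_NONFIPS_LISTING)):
        r = check_rsa_keygen_compat(parse_mechanism_listing(listing))
        print(f"{label}: ok={r['ok']} usable={r['usable']} -> {r['advice']}")
```

Running the script against the two constructed listings reproduces the article's situation: the FIPS listing yields no usable mechanism and the diagnosis points at the two solutions below, while the non-FIPS listing exposes both mechanisms Vault requests.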
Solutions:
- Disable FIPS mode on the HSM and retry key generation.
- Use the Luna HSM Remap Mechanism feature to circumvent this limitation.
Outcome
The issue is resolved by using the Remap Mechanism feature to generate the key pair instead.