
PKCS11 - Generate key for SHA256_HMAC

I use the Botan2 library to access SoftHSM2. I managed to generate some AES/DES keys, yet I would like to generate a secret for SHA256 HMAC.

My code (after creating a session, logging in and detecting my token):

namespace p11 = Botan::PKCS11;
p11::SecretKeyProperties propsOtpGen(p11::KeyType::Sha256Hmac);
propsOtpGen.set_label("OTPGEN");
propsOtpGen.set_modifiable(false);
propsOtpGen.set_private(true);
propsOtpGen.set_token(true);
propsOtpGen.set_sensitive(true);
propsOtpGen.set_sign(true);
propsOtpGen.set_verify(true);
propsOtpGen.add_numeric(p11::AttributeType::ValueLen, 16UL);   // CKA_VALUE_LEN, in bytes

// CKM_GENERIC_SECRET_KEY_GEN takes no mechanism parameter
p11::Mechanism m {static_cast<CK_MECHANISM_TYPE>(p11::MechanismType::GenericSecretKeyGen), NULL_PTR, 0};
p11::ObjectHandle keyHandle;
const std::vector<p11::Attribute> vec = propsOtpGen.attributes();

module->C_GenerateKey(session.handle(), &m, const_cast<CK_ATTRIBUTE*>(&vec[0]), vec.size(), &keyHandle);

throws 0xd1 CKR_TEMPLATE_INCONSISTENT.

I checked the SoftHSM2 logs, yet there is no further information.

EDIT

I had some other sample implementation that used nCipher, and a similar approach worked with the vendor mechanism CKM_NC_SHA256_HMAC_KEY_GEN. This one, however, is not in the PKCS#11 standard, thus I cannot use it.

After trying all calls imaginable, I still haven't made it work with the SHA256HMAC key type. It seems there is no generator for it.

The only workaround I found is using the GenericSecret key type.

namespace p11 = Botan::PKCS11;
p11::SecretKeyProperties propsOtpGen(p11::KeyType::GenericSecret);
//...

This generates the key; later the object handle can be passed to sign/verify with the proper mechanism:

CK_MECHANISM mechanism{CKM_SHA256_HMAC, NULL_PTR, 0};   // HMAC-SHA256 over the data, keyed by the generated secret
module->C_SignInit(session.handle(), &mechanism, keyHandle);
module->C_Sign(session.handle(), data, signature);

However, the above operation will still fail under the SoftHSM2 that I am using, since it doesn't support the supplied key size (this can be read from the slot's get_mechanism_info); the supported range is <32,512>. The final touch therefore will be patching

propsOtpGen.add_numeric(p11::AttributeType::ValueLen, 32UL);

I have tried to apply the different key size back to the Sha256Hmac key type, yet it doesn't seem to solve the problem. (I assumed that the template inconsistency may be caused by this attribute.)
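The post's two findings (the key-gen mechanism rejects the Sha256Hmac key type, and CKA_VALUE_LEN has to sit inside the range C_GetMechanismInfo reports for CKM_SHA256_HMAC) can both be checked before any call reaches the token. The block below is an added example, not code from the post or from Botan: a pre-flight check of the secret-key template against the mechanism info. It uses the standard PKCS#11 constant values, a MechInfo struct standing in for the three fields of CK_MECHANISM_INFO so it compiles without the PKCS#11 headers, and two constructed mechanism-info samples: the 32..512 HMAC range the post reports for SoftHSM2, and an assumed wide range for the key-gen mechanism. The first rule encodes the spec's statement that CKM_GENERIC_SECRET_KEY_GEN itself contributes CKA_KEY_TYPE = CKK_GENERIC_SECRET, which is why a template naming another key type is inconsistent.

```cpp
// Added example (not from the original post or from Botan): pre-flight check
// of a secret-key generation template against C_GetMechanismInfo data, so
// CKR_TEMPLATE_INCONSISTENT / key-size failures surface before C_GenerateKey
// and C_SignInit are called.
#include <algorithm>
#include <cstdio>
#include <initializer_list>
#include <string>

using CK_ULONG = unsigned long;

// Standard PKCS#11 values (pkcs11t.h).
constexpr CK_ULONG CKK_GENERIC_SECRET         = 0x00000010UL;
constexpr CK_ULONG CKK_SHA256_HMAC            = 0x0000002BUL;
constexpr CK_ULONG CKM_GENERIC_SECRET_KEY_GEN = 0x00000350UL;
constexpr CK_ULONG CKF_SIGN                   = 0x00000800UL;
constexpr CK_ULONG CKF_VERIFY                 = 0x00002000UL;
constexpr CK_ULONG CKF_GENERATE               = 0x00008000UL;

struct MechInfo {            // stand-in for CK_MECHANISM_INFO
    CK_ULONG ulMinKeySize;   // bytes for generic-secret and HMAC mechanisms
    CK_ULONG ulMaxKeySize;
    CK_ULONG flags;
};

// Constructed sample mechanism info. kHmacInfo uses the 32..512 range the post
// reports for CKM_SHA256_HMAC on SoftHSM2; kGenInfo is an assumed wide range.
const MechInfo kGenInfo  = {1UL, 0x80000000UL, CKF_GENERATE};
const MechInfo kHmacInfo = {32UL, 512UL, CKF_SIGN | CKF_VERIFY};

struct SecretKeyTemplate {
    CK_ULONG key_type;   // CKA_KEY_TYPE
    CK_ULONG value_len;  // CKA_VALUE_LEN in bytes
    bool sign;           // CKA_SIGN
    bool verify;         // CKA_VERIFY
};

// Returns "" when the template is usable with gen_mech for key generation and
// with CKM_SHA256_HMAC afterwards; otherwise the first problem found.
std::string check_template(const SecretKeyTemplate& t, CK_ULONG gen_mech,
                           const MechInfo& gen_info, const MechInfo& hmac_info) {
    // CKM_GENERIC_SECRET_KEY_GEN contributes CKA_KEY_TYPE = CKK_GENERIC_SECRET
    // itself; any other key type in the template conflicts with the mechanism.
    if (gen_mech == CKM_GENERIC_SECRET_KEY_GEN && t.key_type != CKK_GENERIC_SECRET)
        return "CKA_KEY_TYPE must be CKK_GENERIC_SECRET for CKM_GENERIC_SECRET_KEY_GEN";
    if (!(gen_info.flags & CKF_GENERATE))
        return "token does not report CKF_GENERATE for the key-gen mechanism";
    if (t.value_len < gen_info.ulMinKeySize || t.value_len > gen_info.ulMaxKeySize)
        return "CKA_VALUE_LEN outside the key-gen mechanism's key-size range";
    if (t.value_len < hmac_info.ulMinKeySize || t.value_len > hmac_info.ulMaxKeySize)
        return "CKA_VALUE_LEN outside the CKM_SHA256_HMAC key-size range";
    if (t.sign && !(hmac_info.flags & CKF_SIGN))
        return "CKM_SHA256_HMAC does not support signing on this token";
    if (t.verify && !(hmac_info.flags & CKF_VERIFY))
        return "CKM_SHA256_HMAC does not support verification on this token";
    return "";
}

// Smallest adjustment of the requested CKA_VALUE_LEN that both mechanisms
// accept; 0 when their key-size ranges do not overlap.
CK_ULONG pick_value_len(CK_ULONG requested, const MechInfo& gen_info,
                        const MechInfo& hmac_info) {
    const CK_ULONG lo = std::max(gen_info.ulMinKeySize, hmac_info.ulMinKeySize);
    const CK_ULONG hi = std::min(gen_info.ulMaxKeySize, hmac_info.ulMaxKeySize);
    if (lo > hi) return 0;
    return std::min(std::max(requested, lo), hi);
}

int main() {
    const SecretKeyTemplate as_posted {CKK_SHA256_HMAC, 16, true, true};   // first attempt in the post
    const SecretKeyTemplate workaround{CKK_GENERIC_SECRET, 16, true, true}; // GenericSecret, still 16 bytes
    const SecretKeyTemplate fixed     {CKK_GENERIC_SECRET,
                                       pick_value_len(16, kGenInfo, kHmacInfo), true, true};
    for (const SecretKeyTemplate* t : {&as_posted, &workaround, &fixed}) {
        const std::string why = check_template(*t, CKM_GENERIC_SECRET_KEY_GEN, kGenInfo, kHmacInfo);
        std::printf("key_type=0x%lx value_len=%lu: %s\n", t->key_type, t->value_len,
                    why.empty() ? "ok" : why.c_str());
    }
    return 0;
}
```

With the sample values, the posted template is rejected on the key type, the GenericSecret template with 16 bytes is rejected on the HMAC key-size range, and pick_value_len raises the length to 32, matching the patch at the end of the post. On a real token, fill the two MechInfo values from C_GetMechanismInfo (Botan: slot.get_mechanism_info) for CKM_GENERIC_SECRET_KEY_GEN and CKM_SHA256_HMAC instead of the constructed samples.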
