stackoom
  简体   繁体   中英

PKCS11 - Generate key for SHA256_HMAC

 原文  2020-05-12 07:10:59       c++/ pkcs#11/ botan/ softhsm

Question

I use Botan2 library to access SoftHSM2. I managed to generatesome AES/DES keys, yet I would like to generate a secret for SHA256 HMAC.

My code (after creating session, logging in and detecting my token):

namespace p11 = Botan::PKCS11;
p11::SecretKeyProperties propsOtpGen(p11::KeyType::Sha256Hmac);
propsOtpGen.set_label("OTPGEN");
propsOtpGen.set_modifiable(false);
propsOtpGen.set_private(true);
propsOtpGen.set_token(true);
propsOtpGen.set_sensitive(true);
propsOtpGen.set_sign(true);
propsOtpGen.set_verify(true);
propsOtpGen.add_numeric(p11::AttributeType::ValueLen, 16UL);

p11::Mechanism m {static_cast<CK_MECHANISM_TYPE >::MechanismType::GenericSecretKeyGen), NULL_PTR, 0};
11::ObjectHandle keyHandle;
const std::vector<p11::Attribute> vec = propsOtpGen.attributes();

module->C_GenerateKey(session.handle(), &m, const_cast<CK_ATTRIBUTE*>(&vec[0]), vec.size(), &keyHandle);

throws 0xd1 CKR_TEMPLATE_INCONSISTENT .

I checked SofthHSM2 logs, yet there is no further information.

EDIT

I had some other sample implementation that used nCipher, and similar attitude worked with vendor mechanism CKM_NC_SHA256_HMAC_KEY_GEN . This one, however, is not in the pkcs11 standard, thus I cannot use it.

1 answers

solution1
 0 ACCPTED  2020-05-12 11:39:49

After trying all calls imaginable, i still haven't made it work with SHA256HMAC key type. Seems like there is no generator for it.

The onlu workaround I found is using the GenericSecret key type.

namespace p11 = Botan::PKCS11;
p11::SecretKeyProperties propsOtpGen(p11::KeyType::GenericSecret);
//...

This generates the key, later the object handle can be passed to sign/verify with proper mechanism

CK_MECHANISM mechanism{CKM_SHA256_HMAC, NULL_PTR, 0};
module->C_SignInit(session.handle(), &mechanism, keyHandle);
module->C_Sign(session.handle(), data, signature);

However, the abovementioned operation will still fail under SoftHSM2 that I am using, since it doesn't support the supplied key size (this can be read from slot's get_mechanism_info ) - supported range is <32,512>. Final touch therefore will be patching

propsOtpGen.add_numeric(p11::AttributeType::ValueLen, 32UL);

I have tried to apply the different key size back to Sha256Hmac key type, yet it doesn't seem to solve the problem. (I assumed that the template inconsistence may be caused by this attribute).

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Generate HMAC SHA256 hash using key in C++ HMAC SHA256 in C++ (DynamoDB) What is wrong in C++ struct reading from PKCS11? Is Rfc2898DeriveBytes equivalent to PKCS5_PBKDF2_HMAC_SHA1? Different result HMAC SHA-256 in C++ and PHP Generate SHA256 in c++ Generate sha256 with OpenSSL and C++ HMAC SHA256 sign on Java, Verify on C++ private-public keys How use custom key in HMAC-SHA1 Crypto++ realisation How to generate RSA-SHA256 digital signature with OpenSSL libraries?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM