diff options
| author | Rob Austein <sra@hactrn.net> | 2017-05-20 15:23:43 -0400 |
|---|---|---|
| committer | Rob Austein <sra@hactrn.net> | 2017-05-20 15:23:43 -0400 |
| commit | 693a196d4d62f0dc95dd587512aa26ea0916ddca (patch) | |
| tree | 43dfb4fe3efc446d9c2bc3f9603b4882dd09ee9f | |
| parent | 88603b2c457591c9522883bd2354c56640ecd4c1 (diff) | |
HMAC notes.
| -rw-r--r-- | pkcs11.c | 10 |
1 files changed, 9 insertions, 1 deletions
@@ -4289,7 +4289,15 @@ CK_RV C_GetMechanismInfo(CK_SLOT_ID slotID, #if 0 /* - * We have Verilog and libhal for these, but no PKCS #11 support (yet). + * libhal supports HMAC, but we have no PKCS #11 HMAC support (yet). + * + * HMAC in PKCS #11 is a bit weird (what a surprise). It uses the + * C_Sign*()/C_Verify*() API, with "generic secret key" objects + * (CKO_SECRET_KEY, CKK_GENERIC_SECRET): these can be created with + * C_CreateObject() (user-supplied HMAC key) or C_GenerateKey() + * (HSM-generated HMAC key, probably from TRNG). The CKM_*_HMAC + * mechanisms have fixed-length output; the CKM_*_HMAC_GENERAL + * mechanisms are variable-width output. */ case CKM_SHA_1_HMAC: case CKM_SHA224_HMAC: |