-rw-r--r-- | pkcs11.c | 10 |
1 files changed, 9 insertions, 1 deletions
@@ -4289,7 +4289,15 @@ CK_RV C_GetMechanismInfo(CK_SLOT_ID slotID,
 #if 0
 /*
- * We have Verilog and libhal for these, but no PKCS #11 support (yet).
+ * libhal supports HMAC, but we have no PKCS #11 HMAC support (yet).
+ *
+ * HMAC in PKCS #11 is a bit weird (what a surprise). It uses the
+ * C_Sign*()/C_Verify*() API, with "generic secret key" objects
+ * (CKO_SECRET_KEY, CKK_GENERIC_SECRET): these can be created with
+ * C_CreateObject() (user-supplied HMAC key) or C_GenerateKey()
+ * (HSM-generated HMAC key, probably from TRNG). The CKM_*_HMAC
+ * mechanisms have fixed-length output; the CKM_*_HMAC_GENERAL
+ * mechanisms are variable-width output.
 */
 case CKM_SHA_1_HMAC:
 case CKM_SHA224_HMAC: |
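Review bot: The added comment calls the CKM_*_HMAC_GENERAL mechanisms variable-width but does not record that the width is chosen by the caller through the mechanism parameter (CK_MAC_GENERAL_PARAMS), which is the detail that matters once this `#if 0` block is enabled. I would add a line such as `* NOTE: _GENERAL output length is caller-supplied; enforce a minimum on C_Verify*().` so a later implementation does not accept arbitrarily short tags. The "probably from TRNG" remark should also be confirmed against libhal before C_GenerateKey() is wired up for generic secret keys, since the comment will be read as the design intent. C_GetMechanismInfo starts and ends outside this hunk, so how these cases are finally reported is not visible here.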