From 693a196d4d62f0dc95dd587512aa26ea0916ddca Mon Sep 17 00:00:00 2001 From: Rob Austein Date: Sat, 20 May 2017 15:23:43 -0400 Subject: HMAC notes. --- pkcs11.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/pkcs11.c b/pkcs11.c index 0be7513..f3ac77b 100644 --- a/pkcs11.c +++ b/pkcs11.c @@ -4289,7 +4289,15 @@ CK_RV C_GetMechanismInfo(CK_SLOT_ID slotID, #if 0 /* - * We have Verilog and libhal for these, but no PKCS #11 support (yet). + * libhal supports HMAC, but we have no PKCS #11 HMAC support (yet). + * + * HMAC in PKCS #11 is a bit weird (what a surprise). It uses the + * C_Sign*()/C_Verify*() API, with "generic secret key" objects + * (CKO_SECRET_KEY, CKK_GENERIC_SECRET): these can be created with + * C_CreateObject() (user-supplied HMAC key) or C_GenerateKey() + * (HSM-generated HMAC key, probably from TRNG). The CKM_*_HMAC + * mechanisms have fixed-length output; the CKM_*_HMAC_GENERAL + * mechanisms are variable-width output. */ case CKM_SHA_1_HMAC: case CKM_SHA224_HMAC: -- cgit v1.2.3