From 693a196d4d62f0dc95dd587512aa26ea0916ddca Mon Sep 17 00:00:00 2001
From: Rob Austein <sra@hactrn.net>
Date: Sat, 20 May 2017 15:23:43 -0400
Subject: HMAC notes.

---
 pkcs11.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/pkcs11.c b/pkcs11.c
index 0be7513..f3ac77b 100644
--- a/pkcs11.c
+++ b/pkcs11.c
@@ -4289,7 +4289,15 @@ CK_RV C_GetMechanismInfo(CK_SLOT_ID slotID,
 
 #if 0
     /*
-     * We have Verilog and libhal for these, but no PKCS #11 support (yet).
+     * libhal supports HMAC, but we have no PKCS #11 HMAC support (yet).
+     *
+     * HMAC in PKCS #11 is a bit weird (what a surprise).  It uses the
+     * C_Sign*()/C_Verify*() API, with "generic secret key" objects
+     * (CKO_SECRET_KEY, CKK_GENERIC_SECRET): these can be created with
+     * C_CreateObject() (user-supplied HMAC key) or C_GenerateKey()
+     * (HSM-generated HMAC key, probably from TRNG).  The CKM_*_HMAC
+     * mechanisms have fixed-length output; the CKM_*_HMAC_GENERAL
+     * mechanisms are variable-width output.
      */
   case CKM_SHA_1_HMAC:
   case CKM_SHA224_HMAC:
-- 
cgit v1.2.3