Feat: Add mechanisms for simple key derivations #310
dcb3208 to 0be833d
I just pushed an update of kryoptic 1.3.1 into Fedora, so next time you run the CI, you should have these algorithms supported.
0be833d to e68cea7
@Jakuje sorry for the delay! I haven't had much time recently. It seems the tests I've added are all failing due to an incomplete template error from Kryoptic. I'll look into it more when I have the chance.
The unique-id test is fixed with #313. I will try to check the other failures when I get some time. We have some test coverage in kryoptic, but it's always better when somebody else reads through the specs and writes the tests.
Looks like I tested this in kryoptic testsuite only with the session object (CKA_TOKEN=FALSE) and it fails only when we try to create a database object from this for some reason. Workaround here would be then to do the session objects (as you usually really want these to be ephemeral), but indeed, this is something we need to fix. With the reproducer, I hope I will be able to figure out how to get this fixed. I will keep you updated.
I retested with current main of kryoptic and with the following patch, all the tests are passing (except for the one fixed in #313). I will likely update Fedora package with the recent fixes on top of the release:
Actually the PR is not yet merged, but the changes posted above are still needed. I will update Fedora after the PR gets merged.
These include the CKM_{CONCATENATE,XOR}_{BASE,DATA}_AND_{DATA,BASE}, CKM_CONCATENATE_BASE_AND_KEY and CKM_EXTRACT_KEY_FROM_KEY mechanisms
Signed-off-by: Jacob Prud'homme <[email protected]>
Despite the fact that we can use `make_mechanism()` to create a `CK_MECHANISM` object from the GcmParams and GcmMessageParams, we were not doing so. This fixes this
Signed-off-by: Jacob Prud'homme <[email protected]>
The latest version of Kryoptic released to Fedora actually supports them now
Signed-off-by: Jacob Prud'homme <[email protected]>
They were missing the object class attribute
Signed-off-by: Jacob Prud'homme <[email protected]>
0bda081 to 728b7ac
I just updated Fedora package kryoptic to contain the fix from latchset/kryoptic#343 so please, fix the DCO CI and kryoptic should start working once the update lands in mirrors:
This is needed for allowing people to use them as the secondary key in one of the simple key derivation mechanisms that take two keys
Signed-off-by: Jacob Prud'homme <[email protected]>
0a02b5d to 098d6d1
CI is happy now. Code looks good. Thank you for the contribution and finding bugs in kryoptic!
Thank you!!
Sorry I couldn't be more active on this one, but it's finally through. Thanks y'all!
Author: Jacob Prud'homme
Email: [email protected]
Description
This PR adds support for the simple key derivation mechanisms (defined in section 6.43 of v3.1 of PKCS#11).
Motivation
We would like to use some of these mechanisms in a cryptography library we are building, and figured it would make sense to add support for all of them since they are all simple.
Summary of Changes
`CONCATENATE_BASE_AND_KEY`, `CONCATENATE_BASE_AND_DATA`, `CONCATENATE_DATA_AND_BASE`, `XOR_BASE_AND_DATA`, `EXTRACT_KEY_FROM_KEY` mechanism types and their corresponding `Mechanism` variants, as well as new parameter types for some of these (in a new `misc` module)
`make_mechanism()` for `GcmParams` and `GcmMessageParams`, for some reason this was not the case before)