Merge pull request #181 from xaqq/main
Expose AES-CMAC algorithm
wiktor-k authored Nov 3, 2023
2 parents d7ea453 + bd5ded9 commit c68fdf2
Showing 2 changed files with 75 additions and 0 deletions.
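--- a/cryptoki/src/mechanism/mod.rs
+++ b/cryptoki/src/mechanism/mod.rs
@@ -71,6 +71,9 @@ impl MechanismType {
 val: CKM_AES_CBC_ENCRYPT_DATA,
 };
 
+/// AES-CMAC mechanism
+pub const AES_CMAC: MechanismType = MechanismType { val: CKM_AES_CMAC };
+
 // RSA
 /// PKCS #1 RSA key pair generation mechanism
 pub const RSA_PKCS_KEY_PAIR_GEN: MechanismType = MechanismType {
@@ -710,6 +713,8 @@ pub enum Mechanism<'a> {
 /// For derivation, the message length must be a multiple of the block
 /// size. See <https://www.cryptsoft.com/pkcs11doc/v220/>.
 AesCbcEncryptData(ekdf::AesCbcDeriveParams<'a>),
+/// AES CMAC
+AesCMac,
 
 // RSA
 /// PKCS #1 RSA key pair generation mechanism
@@ -854,6 +859,7 @@ impl Mechanism<'_> {
 Mechanism::AesKeyWrapPad => MechanismType::AES_KEY_WRAP_PAD,
 Mechanism::AesGcm(_) => MechanismType::AES_GCM,
 Mechanism::AesCbcEncryptData(_) => MechanismType::AES_CBC_ENCRYPT_DATA,
+Mechanism::AesCMac => MechanismType::AES_CMAC,
 Mechanism::RsaPkcsKeyPairGen => MechanismType::RSA_PKCS_KEY_PAIR_GEN,
 Mechanism::RsaPkcs => MechanismType::RSA_PKCS,
 Mechanism::RsaPkcsPss(_) => MechanismType::RSA_PKCS_PSS,
@@ -936,6 +942,7 @@ impl From<&Mechanism<'_>> for CK_MECHANISM {
 | Mechanism::AesEcb
 | Mechanism::AesKeyWrap
 | Mechanism::AesKeyWrapPad
+| Mechanism::AesCMac
 | Mechanism::RsaPkcsKeyPairGen
 | Mechanism::RsaPkcs
 | Mechanism::RsaX509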
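Review bot: The doc comment on the new variant, `/// AES CMAC`, gives a caller nothing to go on; `/// AES-CMAC (CKM_AES_CMAC): takes no parameters, used with sign/verify, produces a full-block (16-byte) tag` would match the level of detail on the neighbouring variants. The 7 additions touch only the constant, the variant, the `Mechanism` to `MechanismType` match and the `CK_MECHANISM` conversion. If this file also maps a raw mechanism value back to `MechanismType` or to a display name (not visible in these hunks), `CKM_AES_CMAC` likely needs an entry there too, otherwise a token that advertises it may be reported as unsupported. All four enclosing items start and end outside the hunks.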
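--- a/cryptoki/tests/basic.rs
+++ b/cryptoki/tests/basic.rs
@@ -1187,3 +1187,71 @@ fn ekdf_aes_cbc_encrypt_data() -> TestResult {
 
 Ok(())
 }
+
+#[test]
+#[serial]
+fn aes_cmac_sign() -> TestResult {
+let (pkcs11, slot) = init_pins();
+let session = pkcs11.open_rw_session(slot)?;
+session.login(UserType::User, Some(&AuthPin::new(USER_PIN.into())))?;
+let key: [u8; 16] = [
+0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f,
+0x3c,
+];
+let message: [u8; 16] = [
+0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17,
+0x2a,
+];
+let expected_mac: [u8; 16] = [
+0x07, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44, 0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28,
+0x7c,
+];
+
+let key_template = vec![
+Attribute::Class(ObjectClass::SECRET_KEY),
+Attribute::KeyType(KeyType::AES),
+Attribute::Token(true),
+Attribute::Sensitive(true),
+Attribute::Private(true),
+Attribute::Value(key.into()),
+Attribute::Sign(true),
+];
+let key = session.create_object(&key_template)?;
+let signature = session.sign(&Mechanism::AesCMac, key, &message)?;
+
+assert_eq!(expected_mac.as_slice(), signature.as_slice());
+Ok(())
+}
+
+#[test]
+#[serial]
+fn aes_cmac_verify() -> TestResult {
+let (pkcs11, slot) = init_pins();
+let session = pkcs11.open_rw_session(slot)?;
+session.login(UserType::User, Some(&AuthPin::new(USER_PIN.into())))?;
+let key: [u8; 16] = [
+0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f,
+0x3c,
+];
+let message: [u8; 16] = [
+0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17,
+0x2a,
+];
+let expected_mac: [u8; 16] = [
+0x07, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44, 0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28,
+0x7c,
+];
+
+let key_template = vec![
+Attribute::Class(ObjectClass::SECRET_KEY),
+Attribute::KeyType(KeyType::AES),
+Attribute::Token(true),
+Attribute::Sensitive(true),
+Attribute::Private(true),
+Attribute::Value(key.into()),
+Attribute::Verify(true),
+];
+let key = session.create_object(&key_template)?;
+session.verify(&Mechanism::AesCMac, key, &message, &expected_mac)?;
+Ok(())
+}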
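Review bot: `aes_cmac_verify` exercises only the accept path, so it would still pass against a verify that accepts any MAC. Add a reject case after the existing call: `let mut bad_mac = expected_mac; bad_mac[0] ^= 1;` followed by `assert!(session.verify(&Mechanism::AesCMac, key, &message, &bad_mac).is_err());`. Both tests also create the key with `Attribute::Token(true)` and never remove it, so a key whose value is published in the test source stays on the token after each run; `Attribute::Token(false)` or a final `session.destroy_object(key)?;` avoids that. The key, message and MAC appear to be RFC 4493 example 2, so a one-line comment naming the source would let a reader check them, and the three arrays could be shared between the two tests rather than repeated.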
