<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
</head>
<body>
<p>Hi, Justin,<br>
</p>
<p>Most callers just wrap the HMAC key bytes into a java SecretKey
object, e.g. new SecretKeySpec(keyBytes, "HmacSHA256"), pass that
into the HMAC impl from SunPKCS11 provider which will then convert
it into a CKK_GENERIC_SECRET key and passing that to underlying
PKCS11 library.</p>
<p>Maybe for some very specific cases, support
CKM_GENERIC_SECRET_KEY_GEN is necessary and I can look into that.
For determining the priority on this, would the java SecretKey
object address your need? Or is there other reason requiring 3rd
party utility?</p>
Thanks,<br>
Valerie
<p><br>
</p>
<div class="moz-cite-prefix">On 10/21/2020 8:44 PM, Justin Cranford
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:MN2PR11MB452079B3FFDAD45F14B50805FA1D0@MN2PR11MB4520.namprd11.prod.outlook.com">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<div class="WordSection1">
<p class="MsoNormal">Compare SunPKCS11 support for AES vs HMAC</p>
<ul type="disc">
<li class="MsoListParagraph">AES => keygen is supported,
and AES key can be used for encrypt and decrypt.</li>
<li class="MsoListParagraph">HMAC => keygen is not
supported, but HMAC key can be used for MAC.</li>
</ul>
<p class="MsoNormal"> </p>
<p class="MsoNormal">This does not make sense. A third-party
utility is required for HMAC keygen, but not for AES keygen.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Use case:</p>
<ul type="disc">
<li class="MsoListParagraph">PKCS#11 driver is v2.20.</li>
<li class="MsoListParagraph">This means AES-256-GCM is not
available for confidentiality and integrity, because GCM
supported was only added in PKCS#11 v2.40.</li>
<li class="MsoListParagraph">Fallback to AES-256-CBC and
HmacSha256 is required for confidentiality and integrity,
respectively.</li>
<li class="MsoListParagraph">Java can trigger AES keygen, but
not HMAC keygen. A third-party utility is required to
trigger HMAC keygen before running Java.</li>
</ul>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Would it be possible to add the missing
GENERIC-SECRET-KEY-GEN mechanism to SunPKCS11? Notice how that
mechanism is missing from the documented SunPKCS11 algorithms
and mechanisms. It is the same in Java 8 all the way up to 15.</p>
<ul type="disc">
<li class="MsoListParagraph"><a
href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html#ALG"
moz-do-not-send="true">https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html#ALG</a></li>
</ul>
<p class="MsoNormal"> </p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">To reproduce and demonstrate the missing
HMAC keygen issue, here is a small Java Maven project.</p>
<ul type="disc">
<li class="MsoListParagraph"><a
href="https://github.com/justincranford/pkcs11"
moz-do-not-send="true">https://github.com/justincranford/pkcs11</a></li>
</ul>
<p class="MsoNormal"> </p>
<p class="MsoNormal">The readme shows the commands to initialize
the SoftHSM2 token, and use a third-party OpenSC utility to
trigger HMAC keygen. It also shows how to set the required
SoftHSM2 env variable and run the Maven build.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">The Maven build will execute the
ITPkcs11.java integration test class. The tests demonstrate:</p>
<ul type="disc">
<li class="MsoListParagraph">Successful SunPKCS11 login to
SoftHSM2 and list any existing keys</li>
<li class="MsoListParagraph">Successful AES keygen, encrypt,
decrypt</li>
<li class="MsoListParagraph">Successful HMAC mac</li>
<li class="MsoListParagraph">Failed HMAC keygen (because
SunPKCS11 does not support GENERIC-SECRET-KEY-GEN mechanism
yet)</li>
</ul>
<p class="MsoNormal"> </p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Thank you,</p>
<p class="MsoNormal">Justin Cranford</p>
</div>
</blockquote>
</body>
</html>