From: William R. <no...@gi...> - 2021-08-24 09:50:14
Branch: refs/heads/master
Home: https://github.com/OpenSC/OpenSC

Commit: adbd9f099f23fa8a613291bcb72164a977094af1
https://github.com/OpenSC/OpenSC/commit/adbd9f099f23fa8a613291bcb72164a977094af1
Author: William Roberts <wil...@in...>
Date: 2021-08-24 (Tue, 24 Aug 2021)

Changed paths:
M src/tools/pkcs11-tool.c

Log Message:
-----------
pkcs11-tool: support verifying HMAC signatures

Before, verification would only look for CKO_PUBLIC_KEY or CKO_PRIVATE_KEY objects, however, for HMAC to work through C_Verify it needs to look for CKO_SECRET_KEY objects as well.

Before:
tpm2pkcs11-tool --token-label=label --login --pin=myuserpin --verify --id='393837363534333231' --input-file=data.msg --mechanism=SHA-1-HMAC --signature-file=data.sig
error: Public key nor certificate not found
Aborting.

After:
tpm2pkcs11-tool --token-label=label --login --pin=myuserpin --verify --id='393837363534333231' --input-file=data.msg --mechanism=SHA-1-HMAC --signature-file=data.sig
Using signature algorithm SHA-1-HMAC
Signature is valid

To help promote extensibility in the future, various bits of metadata can be associated with a mechanism via the mf_info table. The new bits of metadata are MF_FLAGS and contain information to quickly ascertain what type of CKA_CLASS or C_.* interfaces are supported by the mechanism. This table can be slowly populated over time so support for other mechanisms can be added and the old code paths can be removed.

Signed-off-by: William Roberts <wil...@in...>

Commit: d1024494bf72b8c3db5c7ca2d79b575084885f4d
https://github.com/OpenSC/OpenSC/commit/d1024494bf72b8c3db5c7ca2d79b575084885f4d
Author: William Roberts <wil...@in...>
Date: 2021-08-24 (Tue, 24 Aug 2021)

Changed paths:
M tests/common.sh
M tests/test-pkcs11-tool-sign-verify.sh

Log Message:
-----------
test: add an HMAC C_Sign/C_Verify test

This tests that a Token with a single CKO_SECRET_KEY can be used in HMAC for SHA1, SHA256, SHA284 and SHA512 hash versions.

Since pkcs11 tool does not support --id setting on CKO_SECRET_KEY nor respect the --label option for C_Sign and C_Verify, one may not get the key they expect.

Signed-off-by: William Roberts <wil...@in...>

Compare: https://github.com/OpenSC/OpenSC/compare/1b10f79a58f6...d1024494bf72