
Conversation

@dlegaultbbry (Contributor)

Secret keys can be used for signing in algorithms like HMAC and CMAC, so their CKA_SIGN attribute value should be displayed when listing object attributes.

Before

echo -n "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b" | xxd -r -p - > key.bin
pkcs11-tool --module=... --write-object key.bin --usage-sign --type secrkey --label hmackey --id 1234
Using slot 0 with a present token (0x0)
Created secret key:
Secret Key Object; Generic secret length 20
VALUE: 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
label: hmackey
ID: 1234
Usage: verify
Access: never extractable

After

echo -n "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b" | xxd -r -p - > key.bin
pkcs11-tool --module=... --write-object key.bin --usage-sign --type secrkey --label hmackey --id 1234
Using slot 0 with a present token (0x0)
Created secret key:
Secret Key Object; Generic secret length 20
VALUE: 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
label: hmackey
ID: 1234
Usage: sign, verify
Access: never extractable

Fixes #2851

Checklist
  • PKCS#11 module is tested (tested with my own custom PKCS#11 module)

Secret keys can be used for signing in algorithms like HMAC and
CMAC so they should display their CKA_SIGN attribute value
when listing object attributes

Fixes OpenSC#2851
@mouse07410 (Contributor)

Keyed hash (HMAC, NMAC, CMAC) is a MAC, not a signature.

Therefore, I don't think attribute CKA_SIGN belongs there.

@dlegaultbbry (Contributor, Author)

Well obviously, the people that wrote the spec had a different opinion and this is all related to the spec. MACs are done using the signature API.

CKA_SIGN | CK_BBOOL | CK_TRUE if key supports signatures (i.e., authentication codes) where the signature is an appendix to the data

CKA_VERIFY | CK_BBOOL | CK_TRUE if key supports verification (i.e., of authentication codes) where the signature is an appendix to the data
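To make the two points of this thread concrete (the "Before"/"After" listing in the PR description, and the MAC-versus-signature exchange above), here is an added Python example that is not part of OpenSC or this PR. It models the attribute template a generic secret key gets, renders the "Usage:" line with and without the fix, and shows why a secret key carries CKA_SIGN at all: under PKCS#11, HMAC is computed through the sign/verify API and the tag is an appendix to the data. The attribute names are the PKCS#11 ones; the template itself, the assumption that --usage-sign sets CKA_VERIFY alongside CKA_SIGN, and the functions usage_line, mac_sign and mac_verify are constructed for this example. The key bytes are the ones from the page (20 bytes of 0x0b), which happen to be the key of HMAC test case 1 in RFC 2202 and RFC 4231.

```python
import hmac

# Constructed attribute template modelling what
#   pkcs11-tool --write-object key.bin --usage-sign --type secrkey
# stores for a generic secret key. Attribute names follow PKCS#11; the
# booleans are plain Python values rather than CK_BBOOL encodings.
def secret_key_template(usage_sign=True, usage_decrypt=False, usage_derive=False):
    return {
        "CKA_CLASS": "CKO_SECRET_KEY",
        "CKA_KEY_TYPE": "CKK_GENERIC_SECRET",
        "CKA_ENCRYPT": usage_decrypt,
        "CKA_DECRYPT": usage_decrypt,
        "CKA_SIGN": usage_sign,
        # Assumption: --usage-sign sets CKA_VERIFY too. The "Before" output
        # in the PR description already shows "verify", consistent with that.
        "CKA_VERIFY": usage_sign,
        "CKA_WRAP": False,
        "CKA_UNWRAP": False,
        "CKA_DERIVE": usage_derive,
        "CKA_EXTRACTABLE": False,
        "CKA_NEVER_EXTRACTABLE": True,
    }

# Print order of the usage words (gives "sign, verify" as on the page).
USAGE_ATTRS = (
    ("CKA_ENCRYPT", "encrypt"),
    ("CKA_DECRYPT", "decrypt"),
    ("CKA_SIGN", "sign"),
    ("CKA_VERIFY", "verify"),
    ("CKA_WRAP", "wrap"),
    ("CKA_UNWRAP", "unwrap"),
    ("CKA_DERIVE", "derive"),
)

def usage_line(attrs, query_sign_on_secret_keys=True):
    """Render the "Usage:" line the way an object listing would.

    query_sign_on_secret_keys=False reproduces the pre-fix behaviour: the
    CKA_SIGN attribute is not queried for CKO_SECRET_KEY objects, so a
    sign-capable HMAC key is reported as verify-only.
    """
    words = []
    for attr, word in USAGE_ATTRS:
        if (attr == "CKA_SIGN" and attrs["CKA_CLASS"] == "CKO_SECRET_KEY"
                and not query_sign_on_secret_keys):
            continue
        if attrs.get(attr):
            words.append(word)
    return "Usage: " + ", ".join(words)

# Why a secret key carries CKA_SIGN: PKCS#11 drives HMAC/CMAC through
# C_Sign/C_Verify, and the MAC is a "signature that is an appendix to the
# data" (the spec wording quoted in the thread). Software model, no token.

def mac_sign(key, data, hash_name="sha256"):
    """C_Sign analogue for a CKK_GENERIC_SECRET key: returns the HMAC tag."""
    return hmac.new(key, data, hash_name).digest()

def mac_verify(key, data, tag, hash_name="sha256"):
    """C_Verify analogue: recompute the tag and compare in constant time."""
    return hmac.compare_digest(mac_sign(key, data, hash_name), tag)

# Key material from the page (20 bytes of 0x0b); together with the message
# "Hi There" this is HMAC test case 1 of RFC 2202 (SHA-1) and RFC 4231 (SHA-256).
KEY = bytes.fromhex("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b")
MESSAGE = b"Hi There"

if __name__ == "__main__":
    key = secret_key_template(usage_sign=True)
    print("before fix:", usage_line(key, query_sign_on_secret_keys=False))
    print("after fix: ", usage_line(key))
    tag = mac_sign(KEY, MESSAGE)
    print("HMAC-SHA256 tag:", tag.hex())
    print("verify ok:      ", mac_verify(KEY, MESSAGE, tag))
    print("verify tampered:", mac_verify(KEY, MESSAGE + b"!", tag))
```

The usage rendering is the visible symptom of the bug: the key was written with both capabilities, but the listing only asked the token about CKA_VERIFY for secret keys, so an operator auditing key usage on a token would have under-reported what the key can do.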

@frankmorgner (Member)

@Jakuje merged commit 05c7bff into OpenSC:master Sep 22, 2023

@Jakuje (Member) commented Sep 22, 2023

Thank you!

@xhanulik mentioned this pull request Sep 22, 2023


Linked issue #2851: pkcs11-tool: object usage - secret key + getSIGN
