Hi All, I have some problems in initializing a MAC-based signing operation. Here is the code snippet (nothing special, mostly put together from the PKCS spec samples):

    #define BLOCKSIZE 16

    /* rv, hSession, pFunctionList and true/false are declared outside this snippet */
    CK_ULONG ulMacLen = BLOCKSIZE;
    CK_BYTE mac[ulMacLen];
    CK_BYTE data[] = {"aaaaaaaaaaaaaaa"};
    CK_ULONG datalen = BLOCKSIZE;
    CK_OBJECT_HANDLE hKey;

    /* Generate a 16-byte AES session key that is allowed to sign but not encrypt */
    CK_MECHANISM keygenmecha = {
        CKM_AES_KEY_GEN, NULL_PTR, 0
    };
    CK_ULONG valueLen = BLOCKSIZE;
    CK_ATTRIBUTE template[] = {
        {CKA_TOKEN, &false, sizeof(false)},
        {CKA_SIGN, &true, sizeof(true)},
        {CKA_ENCRYPT, &false, sizeof(false)},
        {CKA_VALUE_LEN, &valueLen, sizeof(valueLen)},
    };

    printf("C_GenerateKey\n");
    rv = pFunctionList->C_GenerateKey(hSession, &keygenmecha, template, 4, &hKey);
    if (rv != CKR_OK) {
        printf("error: %lx\n", rv);
    }

    /* Start the MAC (signing) operation with the generated key */
    CK_MECHANISM macMecha = {
        CKM_AES_MAC, NULL_PTR, 0
    };
    printf("C_SignInit\n");
    rv = pFunctionList->C_SignInit(hSession, &macMecha, hKey);
    if (rv != CKR_OK) {
        printf("error: %lx\n", rv);
    }

C_SignInit returns CKR_MECHANISM_INVALID. According to the PKCS11 list of mechanism capabilities, I should be able to use this mechanism for signing and verification. I also checked the MECHANISM_INFO structure which states 16 bytes min key size, 32 bytes max key size, and the flags 0x2800 (sign and verify), so everything seems green. I'm using NSS version 3.12 in FIPS-mode.

Any help is appreciated.

--
Sebastian

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
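
Added example, not part of the original post and not NSS code: it decodes the flags value 0x2800 quoted above and compares a planned operation with the advertised capabilities (16 to 32 byte keys). The flag values are those defined by PKCS #11; `struct mech_info`, `preflight` and `decode_flags` are hypothetical names standing in for `CK_MECHANISM_INFO` and a caller's own checks.

```c
#include <stdio.h>
#include <string.h>

/* CK_MECHANISM_INFO.flags bits, values as defined by PKCS #11. */
#define CKF_ENCRYPT 0x00000100UL
#define CKF_DECRYPT 0x00000200UL
#define CKF_SIGN    0x00000800UL
#define CKF_VERIFY  0x00002000UL
#define CKF_WRAP    0x00020000UL
#define CKF_UNWRAP  0x00040000UL
#define CKF_DERIVE  0x00080000UL

/* Hypothetical stand-in mirroring the three fields of CK_MECHANISM_INFO. */
struct mech_info { unsigned long min_key, max_key, flags; };
enum preflight { PF_OK, PF_OP_NOT_ADVERTISED, PF_KEY_TOO_SHORT, PF_KEY_TOO_LONG };

/* Compare a planned operation and key length with what the token advertises. */
enum preflight preflight(const struct mech_info *mi, unsigned long op, unsigned long key_len)
{
    if ((mi->flags & op) != op) return PF_OP_NOT_ADVERTISED;
    if (key_len < mi->min_key)  return PF_KEY_TOO_SHORT;
    if (key_len > mi->max_key)  return PF_KEY_TOO_LONG;
    return PF_OK;
}

/* Write the names of the set flags into out; return how many known flags are set. */
int decode_flags(unsigned long flags, char *out, size_t outlen)
{
#define F(x) { x, #x }
    static const struct { unsigned long bit; const char *name; } tbl[] = {
        F(CKF_ENCRYPT), F(CKF_DECRYPT), F(CKF_SIGN), F(CKF_VERIFY),
        F(CKF_WRAP), F(CKF_UNWRAP), F(CKF_DERIVE)
    };
    int n = 0;
    if (outlen == 0) return 0;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof tbl / sizeof tbl[0]; i++) {
        if (!(flags & tbl[i].bit)) continue;
        if (n++ > 0) strncat(out, "|", outlen - strlen(out) - 1);
        strncat(out, tbl[i].name, outlen - strlen(out) - 1);
    }
    return n;
}

int main(void)
{
    struct mech_info mi = { 16, 32, 0x2800UL };  /* values quoted in the post */
    char buf[128];
    decode_flags(mi.flags, buf, sizeof buf);
    printf("%s preflight=%d\n", buf, (int)preflight(&mi, CKF_SIGN, 16));
    return 0;
}
```

With the values from the post, the sign check passes, which matches the poster's reading of the advertised capabilities.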