Hi All,

I have some problems in initializing a MAC-based signing operation. Here
is the code snippet (nothing special, mostly put together from the PKCS
spec samples):

#define BLOCKSIZE 16

    /* hSession, pFunctionList and rv are set up earlier (not shown). */
    CK_BBOOL true = CK_TRUE;
    CK_BBOOL false = CK_FALSE;

    CK_ULONG ulMacLen=BLOCKSIZE;
    CK_BYTE mac[ulMacLen];
    CK_BYTE data[] = {"aaaaaaaaaaaaaaa"};   /* 15 characters plus the terminating NUL */
    CK_ULONG datalen=BLOCKSIZE;
    CK_OBJECT_HANDLE hKey;

    /* Generate a 16-byte AES session key that may sign but not encrypt. */
    CK_MECHANISM keygenmecha = {
        CKM_AES_KEY_GEN, NULL_PTR, 0
    };

    CK_ULONG valueLen= BLOCKSIZE;
    CK_ATTRIBUTE template[] = {
        {CKA_TOKEN, &false, sizeof(false)},
        {CKA_SIGN, &true, sizeof(true)},
        {CKA_ENCRYPT, &false, sizeof(false)},
        {CKA_VALUE_LEN, &valueLen, sizeof(valueLen)},
    };

    printf("C_GenerateKey\n");
    rv=pFunctionList->C_GenerateKey(hSession, &keygenmecha, template,4,&hKey);
    if (rv != CKR_OK) {
        printf("error: %lx\n", rv);
    }

    /* Initialize the MAC (signing) operation with the generated key. */
    CK_MECHANISM macMecha = {
        CKM_AES_MAC, NULL_PTR, 0
    };

    printf("C_SignInit\n");
    rv =pFunctionList->C_SignInit(hSession, &macMecha, hKey);
    if (rv != CKR_OK) {
        printf("error: %lx\n", rv);
    }

C_SignInit returns CKR_MECHANISM_INVALID.
According to the PKCS11 list of mechanism capabilities, I should be able
to use this mechanism for signing and verification. I also checked the
MECHANISM_INFO structure which states 16 bytes min key size, 32 bytes
max key size, and the flags 0x2800 (sign and verify), so everything
seems green.

I'm using NSS version 3.12 in FIPS-mode.

Any help is appreciated.

-- 
Sebastian
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
