On 05/07/2015 11:49 AM, Andrew Cagney wrote:
I'm not sure CKM_VENDOR_DEFINED will be the right thing. The intermediate values are likely CKK_SECRET_KEYS with CKA_DERIVE set to true, It's probably best if you want to use the same value to use something like CKM_XOR_BASE_AND_DATA or something similiar.[inline]On 5 May 2015 at 13:18, Robert Relyea <rrel...@redhat.com> wrote: The target Mechanism is the operation you are going to use the target keyfor, It shouldn't match the mechanism used to derive the key. It is basically used to set the appropriate key type and flags on the resultant key. Example psuedo code: key1 = derive(keybase, mech=CKM_XOR_BASE_AND_DATA, target=CKM_SHA1_KEY_DERIVATION, data); key2 = derive(key1, mech=CKM_SHA1_KEY_DERIVATION, target=CKM_AES_CBC, NULL); decrypt(key2, mech=CKM_AES_CBC, input, output); Ideally you should try to keep it consistent with how your are planning on using the key, but in practice as long as the key is basically the same kind of key, the extact value of target is not necessary (You can use a key generated with target CKM_AES_CBC on an CKM_AES_ECB operation, for instance). Target may also be used to try to set the appropriate key length (if key length isn't supplied).Thanks for the clarification; my reading of the documentation wasn't too far off. For the intermediate values I think I'll try something like CKM_VENDOR_DEFINED; and, to your point, ensure all the final keys have meaningful values.
bob
smime.p7s
Description: S/MIME Cryptographic Signature
-- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto