Add SHA256-HMAC mechanism.

Signed-off-by: Jippe Holwerda <[email protected]>
parallaxsecond · Nov 1, 2023 · ac9e33b · ac9e33b
1 parent d7ea453
commit ac9e33b
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 1 deletion.
diff --git a/cryptoki/src/mechanism/mod.rs b/cryptoki/src/mechanism/mod.rs
@@ -248,6 +248,10 @@ impl MechanismType {
     pub const SHA512_RSA_PKCS_PSS: MechanismType = MechanismType {
         val: CKM_SHA512_RSA_PKCS_PSS,
     };
+    /// SHA256-HMAC mechanism
+    pub const SHA256_HMAC: MechanismType = MechanismType {
+        val: CKM_SHA256_HMAC,
+    };
     /// GENERIC-SECRET-KEY-GEN mechanism
     pub const GENERIC_SECRET_KEY_GEN: MechanismType = MechanismType {
         val: CKM_GENERIC_SECRET_KEY_GEN,
@@ -660,6 +664,7 @@ impl TryFrom<CK_MECHANISM_TYPE> for MechanismType {
             CKM_SHA256_RSA_PKCS => Ok(MechanismType::SHA256_RSA_PKCS),
             CKM_SHA384_RSA_PKCS => Ok(MechanismType::SHA384_RSA_PKCS),
             CKM_SHA512_RSA_PKCS => Ok(MechanismType::SHA512_RSA_PKCS),
+            CKM_SHA256_HMAC => Ok(MechanismType::SHA256_HMAC),
             CKM_GENERIC_SECRET_KEY_GEN => Ok(MechanismType::GENERIC_SECRET_KEY_GEN),
             other => {
                 error!("Mechanism type {} is not supported.", other);
@@ -837,7 +842,8 @@ pub enum Mechanism<'a> {
     Sha384RsaPkcsPss(rsa::PkcsPssParams),
     /// SHA256-RSA-PKCS-PSS mechanism
     Sha512RsaPkcsPss(rsa::PkcsPssParams),
-
+    /// SHA256-HMAC mechanism
+    Sha256Hmac,
     /// GENERIC-SECRET-KEY-GEN mechanism
     GenericSecretKeyGen,
 }
@@ -899,6 +905,8 @@ impl Mechanism<'_> {
             Mechanism::Sha384RsaPkcsPss(_) => MechanismType::SHA384_RSA_PKCS_PSS,
             Mechanism::Sha512RsaPkcsPss(_) => MechanismType::SHA512_RSA_PKCS_PSS,
 
+            Mechanism::Sha256Hmac => MechanismType::SHA256_HMAC,
+
             Mechanism::GenericSecretKeyGen => MechanismType::GENERIC_SECRET_KEY_GEN,
         }
     }
@@ -964,6 +972,7 @@ impl From<&Mechanism<'_>> for CK_MECHANISM {
             | Mechanism::Sha256RsaPkcs
             | Mechanism::Sha384RsaPkcs
             | Mechanism::Sha512RsaPkcs
+            | Mechanism::Sha256Hmac
             | Mechanism::GenericSecretKeyGen => CK_MECHANISM {
                 mechanism,
                 pParameter: null_mut(),

diff --git a/cryptoki/tests/basic.rs b/cryptoki/tests/basic.rs
@@ -1187,3 +1187,32 @@ fn ekdf_aes_cbc_encrypt_data() -> TestResult {
 
     Ok(())
 }
+
+#[test]
+#[serial]
+fn sign_verify_sha256_hmac() -> TestResult {
+    let (pkcs11, slot) = init_pins();
+    let session = pkcs11.open_rw_session(slot)?;
+    session.login(UserType::User, Some(&AuthPin::new(USER_PIN.into())))?;
+
+    let priv_key_template = vec![
+        Attribute::Token(true),
+        Attribute::Private(true),
+        Attribute::Sensitive(true),
+        Attribute::Sign(true),
+        Attribute::KeyType(KeyType::GENERIC_SECRET),
+        Attribute::Class(ObjectClass::SECRET_KEY),
+        Attribute::ValueLen(256.into()),
+    ];
+
+    let private = session.generate_key(&Mechanism::GenericSecretKeyGen, &priv_key_template)?;
+
+    let data = vec![0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF];
+
+    let signature = session.sign(&Mechanism::Sha256Hmac, private, &data)?;
+
+    session.verify(&Mechanism::Sha256Hmac, private, &data, &signature)?;
+
+    session.destroy_object(private)?;
+    Ok(())
+}