User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0
Steps to reproduce:
I messed up (again).
Attempted to use new AES-CMAC code via PKCS#11 with nCipher HSM.
Failed -- token reported CKM_AES_CMAC wasn't supported.
This is because I swapped the value of CKM_AES_CMAC from what is in the spec:
/* AES-CMAC values copied from v2.40 errata 1 header file */
#define CKM_AES_CMAC_GENERAL 0x0000108A
#define CKM_AES_CMAC 0x0000108B
What PKCS#11's spec actually says:
published/2-40-errata-1/pkcs11t.h:#define CKM_AES_CMAC 0x0000108AUL
published/2-40-errata-1/pkcs11t.h:#define CKM_AES_CMAC_GENERAL 0x0000108BUL
working/3-00-current/pkcs11t.h:#define CKM_AES_CMAC 0x0000108AUL
working/3-00-current/pkcs11t.h:#define CKM_AES_CMAC_GENERAL 0x0000108BUL
working/3-00-wd-01/pkcs11t.h:#define CKM_AES_CMAC 0x0000108AUL
working/3-00-wd-01/pkcs11t.h:#define CKM_AES_CMAC_GENERAL 0x0000108BUL
This was introduced in the following revision and shipped in v3.48 onwards:
user: Alexander Scheel <firstname.lastname@example.org>
date: Fri Aug 30 12:16:11 2019 +1000
summary: Bug 1570501 - Expose AES-CMAC in PKCS #11 API, r=mt
CKM_AES_CMAC should've been supported and understood by the HSM
This is because of a bug I made when introducing this code. What's the procedure for fixing this? Will I need to add fallback detection for when
CKM_AES_CMAC_GENERAL is utilized (with a parameter spec) but the value
CKM_AES_CMAC is used?