Closed athoelke closed 6 months ago
At the time an HMAC key is constructed, the implementation does not know which Hash will parameterise the algorithm that the key is used with.
Technically, this has to be the same algorithm as the permitted algorithm policy, but up to now, we have only used the policy for authorising use, not for modifying key construction. I do not propose to change this approach for HMAC keys.
We need to revise the documentation about HMAC keys. My suggestion is:
While providing such guidance, we should also recommend against using keys that are shorter than the associated hash output size.
I will include a fix for this as part of the reorganisation of the key format and derivation material in v1.3.
Is it important to also fix this as a patch to earlier versions of the specification (e.g. v1.2)?
While reworking the key formats and derivation methods (see the open issue in #177), I have noticed a long-term anomaly in the specification. HMAC keys describe being truncated on import, based on the block size of the associated hash algorithm. See
PSA_KEY_TYPE_HMAC
, and also the entry for HMAC keys in Key formats.The latter is written as if the HMAC key is parameterised:
This is clearly wrong. Only the HMAC algorithm is parameterised.