Closed ubushan closed 2 years ago
I don't know what you call GOST-2012.
What is the exact PKCS#11 name for that mechanism? It should be something like CKM_GOSTRxyz
Could it be one of the CKR_VENDOR_DEFINED_xxx
values?
@LudovicRousseau Thanks for the quick response.
What is the exact PKCS#11 name for that mechanism? It should be something like CKM_GOSTRxyz
Something like that "GOSTR3410-2012"
Could it be one of the CKR_VENDOR_DEFINED_xxx values?
Yeah, I think so too, but which of CKR_VENDOR_DEFINED is "GOSTR3410-2012"?
Thanks.
If you can find the PKCS#11 specification that defines GOSTR3410-2012 then I will add support for it.
Hi, new GOST in PKCS11 specification published only in russian. I can post link on it if you need. There are constant defines that your looking at.
#define NSSCK_VENDOR_PKCS11_RU_TEAM 0xD4321000 /* 0x80000000 | 0x54321000 */
#define CK_VENDOR_PKCS11_RU_TEAM_TC26 NSSCK_VENDOR_PKCS11_RU_TEAM
/* GOST KEY TYPES */
#define CKK_GOSTR3410_256 CKK_GOSTR3410
#define CKK_GOSTR3410_512 (CK_VENDOR_PKCS11_RU_TEAM_TC26 |0x003)
#define CKK_KUZNECHIK (CK_VENDOR_PKCS11_RU_TEAM_TC26 |0x004)
/* GOST OBJECT ATTRIBUTES */
#define CKA_GOSTR3410_256PARAMS CKA_GOSTR3410PARAMS
/* PKCS #5 PRF Functions */
#define CKP_PKCS5_PBKD2_HMAC_GOSTR3411_2012_512 (CK_VENDOR_PKCS11_RU_TEAM_TC26 |0x003)
/* GOST MECHANISMS */
#define CKM_GOSTR3410_256_KEY_PAIR_GEN CKM_GOSTR3410_KEY_PAIR_GEN
#define CKM_GOSTR3410_512_KEY_PAIR_GEN (CK_VENDOR_PKCS11_RU_TEAM_TC26 |0x005)
#define CKM_GOSTR3410_256 CKM_GOSTR3410
#define CKM_GOSTR3410_512 (CK_VENDOR_PKCS11_RU_TEAM_TC26 |0x006)
#define CKM_GOSTR3410_2012_DERIVE (CK_VENDOR_PKCS11_RU_TEAM_TC26 |0x007)
#define CKM_GOSTR3410_12_DERIVE CKM_GOSTR3410_2012_DERIVE
#define CKM_GOSTR3410_WITH_GOSTR3411_94 CKM_GOSTR3410_WITH_GOSTR3411
#define CKM_GOSTR3410_WITH_GOSTR3411_2012_256 (CK_VENDOR_PKCS11_RU_TEAM_TC26 |0x008)
#define CKM_GOSTR3410_WITH_GOSTR3411_2012_512 (CK_VENDOR_PKCS11_RU_TEAM_TC26 |0x009)
#define CKM_GOSTR3410_WITH_GOSTR3411_12_256 CKM_GOSTR3410_WITH_GOSTR3411_2012_256
#define CKM_GOSTR3410_WITH_GOSTR3411_12_512 CKM_GOSTR3410_WITH_GOSTR3411_2012_512
#define CKM_GOSTR3410_PUBLIC_KEY_DERIVE (CK_VENDOR_PKCS11_RU_TEAM_TC26 |0x00A)
#define CKM_GOSTR3411_94 CKM_GOSTR3411
#define CKM_GOSTR3411_2012_256 (CK_VENDOR_PKCS11_RU_TEAM_TC26 |0x012)
#define CKM_GOSTR3411_2012_512 (CK_VENDOR_PKCS11_RU_TEAM_TC26 |0x013)
#define CKM_GOSTR3411_12_256 CKM_GOSTR3411_2012_256
#define CKM_GOSTR3411_12_512 CKM_GOSTR3411_2012_512
#define CKM_GOSTR3411_94_HMAC CKM_GOSTR3411_HMAC
#define CKM_GOSTR3411_2012_256_HMAC (CK_VENDOR_PKCS11_RU_TEAM_TC26 |0x014)
#define CKM_GOSTR3411_2012_512_HMAC (CK_VENDOR_PKCS11_RU_TEAM_TC26 |0x015)
#define CKM_GOSTR3411_12_256_HMAC CKM_GOSTR3411_2012_256_HMAC
#define CKM_GOSTR3411_12_512_HMAC CKM_GOSTR3411_2012_512_HMAC
#define CKM_TLS_GOST_PRF_2012_256 (CK_VENDOR_PKCS11_RU_TEAM_TC26 |0x016)
#define CKM_TLS_GOST_PRF_2012_512 (CK_VENDOR_PKCS11_RU_TEAM_TC26 |0x017)
#define CKM_TLS_GOST_PRE_MASTER_KEY_GEN CKM_GOST28147_KEY_GEN
#define CKM_TLS_GOST_MASTER_KEY_DERIVE_2012_256 (CK_VENDOR_PKCS11_RU_TEAM_TC26 |0x018)
#define CKM_KUZNECHIK_KEY_GEN (CK_VENDOR_PKCS11_RU_TEAM_TC26 |0x019)
#define CKM_KUZNECHIK_ECB (CK_VENDOR_PKCS11_RU_TEAM_TC26 |0x01A)
#define CKM_KUZNECHIK_CTR (CK_VENDOR_PKCS11_RU_TEAM_TC26 |0x01B)
#define CKM_KUZNECHIK_CFB (CK_VENDOR_PKCS11_RU_TEAM_TC26 |0x01C)
#define CKM_KUZNECHIK_OFB (CK_VENDOR_PKCS11_RU_TEAM_TC26 |0x01D)
#define CKM_KUZNECHIK_CBC (CK_VENDOR_PKCS11_RU_TEAM_TC26 |0x01E)
#define CKM_KUZNECHIK_MAC (CK_VENDOR_PKCS11_RU_TEAM_TC26 |0x01F)
#define CKM_MAGMA_ECB CKM_GOST28147_ECB
#define CKM_MAGMA_CTR (CK_VENDOR_PKCS11_RU_TEAM_TC26 |0x020)
#define CKM_MAGMA_CFB (CK_VENDOR_PKCS11_RU_TEAM_TC26 |0x021)
#define CKM_MAGMA_OFB (CK_VENDOR_PKCS11_RU_TEAM_TC26 |0x022)
#define CKM_MAGMA_CBC (CK_VENDOR_PKCS11_RU_TEAM_TC26 |0x023)
#define CKM_MAGMA_MAC (CK_VENDOR_PKCS11_RU_TEAM_TC26 |0x024)
#define CKM_KDF_4357 (CK_VENDOR_PKCS11_RU_TEAM_TC26 |0x025)
#define CKM_KDF_GOSTR3411_2012_256 (CK_VENDOR_PKCS11_RU_TEAM_TC26 |0x026)
Document in russian. http://wwwold.tc26.ru/methods/project/v6.P11_RusExt_12.pdf
These tags are in the range of CKM_VENDOR_DEFINED
values. I imagine the "real" values in the PKCS#11 standard will be different.
I use this algos via PyKCS11, and use, for example, CKR_VENDOR_DEFINED_54321012 for GOSTR3411_2012_256 hash.
Looks like I found technical details.
Specs:
Other implementations:
Thanks for the links @eugene-bright. What I need is the PKCS#11 (not GOST) specification with the constants names and values for the GOST algorithms.
Ok. Does this OASIS spec looks like that you are looking for?
Ctrl+F for 2.45 GOST R 34.10-2001
.
Can't find anything fresh for year 2012 version. Would dump of exported symbols of proprietary library that implement standard be sufficient?
@eugene-bright yes, I am looking for something like this
This specification does not define CKK_GOSTR3410_256
or CKM_GOSTR3410_256_KEY_PAIR_GEN
or CKM_GOSTR3411_94
as listed by @nekolyanich.
The problem reported by @ubushan is that his PKCS#11 library reports values that are NOT defined in an Oasis standard (that is why PyKCS11 uses CKR_VENDOR_DEFINED_*
)
CKR_VENDOR_DEFINED_
values in PyKCS11.CKR_VENDOR_DEFINED_
valuesConclusion: I don't see a solution to that conflict
What I can propose you is to create a PyKCS11_GOST.py
file with the constant names and functions you want in order to extend PyKCS11 with GOST support.
I'm new for this area. Thanks to this communication with you I've realized that there is major lacking of standards for PKCS11 for GOST family crypto. And now I'm more enlightened. Thanks for your clarifications.
@siyavashi Still not a PKCS#11 standard. It does not really help.
What I do is I just at the start of my program I add vendor constants to the PyKCS11.CKR
/PyKCS11.CKM
tables depending on the token I am using.
If you read Russian https://habr.com/ru/post/549198/
The latest working link to the TC26 document is as follows:
Unfortunately, it seems that it still didn't make it into the OASIS standard.
It's completely irrelevant now https://youtu.be/rS3QSDXh9Ic
Hello there! When I call function C_GetMechanismList (from your example) I can't find there algorithm GOST-2012 in this the list. My token supports algorithm GOST-2012. This algorithm GOST-2012 is not supported? Will there be support in the near future? Or am I doing anything wrong?
Thanks!
Mechanism list: ['CKM_RSA_PKCS_KEY_PAIR_GEN', 'CKM_RSA_PKCS', 'CKM_RSA_PKCS_OAEP', 'CKM_MD5', 'CKM_SHA_1', 'CKM_GOSTR3410_KEY_PAIR_GEN', 'CKM_GOSTR3410', 'CKM_GOSTR3410_DERIVE', 'CKR_VENDOR_DEFINED_54321005', 'CKR_VENDOR_DEFINED_54321006', 'CKR_VENDOR_DEFINED_54321007', 'CKM_GOSTR3411', 'CKR_VENDOR_DEFINED_54321012', 'CKR_VENDOR_DEFINED_54321013', 'CKM_GOSTR3410_WITH_GOSTR3411', 'CKR_VENDOR_DEFINED_54321008', 'CKR_VENDOR_DEFINED_54321009', 'CKM_GOST28147_KEY_WRAP', 'CKM_GOST28147_ECB', 'CKM_GOST28147', 'CKM_GOST28147_KEY_GEN', 'CKM_GOST28147_MAC']