PeculiarVentures / graphene

A simple layer for interacting with PKCS #11 / PKCS11 / CryptoKI for Node in TypeScript. (Keywords: Javascript, PKCS#11, Crypto, Smart Card, HSM)
MIT License

HMAC key #119

Closed ToufeeqP closed 5 years ago

ToufeeqP commented 5 years ago

Hi, I am trying to compute the hmac of data with some other text as key, but I can't get the interface to use text as a key.

microshine commented 5 years ago

@ToufeeqP Can you share the code you are using to do that?

Take a look at the node-webcrypto-p11 module, which implements the WebCrypto API and supports HMAC.

ToufeeqP commented 5 years ago

Thanks for the quick response @microshine. I am trying to perform HMAC-SHA512(Key = "Bitcoin seed", Data = "SOme data"). But in graphene I can do that via the createSign() function, which takes a key, and I want to use the text "Bitcoin seed" as the key. I tried using node-webcrypto-p11, but was facing some other issues while performing an ECDSA operation.

So far, graphene is helpful so I want to continue with it.

Thanks.

microshine commented 5 years ago

HMAC example

```ts
import * as pkcs11 from "pkcs11js";
import * as graphene from "graphene-pk11";

// NSS softoken PKCS#11 library, opened without certificate or module databases
const lib = "/usr/local/opt/nss/lib/libsoftokn3.dylib";
const initOptions: pkcs11.InitializationOptions =  {
  libraryParameters: "`configdir='' certPrefix='' keyPrefix='' secmod='' flags=readOnly,noCertDB,noModDB,forceOpen,optimizeSpace`",
};
const slotId = 0;

async function main() {

  const nss = graphene.Module.load(lib);
  nss.initialize(initOptions);

  try {
    const slot = nss.getSlots(slotId);
    const session = slot.open(graphene.SessionFlag.SERIAL_SESSION);

    // Import the text as a generic secret key object usable for sign/verify
    const hmacKey = session.create({
      class: graphene.ObjectClass.SECRET_KEY,
      keyType: graphene.KeyType.GENERIC_SECRET,
      label: `HMAC`,
      sign: true,
      verify: true,
      value: Buffer.from("Bitcoin seed"),
    }).toType<graphene.SecretKey>();

    // HMAC-SHA512 is exposed as a signing mechanism
    const signer = session.createSign({ name: "SHA512_HMAC", params: null }, hmacKey);
    const signature = signer.once("SOme data");

    console.log("Signature:", signature.toString("hex"));
  } finally {
    // Always release the PKCS#11 library
    nss.finalize();
  }
}

main()
  .catch((e) => console.error(e));
```

Output

```
Signature: d27266a3a164414920fbd20e20337041405304cc5195108e02a74ac6283eb37bc355185d740bcfbd900b7b9800d478984d52c0fccbdcaabbef647dfb3b75fc57
```

ToufeeqP commented 5 years ago

Hi @microshine, I need to execute the code in a Node.js environment. When I try to run the following code:

```js
var graphene = require("graphene-pk11");
var Module = graphene.Module;

console.log('Initializing HSM...');
mod = Module.load("/Users/pasha/Desktop/hsm_test/SoftHSMv2/src/lib/.libs/libsofthsm2.so", "SoftHSM");
mod.initialize();
var session = mod.getSlots(0).open(graphene.SessionFlag.SERIAL_SESSION); // Read only session

session.login("password");
console.log('HSM initializiation complete.');

// Creating HMAC
const hmacKey = session.create({
  class: graphene.ObjectClass.SECRET_KEY,
  keyType: graphene.KeyType.GENERIC_SECRET,
  label: `HMAC`,
  sign: true,
  verify: true,
  value: Buffer.from("Bitcoin seed")
}).toType();
console.log("Signing...");
const signer = session.createSign({ name: "SHA512_HMAC", params: null }, hmacKey);
const signature = signer.once("data");
console.log("Signature:", signature.toString("hex"));
```

I am getting a CKR_KEY_SIZE_RANGE:98 error:

```
this.lib.C_SignInit(this.session.handle, pMech, key.handle);
         ^
Error: CKR_KEY_SIZE_RANGE:98
    at Error (native) crypto_init:566
```

microshine commented 5 years ago

SoftHSM requires a minimum size for the HMAC key, which depends on the hash mechanism.

https://github.com/opendnssec/SoftHSMv2/blob/develop/src/lib/SoftHSM.cpp#L3827

For a SHA512 HMAC key you need to use a minimum of 64 bytes. This is why I created an example based on the NSS PKCS#11 lib.
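As an added example (not code from this thread or from the graphene project): HMAC zero-pads any key shorter than the hash block size (RFC 2104), so a short key padded with zero bytes up to a token's minimum length produces the same MAC. The sketch below checks that with Node's built-in `crypto` module instead of a PKCS#11 token, using the key, data and 64-byte minimum quoted above. The helper names `padHmacKey` and `hmacHex` are hypothetical, and whether a given token accepts the padded value is an assumption not tested here.

```javascript
const crypto = require("crypto");

// HMAC block sizes in bytes (RFC 2104 "B") for the hashes handled here.
const BLOCK_BYTES = { sha256: 64, sha512: 128 };

// Software HMAC used as the reference result.
function hmacHex(hash, key, data) {
  return crypto.createHmac(hash, key).update(data).digest("hex");
}

// Zero-pad `key` on the right up to `minBytes` so that a token enforcing a
// minimum key length can import it. HMAC itself zero-pads keys shorter than
// the block size, so the padded key yields the same MAC as the original.
function padHmacKey(key, minBytes, hash) {
  const block = BLOCK_BYTES[hash];
  if (block === undefined) throw new Error(`unknown hash: ${hash}`);
  if (key.length >= minBytes) return Buffer.from(key); // already long enough
  if (minBytes > block) {
    // A key longer than the block size is hashed first, which changes the
    // MAC, so refuse instead of silently returning a non-equivalent key.
    throw new Error(`minimum ${minBytes} exceeds ${hash} block size ${block}`);
  }
  const padded = Buffer.alloc(minBytes); // zero-filled
  Buffer.from(key).copy(padded);
  return padded;
}

// Values from the thread: key "Bitcoin seed", data "SOme data", and the
// 64-byte minimum quoted for a SHA512 HMAC key on SoftHSM.
const key = Buffer.from("Bitcoin seed");
const padded = padHmacKey(key, 64, "sha512");
const original = hmacHex("sha512", key, "SOme data");
const viaPadded = hmacHex("sha512", padded, "SOme data");

console.log("padded key length:", padded.length);
console.log("same MAC:", original === viaPadded);
```

The padded buffer would take the place of `Buffer.from("Bitcoin seed")` in the `value` attribute passed to `session.create()`. Zero-padded variants of a key are equivalent keys under HMAC, so the padding satisfies a length check without adding any strength to a short key.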