Closed 5Anfoussa closed 9 months ago
Hi,
I am not a member of the team, but I do see that CKM_AES_CMAC is defined. The key size is not a parameter. See https://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.4,0/pkcs11-curr-v2.40.html, look for CKM_AES_CMAC_GENERAL and CKM_AES_CMAC.
Best Regards,
Jonathan Rosenne, https://www.qsm.co.il/
From: 5Anfoussa
Sent: Thursday, December 21, 2023 5:01 PM
To: ThalesGroup/pycryptoki
Cc: Subscribed
Subject: [ThalesGroup/pycryptoki] AES_CMAC (Issue #45)
Hi,
I am working on a new project and I am using CMAC AES-128. I wanted to use pycryptoki lib. I didn't find any indication. Can I have any help please?
Thank you in advance.
Hi Jonathan,
Thank you for your reply. Do you have any examples, please? Actually, I am working to use AES CMAC and AES ECB. I am a beginner at development.
Best regards
AES keys are AES keys - you don't need to generate an AES_CMAC key. You would just generate an AES key.
The examples from the docs show how to encrypt using AES_CBC_PAD: https://pycryptoki.readthedocs.io/en/latest/examples.html#encrypting-data-with-aes-cbc-pad.
Using a different AES mechanism is pretty straightforward too - swap out CKM_AES_CBC_PAD -> CKM_AES_ECB (highly recommend not using ECB in general though).
CMAC is slightly different, in that you would create the mechanism, set the mech code = CKM_AES_CMAC, and the parameters would be a pointer to CK_MAC_GENERAL_PARAMS. I'll reply again with a more detailed example here shortly.
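```python
from ctypes import cast, pointer, c_void_p, sizeof
from pycryptoki.cryptoki import CK_MECHANISM, CK_MAC_GENERAL_PARAMS, CK_ULONG
from pycryptoki.defines import CKM_AES_CMAC
from pycryptoki.sign_verify import c_sign_ex

mech = CK_MECHANISM()
mech.mechanism = CKM_AES_CMAC
mech_params = CK_MAC_GENERAL_PARAMS()  # still needs to be set, see the note below
mech.pParameter = cast(pointer(mech_params), c_void_p)
mech.usParameterLen = CK_ULONG(sizeof(CK_MAC_GENERAL_PARAMS))
c_sign_ex(session, aes_key_handle, data_to_sign, mech)
```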
Your MAC_GENERAL_PARAMS would need to be set as per the P11 spec ( holds the length of the MAC).
CKM_AES_CMAC is supported for sign and verify, not for encrypt.
Best Regards,
Jonathan Rosenne
From: Ashley C Straw
Sent: Tuesday, January 2, 2024 6:17 PM
To: ThalesGroup/pycryptoki
Cc: Jonathan Rosenne; Comment
Subject: Re: [ThalesGroup/pycryptoki] AES_CMAC (Issue #45)
```python
mech = CK_MECHANISM()
mech.mechanism = CKM_AES_CMAC
mech_params = CK_MAC_GENERAL_PARAMS()
mech.pParameter = cast(pointer(mech_params), c_void_p)
mech.usParameterLen = CK_ULONG(sizeof(CK_MAC_GENERAL_PARAMS))
c_encrypt_ex(session, aes_key_handle, data_to_encrypt, mech)
```
Your MAC_GENERAL_PARAMS would need to be set as per the P11 spec ( holds the length of the MAC).
Thanks @rosennej ! I completely glossed over that when browsing the specs. Updated the example.
Thank you guys for these precisions. @rosennej, from my understanding any type of key could be used for encryption, signing or verification, so what do you mean by "CKM_AES_CMAC is supported for sign and verify, not for encrypt", please? And where can I find the P11 spec?
The version relevant to CMAC is https://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.html
The V2.20 supported by most vendors is https://www.cryptsoft.com/pkcs11doc/STANDARD/pkcs-11v2-20.pdf
Best Regards,
Jonathan Rosenne
Sorry again. For AES_ECB, should we use data as params (mechanism = Mechanism(mech_type=CKM_AES_ECB,params={"data": data}))? Should data be a list or another type? Or should we use the same params as AES_CBC_PAD (@astraw38)?
AES_ECB has no parameters. The data you want to encrypt or decrypt should be passed into the c_encrypt/c_decrypt call, as seen in the example in the docs linked above.
On Wed, Jan 3, 2024, 9:26 AM 5Anfoussa wrote:
Sorry again. For AES_ECB, should we use data as params (mechanism = Mechanism(mech_type=CKM_AES_ECB,params={"data": data}))? Should data be a list or another type? Or should we use the same params as AES_CBC_PAD (@astraw38 https://github.com/astraw38)?
Hi again,
I have a question about the use of this library. Manual installation by setup.py is deprecated in 3.x, because the old setup tool has some vulnerability + bug that can't be patched.
We have another way of installing:
download the Built Distribution instead (wheel file, .whl extension) and use pip install with the .whl link to a local folder
pip install --no-index --find-links=
I've not done a manual python setup.py install in years -- are you not using pip install here? Wheel-jacking is usually for things publicly hosted on pypi, so I'm not sure of the impact here. You can build a wheel directly from source and install it that way too if you want (it's what we do internally).
Even a pip install git+https://github.com/ThalesGroup/pycryptoki.git should work
No, I am not using pip install because I cannot have an internet connection, so I am doing it manually. So packages from pypi are not trustworthy?
A pip install, of the directory, the git dir (however you get it), or a wheel created via pip all would work. And I didn't say that pypi was untrustworthy, just that your complaint is only valid for pypi.
I tried with pip install but it needs many dependencies. As I told you, I don't have an internet connection, so I have to install all dependencies manually, mostly from pypi. That is why I asked you how to ensure that sources are trustworthy or not.
That's more of a general question for getting dependencies from pypi, and not applicable to this project.
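On the offline-install question above, one way to check that the files copied into the local folder are the ones that were pinned on the connected machine. This is an added example, not code from the thread or from pycryptoki; the file names, contents and requirement lines are constructed, and the pins use pip's `--hash=sha256:` requirements syntax.

```python
import hashlib
import re
import tempfile
from pathlib import Path

HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")

def sha256_file(path):
    """Return the SHA-256 hex digest of a downloaded archive."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def pinned_hashes(requirements_text):
    """Map each pinned digest to its requirement (pip hash-checking syntax)."""
    pins = {}
    # Join backslash-continued lines so each requirement is one logical line.
    for line in requirements_text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            for digest in HASH_RE.findall(line):
                pins[digest] = line.split()[0]
    return pins

def audit_wheelhouse(wheelhouse, requirements_text):
    """Compare every archive in the local folder against the pinned digests."""
    pins = pinned_hashes(requirements_text)
    report = {"ok": [], "unpinned": [], "missing": []}
    matched = set()
    for path in sorted(Path(wheelhouse).iterdir()):
        if path.suffix in (".whl", ".gz", ".zip"):
            digest = sha256_file(path)
            if digest in pins:
                report["ok"].append(path.name)
                matched.add(pins[digest])
            else:
                report["unpinned"].append(path.name)  # unknown or altered file
    # Requirements for which no file in the folder matched any pinned digest.
    report["missing"] = sorted(set(pins.values()) - matched)
    return report

def demo():
    """Constructed sample: two fake 'wheels', one altered after pinning."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp, "alpha-1.0-py3-none-any.whl")
        bad = Path(tmp, "beta-2.0-py3-none-any.whl")
        good.write_bytes(b"constructed wheel alpha")
        bad.write_bytes(b"constructed wheel beta")
        reqs = (f"alpha==1.0 \\\n    --hash=sha256:{sha256_file(good)}\n"
                f"beta==2.0 --hash=sha256:{sha256_file(bad)}\n")
        bad.write_bytes(b"constructed wheel beta, altered after pinning")
        return audit_wheelhouse(tmp, reqs)
```

pip enforces the same pins at install time when `--require-hashes` is added to a `--no-index --find-links=<folder>` install from a requirements file. A matching digest shows the file is the one that was pinned; it says nothing about whether that release is benign.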