aws-samples / aws-cloudhsm-pkcs11-examples

Sample applications demonstrating how to use the CloudHSM PKCS#11 library

hmac_kdf is supported in the example, but the AWS CloudHSM does not support HMAC KDF. #48

Open gweconsulting opened 3 years ago

gweconsulting commented 3 years ago

From this link (https://docs.aws.amazon.com/cloudhsm/latest/userguide/pkcs11-mechanisms.html), only CKM_ECDH1_DERIVE is supported, and hmac_kdf is not supported. However, there is example code for HMAC KDF. After running src/derivation/hmac_kdf --pin userName:password, the handles for the base AES key and the derived AES key are returned, but they cannot be found in the AWS CloudHSM using the KMU command findKey. How can the HMAC KDF be made to work in this case?

hanzx227 commented 3 years ago

From the supported mechanism list, you should be able to find CKM_SP800_108_COUNTER_KDF for hmac_kdf.

Both the base AES key and the derived AES key are session keys, which means that they will be deleted from the HSM after the session is closed, in this case, after the program has finished executing.

You can either update the sample to do a find_object after the derivation, or change the keys to be token keys. But you need to clean up the token keys properly with either C_DeleteObject or KMU.
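Added example, not code from the aws-samples repository: a software implementation of the counter-mode KDF that CKM_SP800_108_COUNTER_KDF names, with HMAC-SHA256 as the PRF and the NIST SP 800-108 fixed-input layout (Label || 0x00 || Context || [L]_2), so you can check what a derivation from a given base key should produce. The base key, label and context values are constructed for the demonstration.

```python
import hashlib
import hmac
import struct


def sp800_108_counter_kdf(ki: bytes, label: bytes, context: bytes,
                          length: int, hash_name: str = "sha256") -> bytes:
    """NIST SP 800-108 KDF, counter mode, HMAC as the PRF.

    Block i (i = 1, 2, ...) is
        PRF(KI, [i]_2 || Label || 0x00 || Context || [L]_2)
    with [i]_2 a 32-bit big-endian counter and [L]_2 the requested output
    length in bits, also 32-bit big-endian. The output is the concatenation
    of the blocks, truncated to `length` bytes.
    """
    if length <= 0:
        raise ValueError("length must be positive")
    h_len = hashlib.new(hash_name).digest_size
    n_blocks = -(-length // h_len)  # ceiling division
    if n_blocks > 0xFFFFFFFF:
        raise ValueError("output too long for a 32-bit counter")
    # The fixed input binds the derived key to its purpose (label),
    # the parties or context, and the requested length L.
    fixed = label + b"\x00" + context + struct.pack(">I", length * 8)
    out = bytearray()
    for i in range(1, n_blocks + 1):
        out += hmac.new(ki, struct.pack(">I", i) + fixed, hash_name).digest()
    return bytes(out[:length])


def derive_aes256_key(base_key: bytes, label: bytes, context: bytes) -> bytes:
    """Derive a 256-bit (32-byte) AES key from a base key."""
    return sp800_108_counter_kdf(base_key, label, context, 32)


# Constructed sample inputs (not values from the HSM or the repository).
BASE_KEY = bytes(range(32))
LABEL = b"aws-cloudhsm-example"
CONTEXT = b"session-2024-01-01"

if __name__ == "__main__":
    print(derive_aes256_key(BASE_KEY, LABEL, CONTEXT).hex())
```

Because L is part of the fixed input, requesting a longer output changes every block rather than extending the shorter result, which the test below checks.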