tpm2-pkcs11
Support importing HMAC keys
FR to support importing an HMAC key and using it via PKCS11. E.g., with SoftHSM, I'd define something like the following to import an external HMAC key:

```go
// Assumes p is an initialised *pkcs11.Ctx (github.com/miekg/pkcs11),
// session is an open, logged-in session handle and id is a []byte CKA_ID.
hmacKeyTemplate := []*pkcs11.Attribute{
	pkcs11.NewAttribute(pkcs11.CKA_CLASS, pkcs11.CKO_SECRET_KEY),
	pkcs11.NewAttribute(pkcs11.CKA_KEY_TYPE, pkcs11.CKK_SHA256_HMAC),
	pkcs11.NewAttribute(pkcs11.CKA_SIGN, true),
	pkcs11.NewAttribute(pkcs11.CKA_VERIFY, true),
	pkcs11.NewAttribute(pkcs11.CKA_ENCRYPT, false),
	pkcs11.NewAttribute(pkcs11.CKA_DECRYPT, false),
	pkcs11.NewAttribute(pkcs11.CKA_WRAP, false),
	pkcs11.NewAttribute(pkcs11.CKA_UNWRAP, false),
	pkcs11.NewAttribute(pkcs11.CKA_TOKEN, true),
	pkcs11.NewAttribute(pkcs11.CKA_PRIVATE, true),
	pkcs11.NewAttribute(pkcs11.CKA_EXTRACTABLE, false), // we do not need to extract this
	pkcs11.NewAttribute(pkcs11.CKA_SENSITIVE, true),
	pkcs11.NewAttribute(pkcs11.CKA_VALUE, []byte("change this password to a secret")), // make([]byte, 32)), /* KeyLength */
	pkcs11.NewAttribute(pkcs11.CKA_LABEL, "HMACKey"), /* Name of Key */
	pkcs11.NewAttribute(pkcs11.CKA_ID, id),
}
hmacKey, err := p.CreateObject(session, hmacKeyTemplate)
if err != nil {
	panic(fmt.Sprintf("CreateObject() failed %s\n", err))
}
```
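As an added example (not code from the issue or from tpm2-pkcs11): the software side of the check a practitioner would run right after importing the key through `C_CreateObject`. It generates proper key material for a `CKK_SHA256_HMAC` object (32 random bytes rather than a passphrase), computes the reference HMAC-SHA256 with Go's standard library, and compares it in constant time against whatever the token returned from `C_Sign` with `CKM_SHA256_HMAC`. The token call itself is not included because it needs a loaded PKCS#11 module; `tokenMAC` is passed in as a parameter, and in `main` the RFC 4231 test vector stands in for it. Once the comparison passes, the software copy of the key should be discarded.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// NewHMACKey returns fresh key material suitable for CKA_VALUE of a
// CKK_SHA256_HMAC object: 32 uniformly random bytes, the SHA-256 output
// size. A human-readable string like "change this password to a secret"
// has far less entropy than its length suggests and should not be used.
func NewHMACKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, fmt.Errorf("generating HMAC key: %w", err)
	}
	return key, nil
}

// ReferenceMAC computes HMAC-SHA256(key, msg), which is exactly what a
// correctly imported key must produce from C_Sign with CKM_SHA256_HMAC.
func ReferenceMAC(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// CheckImportedKey reports whether tokenMAC (the output of C_Sign on the
// imported object) matches the software reference for the same key and
// message. hmac.Equal avoids leaking the mismatch position via timing.
func CheckImportedKey(key, msg, tokenMAC []byte) bool {
	return hmac.Equal(ReferenceMAC(key, msg), tokenMAC)
}

func main() {
	// Constructed input: RFC 4231 test case 1 plays the role of the
	// key that was imported and the MAC the token handed back.
	key := bytes.Repeat([]byte{0x0b}, 20)
	msg := []byte("Hi There")
	tokenMAC, _ := hex.DecodeString(
		"b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7")

	fmt.Printf("reference MAC: %x\n", ReferenceMAC(key, msg))
	fmt.Println("token output matches reference:", CheckImportedKey(key, msg, tokenMAC))

	// A different key must never verify against that MAC.
	other, err := NewHMACKey()
	if err != nil {
		panic(err)
	}
	fmt.Println("fresh random key matches reference:", CheckImportedKey(other, msg, tokenMAC))
}
```

If the comparison fails on a real token, the usual causes are the wrong `CKA_KEY_TYPE` for the mechanism, a truncated or re-encoded `CKA_VALUE`, or a token that applies its own key-derivation step on import; none of these are visible from the handle alone, which is why the cross-check is worth doing before the raw key is destroyed.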
depends on https://github.com/tpm2-software/tpm2-tools/issues/1597
With some recent commits on master and PR #715 you can add a TPM-generated HMAC key or import an existing HMAC key. You can even use tpm2-tools and link it in.
The one thing not supported yet is doing it through PKCS11, so for now I'll leave this open until that part is complete.