Add more setters for EcKdf.

nwalfield · nwalfield · commit fb1efbc04a39 · 2025-06-30T12:12:56.000+02:00
Adds setters for the ANSI X9.63 KDFs (`EcKdf::sha1`, etc) and the NIST SP800-56A KDFs (`EcKdf::sha1_sp800`) to `EcKdf`. Fixes `EcKdf::sha256`. Fixes #281. Signed-off-by: Neal H. Walfield <neal@sequoia-pgp.org>
diff --git a/cryptoki/src/mechanism/elliptic_curve.rs b/cryptoki/src/mechanism/elliptic_curve.rs
@@ -82,7 +82,45 @@ pub struct EcKdf<'a> {
     shared_data: Option<&'a [u8]>,
 }
 
-impl EcKdf<'_> {
+macro_rules! ansi {
+    { $func_name: ident, $algo: ident, $algo_name: literal } => {
+        #[doc = "The key derivation function based on "]
+        #[doc = $algo_name]
+        #[doc = " as defined in the ANSI X9.63 standard. The
+                 derived key is produced by concatenating hashes of
+                 the shared value followed by 00000001, 00000002,
+                 etc. until we find enough bytes to fill the
+                 `CKA_VALUE_LEN` of the derived key."]
+        pub fn $func_name(shared_data: &'a [u8]) -> Self {
+            Self {
+                kdf_type: $algo,
+                shared_data: Some(shared_data),
+            }
+        }
+    }
+}
+
+macro_rules! sp800 {
+    { $func_name: ident, $algo: ident, $algo_name: literal } => {
+        #[doc = "The key derivation function based on "]
+        #[doc = $algo_name]
+        #[doc = " as defined in the [NIST SP800-56A standard, revision
+                 2](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar2.pdf),
+                 section 5.8.1.1. The derived key is produced by
+                 concatenating hashes of 00000001, 00000002,
+                 etc. followed by the shared value until we find
+                 enough bytes to fill the `CKA_VALUE_LEN` of the
+                 derived key."]
+        pub fn $func_name(shared_data: &'a [u8]) -> Self {
+            Self {
+                kdf_type: $algo,
+                shared_data: Some(shared_data),
+            }
+        }
+    }
+}
+
+impl<'a> EcKdf<'a> {
     /// The null transformation. The derived key value is produced by
     /// taking bytes from the left of the agreed value. The new key
     /// size is limited to the size of the agreed value.
@@ -93,16 +131,25 @@ impl EcKdf<'_> {
         }
     }
 
-    /// The key derivation function based on sha256 as defined in the ANSI X9.63 standard. The
-    /// derived key is produced by concatenating hashes of the shared
-    /// value followed by 00000001, 00000002, etc. until we find
-    /// enough bytes to fill the `CKA_VALUE_LEN` of the derived key.
-    pub fn sha256() -> Self {
-        Self {
-            kdf_type: CKD_SHA256_KDF,
-            shared_data: None,
-        }
-    }
+    ansi!(sha1, CKD_SHA1_KDF, "SHA1");
+    ansi!(sha224, CKD_SHA224_KDF, "SHA224");
+    ansi!(sha256, CKD_SHA256_KDF, "SHA256");
+    ansi!(sha384, CKD_SHA384_KDF, "SHA384");
+    ansi!(sha512, CKD_SHA512_KDF, "SHA512");
+    ansi!(sha3_224, CKD_SHA3_224_KDF, "SHA3_224");
+    ansi!(sha3_256, CKD_SHA3_256_KDF, "SHA3_256");
+    ansi!(sha3_384, CKD_SHA3_384_KDF, "SHA3_384");
+    ansi!(sha3_512, CKD_SHA3_512_KDF, "SHA3_512");
+
+    sp800!(sha1_sp800, CKD_SHA1_KDF_SP800, "SHA1");
+    sp800!(sha224_sp800, CKD_SHA224_KDF_SP800, "SHA224");
+    sp800!(sha256_sp800, CKD_SHA256_KDF_SP800, "SHA256");
+    sp800!(sha384_sp800, CKD_SHA384_KDF_SP800, "SHA384");
+    sp800!(sha512_sp800, CKD_SHA512_KDF_SP800, "SHA512");
+    sp800!(sha3_224_sp800, CKD_SHA3_224_KDF_SP800, "SHA3_224");
+    sp800!(sha3_256_sp800, CKD_SHA3_256_KDF_SP800, "SHA3_256");
+    sp800!(sha3_384_sp800, CKD_SHA3_384_KDF_SP800, "SHA3_384");
+    sp800!(sha3_512_sp800, CKD_SHA3_512_KDF_SP800, "SHA3_512");
 
     // The intention here is to be able to support other methods with
     // shared data, without it being a breaking change, by just adding
diff --git a/cryptoki/tests/basic.rs b/cryptoki/tests/basic.rs
@@ -2,7 +2,7 @@
 // SPDX-License-Identifier: Apache-2.0
 mod common;
 
-use crate::common::{get_pkcs11, is_softhsm, SO_PIN, USER_PIN};
+use crate::common::{get_firmware_version, get_pkcs11, is_kryoptic, is_softhsm, SO_PIN, USER_PIN};
 use common::init_pins;
 use cryptoki::context::Function;
 use cryptoki::error::{Error, RvError};
@@ -687,6 +687,94 @@ fn derive_key() -> TestResult {
     Ok(())
 }
 
+#[test]
+#[serial]
+fn derive_key_sp800() -> TestResult {
+    if is_softhsm() {
+        return Ok(());
+    }
+
+    use cryptoki::mechanism::elliptic_curve::*;
+
+    let (pkcs11, slot) = init_pins();
+
+    if is_kryoptic() {
+        let (major, minor) = get_firmware_version(&pkcs11, slot);
+        // Kryoptic added support for sha256_sp800 in version 1.3.
+        if !(major > 1 || minor >= 3) {
+            eprintln!(
+                "Skipping test: Kryoptic is too old (need 1.3, got {}.{})",
+                major, minor
+            );
+            return Ok(());
+        }
+    }
+
+    // open a session
+    let session = pkcs11.open_rw_session(slot)?;
+
+    // log in the session
+    session.login(UserType::User, Some(&AuthPin::new(USER_PIN.into())))?;
+
+    // sha256_sp800
+    let key = hex::decode("F00670C5F139E7E6C2511EA04FF507AFBBE237CE3C71A89CA59A1C5CF8856562")
+        .expect("valid hex");
+    let ephemeral_key =
+        hex::decode("533B3F09E53B3DEED661A13F7A7D9694AB71CE156C728E00DEE87A1EE3A14C4A")
+            .expect("valid hex");
+    let kdf_param = hex::decode("0A2B0601040197550105011203010807416E6F6E796D6F75732053656E646572202020205633A4C5AE4305BC0FE2ABB699A8EE54632790A0").expect("valid hex");
+    let derivation = hex::decode("AF8CE51D0139A6D60831A9BABAB20186").expect("valid hex");
+
+    let template = [
+        Attribute::Class(ObjectClass::PRIVATE_KEY),
+        Attribute::KeyType(KeyType::EC_MONTGOMERY),
+        Attribute::EcParams(vec![
+            0x13, 0x0a, 0x63, 0x75, 0x72, 0x76, 0x65, 0x32, 0x35, 0x35, 0x31, 0x39,
+        ]),
+        Attribute::Value(key),
+        Attribute::Id(b"foo".to_vec()),
+        Attribute::Label(b"bar".to_vec()),
+        Attribute::Sensitive(true),
+        Attribute::Token(true),
+        Attribute::Derive(true),
+    ];
+
+    let private = session.create_object(&template)?;
+
+    let kdf = EcKdf::sha256_sp800(&kdf_param);
+
+    let params = Ecdh1DeriveParams::new(kdf, &ephemeral_key);
+
+    let shared_secret = session.derive_key(
+        &Mechanism::Ecdh1Derive(params),
+        private,
+        &[
+            Attribute::Class(ObjectClass::SECRET_KEY),
+            Attribute::KeyType(KeyType::GENERIC_SECRET),
+            Attribute::ValueLen(Ulong::new(derivation.len().try_into().unwrap())),
+            Attribute::Sensitive(false),
+            Attribute::Extractable(true),
+            Attribute::Token(false),
+        ],
+    )?;
+
+    let value_attribute = session
+        .get_attributes(shared_secret, &[AttributeType::Value])?
+        .remove(0);
+    let value = if let Attribute::Value(value) = value_attribute {
+        value
+    } else {
+        panic!("Expected value attribute.");
+    };
+
+    assert_eq!(value, derivation);
+
+    // delete keys
+    session.destroy_object(private)?;
+
+    Ok(())
+}
+
 #[test]
 #[serial]
 fn import_export() -> TestResult {
