Tags: pkcs#11, pkcs11interop

Why sign method returns only four bytes?


I am trying to implement the PKCS #11 standard using Pkcs11Interop.

I have some DES2 keys (16 bytes) and I want to use the Sign method.

My problem is that the Sign method returns only four bytes, but I want an 8-byte signature.

What should I do?

PS 1: The four-byte result is correct; it is the first bytes of my expected result.

PS 2: I know the Sign method is the same as the Encrypt method, so one of my solutions is to encrypt the input and take the first 8 bytes of the result (that is what I am already doing), but I feel bad about it and I think it is better to use the Sign method itself.

PS 3: There is an "ICkMacGeneralParams" interface that can be used to select the MAC size, but it seems to have no effect AT ALL! I set it to UInt32.MaxValue and 0 and the result was not different.

PS 4: I know the Sign method is usually used with public and private keys, but I need to use it with one key.

    var data = new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, };

    // macParams seems not to work at all! The result remains the same with any input to the CreateCkMacGeneralParams method
    var macParams = session.Factories.MechanismParamsFactory.CreateCkMacGeneralParams(8);

    var signMechanism = session.Factories.MechanismFactory.Create(CKM.CKM_DES3_MAC, macParams);
    // handle references some 16-byte key with CKK_DES2
    var signResult = session.Sign(signMechanism, handle, data);
    // result is always 4 bytes

Solution

The mechanism CKM_DES3_MAC always gives 4 bytes of output for DES; citing "PKCS #11 v2.20", section 12.13.14:

    It always produces an output of size half as large as <NAME>'s blocksize.

You need to use CKM_DES3_MAC_GENERAL, which allows signature lengths up to the DES blocksize (see section 12.13.13). The desired signature length is specified in the mechanism parameter CK_MAC_GENERAL_PARAMS.

If your token supports this mechanism, the following code should work:

    var data = new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };

    var macParams = session.Factories.MechanismParamsFactory.CreateCkMacGeneralParams(8);
    var signMechanism = session.Factories.MechanismFactory.Create(CKM.CKM_DES3_MAC_GENERAL, macParams);
    // handle references the 16-byte CKK_DES2 key
    var signResult = session.Sign(signMechanism, handle, data);

Good luck!
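The following is an added example, not code from the question or the answer above, that puts the two mechanisms side by side with Pkcs11Interop's HighLevelAPI: it requests a full 8-byte MAC through CKM_DES3_MAC_GENERAL, shows that the fixed 4-byte CKM_DES3_MAC output is only a prefix of it, and round-trips the 8-byte MAC through Verify. It assumes an already opened and logged-in ISession; the GenerateSessionDes2Key helper (using CKM_DES2_KEY_GEN for a throwaway session key) is a hypothetical convenience, and the 16 zero bytes are a constructed sample input.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Net.Pkcs11Interop.Common;
using Net.Pkcs11Interop.HighLevelAPI;

public static class Des3MacLengthDemo
{
    // Hypothetical helper: generates a session-only (CKA_TOKEN = false) DES2 key
    // so the demo does not need a pre-existing key on the token.
    public static IObjectHandle GenerateSessionDes2Key(ISession session)
    {
        var mechanism = session.Factories.MechanismFactory.Create(CKM.CKM_DES2_KEY_GEN);
        var attrs = new List<IObjectAttribute>
        {
            session.Factories.ObjectAttributeFactory.Create(CKA.CKA_TOKEN, false),
            session.Factories.ObjectAttributeFactory.Create(CKA.CKA_SIGN, true),
            session.Factories.ObjectAttributeFactory.Create(CKA.CKA_VERIFY, true)
        };
        return session.GenerateKey(mechanism, attrs);
    }

    // Builds CKM_DES3_MAC_GENERAL with CK_MAC_GENERAL_PARAMS set to the requested
    // length (1..8 for a DES block); the fixed CKM_DES3_MAC mechanism ignores this.
    public static IMechanism GeneralMacMechanism(ISession session, ulong macLength)
    {
        var macParams = session.Factories.MechanismParamsFactory.CreateCkMacGeneralParams(macLength);
        return session.Factories.MechanismFactory.Create(CKM.CKM_DES3_MAC_GENERAL, macParams);
    }

    // Returns true when the token behaves as the spec describes: the 4-byte
    // CKM_DES3_MAC output is the prefix of the 8-byte general-length MAC, and the
    // 8-byte MAC verifies. An 8-byte MAC is the one to keep: 4 bytes leaves only
    // 2^32 possible tags for a forger to guess.
    public static bool Run(ISession session, IObjectHandle key)
    {
        var data = new byte[16]; // constructed sample input: 16 zero bytes

        byte[] fullMac = session.Sign(GeneralMacMechanism(session, 8), key, data);
        var fixedMech = session.Factories.MechanismFactory.Create(CKM.CKM_DES3_MAC);
        byte[] shortMac = session.Sign(fixedMech, key, data);

        bool prefixMatches = shortMac.Length == 4 && fullMac.Length == 8
                             && fullMac.Take(4).SequenceEqual(shortMac);

        session.Verify(GeneralMacMechanism(session, 8), key, data, fullMac, out bool isValid);
        return prefixMatches && isValid;
    }
}
```

Call Run(session, GenerateSessionDes2Key(session)) after logging in; a token that does not list CKM_DES3_MAC_GENERAL in its mechanism list will throw a Pkcs11Exception with CKR_MECHANISM_INVALID at the Sign call.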