How is the mechanism supposed to be formatted? I cannot get the C_Encrypt to work on the Orin even though the code works for SoftHSM and I have tested AESGCM to work.
The PKCS#11 mechanism definition according to the PKCS#11 docs is:
CK_AES_CTR_PARAMS is a structure that provides the parameters to the CKM_AES_CTR mechanism. It is defined as follows:
typedef struct CK_AES_CTR_PARAMS {
    CK_ULONG ulCounterBits;
    CK_BYTE cb[16];
} CK_AES_CTR_PARAMS;
hello kenng7183,
please check Key Derivation Function (KDF) section, it is generated by the AES-CMAC algorithm.
may I double check what’s the actual use-case?
The KDF is an OPTEE function relating to keys. PKCS11 interacts with mechanisms in the HSM. I can list the mechanisms saying that it supports aesctr, but implementation fails on initialization.
do you have AES-CTR init error/logs for reference?
This is the snippet for initialization. The error code that I get is 0x71 when C_EncryptInit is called
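CK_AES_CTR_PARAMS ctr = {
    .ulCounterBits = 128,
    .cb = {0}
};
/* sizeof yields size_t, so print it with %zu */
printf("size of CK_AES_CTR_PARAMS: %zu\n", sizeof(ctr));
/* copy the IV in as the initial counter block */
memcpy(ctr.cb, iv, AES_IV_SIZE);
CK_MECHANISM mech = { CKM_AES_CTR, &ctr, sizeof(ctr) };
/* this is the call that returns 0x71 on the Orin */
check(p11->C_EncryptInit(sess, &mech, key), "EncryptInit");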
hello kenng7183,
please give it a try with below modification, since the PKCS11 TA supports only 1-bit increment counter.
CK_AES_CTR_PARAMS ctr = {
- .ulCounterBits = 128,
+ .ulCounterBits = 1,
.cb = {0}
};
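Review bot: On the changed `.ulCounterBits = 1` line, say how the TA interprets the field. In the PKCS#11 specification ulCounterBits is the number of low-order bits of cb that are incremented, and read that way a value of 1 leaves only two distinct counter blocks per IV. If the TA instead treats the value as an increment step over the whole block, state that next to the change together with the resulting limit on message length per IV, so the value is not copied unchanged into code for other tokens.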
Doesn’t work. I have it working on SoftHSM, so it's something with the Orin rather than the PKCS11 TA.
hello kenng7183,
could you please test with PKCS11 TA directly?
I was able to get it to work but having counterbits = 1 is insecure for my application. Are there any more secure recommendations?
hello kenng7183,
please refer to previous reply..
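An added example, not code from this thread or from NVIDIA or OP-TEE: it implements the PKCS#11 specification's reading of `ulCounterBits` (the number of low-order bits of `cb` that are incremented) and counts how many 16-byte counter blocks are available before one repeats, which is the concern behind the "counterbits = 1 is insecure" question. The function names and the sample IV are constructed for illustration, and whether the Orin's PKCS11 TA follows this reading is an assumption the thread does not settle.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define AES_BLOCK 16

/* Increment only the low-order counter_bits bits of the big-endian counter
 * block, leaving the nonce bits above them untouched (the PKCS#11 spec's
 * reading of ulCounterBits). Returns 1 when the counter field wraps. */
static int ctr_increment(uint8_t cb[AES_BLOCK], unsigned counter_bits)
{
    for (int i = AES_BLOCK - 1; i >= 0 && counter_bits > 0; i--) {
        unsigned take = counter_bits < 8 ? counter_bits : 8;
        uint8_t mask = (uint8_t)((1u << take) - 1u);
        uint8_t field = (uint8_t)((cb[i] + 1u) & mask);
        cb[i] = (uint8_t)((cb[i] & (uint8_t)~mask) | field);
        if (field != 0)
            return 0;            /* no carry into the next byte */
        counter_bits -= take;
    }
    return 1;                    /* carried out of the whole counter field */
}

/* Count distinct counter blocks reachable from start before the block value
 * repeats, giving up at limit. Reuse of a block means reuse of keystream. */
static uint64_t blocks_before_reuse(const uint8_t start[AES_BLOCK],
                                    unsigned counter_bits, uint64_t limit)
{
    uint8_t cb[AES_BLOCK];
    uint64_t n = 0;
    memcpy(cb, start, AES_BLOCK);
    do {
        n++;
        ctr_increment(cb, counter_bits);
    } while (n < limit && memcmp(cb, start, AES_BLOCK) != 0);
    return n;
}

int main(void)
{
    /* Constructed sample IV: nonce bytes first, counter bits start at zero. */
    uint8_t iv[AES_BLOCK] = { 0xA0, 0xA1, 0xA2, 0xA3 };
    const unsigned bits[] = { 1, 8, 32, 128 };
    for (size_t i = 0; i < sizeof bits / sizeof bits[0]; i++) {
        uint64_t n = blocks_before_reuse(iv, bits[i], 1u << 20);
        printf("ulCounterBits=%3u: %s%llu blocks before reuse\n", bits[i],
               n == (1u << 20) ? ">= " : "", (unsigned long long)n);
    }
    return 0;
}
```

Under this reading, a message longer than the reported block count times 16 bytes would reuse keystream under the same key and IV.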