OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

pkcs11 message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: v2.40: C_DeriveKey with CKM_TLS12_KDF

Hi TC,
In the PKCS #11 v2.40 spec, I could not find a detailed description of the use of C_DeriveKey with CKM_TLS12_KDF.
For example, back in the v2.20 spec for CKM_TLS_PRF, we have a paragraph that says: 

=======================================================================
12.32.3
TLS PRF (pseudorandom function)
PRF (pseudo random function) in TLS,...... during a C_DeriveKey function call, which means the template shall be a NULL_PTR. For most key-derivation mechanisms, C_DeriveKey returns a single key handle as a result of a successful completion.
However, since the CKM_TLS_PRF mechanism returns the requested number of output bytes in the CK_TLS_PRF_PARAMS structure specified as the mechanism parameter, the parameter phKey passed to C_DeriveKey is unnecessary, and should be a NULL_PTR. 
=======================================================================

Questions:
1) do we expect the same for CKM_TLS12_KDF where we can say the followings ?
"However, since the CKM_TLS12_KDF mechanism returns the requested number of output bytes in the CK_TLS12_KDF_PARAMS structure specified as the mechanism parameter, the parameter phKey passed to C_DeriveKey is unnecessary, and should be a NULL_PTR." 

2) if Question 1) is correct, for its parameter definition:

typedef struct CK_TLS_KDF_PARAMS {
   CK_MECHANISM_TYPE prfMechanism;
   CK_BYTE_PTR pLabel;
   CK_ULONG ulLabelLength;
   CK_SSL3_RANDOM_DATA RandomInfo;
   CK_BYTE_PTR pContextData;
   CK_ULONG ulContextDataLength;
} CK_TLS_KDF_PARAMS;
It should have two more fields (i.e. pOutput and pulOutputLen) such as in CK_TLS_PRF_PARAMS. 

typedef struct CK_TLS_PRF_PARAMS {
   CK_BYTE_PTR pSeed;
   CK_ULONG
   ulSeedLen;
   CK_BYTE_PTR pLabel;
   CK_ULONG
   ulLabelLen;
   CK_BYTE_PTR pOutput;
   CK_ULONG_PTR pulOutputLen;
} CK_TLS_PRF_PARAMS;

Therefore, CK_TLS_KDF_PARAMS should be defined as follow:

typedef struct CK_TLS_KDF_PARAMS {
   CK_MECHANISM_TYPE prfMechanism;
   CK_BYTE_PTR pLabel;
   CK_ULONG ulLabelLength;
   CK_SSL3_RANDOM_DATA RandomInfo;
   CK_BYTE_PTR pContextData;
   CK_ULONG ulContextDataLength;
   CK_BYTE_PTR pOutput;  <--------- extra
   CK_ULONG_PTR pulOutputLen; <---- extra
} CK_TLS_KDF_PARAMS;


Any comments ?

Thanks,
Oscar

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]