Dieter, all,
Since CKF_HKDF_SALT_NULL, CKF_HKDF_SALT_DATA and CKF_HKDF_SALT_KEY are mutually exclusive, I suggest using 0, 1, 2 for the values. With 1, 2, 4 people think of a bit field.
CKM_ECDSA_KEY_PAIR_GEN still appears in 2.3.9 and B.4.
Best,
Daniel
From: pkcs11@lists.oasis-open.org <pkcs11@lists.oasis-open.org>
On Behalf Of Dieter Bong
Sent: Monday, 29 April 2019 14:29
To: Robert Relyea <rrelyea@redhat.com>
Cc: pkcs11@lists.oasis-open.org
Subject: [pkcs11] Alignment between header files and PKCS#11 3.00 mechanism spec.
Importance: High
Hi Bob,
working through the PKCS#11 3.00 mechanism spec WD10 and comparing with the header files, I noticed the following:
- CKM_ECDSA_KEY_PAIR_GEN has been deprecated since PKCS#11 2.11, and I have removed it from the mechanism spec 3.00 as agreed. I suggest removing it from the header files as well.
- In the mechanism spec, we have the note:
“CKF_EC_NAMEDCURVE is deprecated with PKCS#11 3.00. It is replaced by CKF_EC_OID.”
In the header file, you have mapped CKF_EC_NAMEDCURVE to CKF_EC_OID. I suggest adding a comment “deprecated since PKCS#11 3.00” to CKF_EC_NAMEDCURVE in the header file.
- I noticed that the following flags are missing in the header file: CKF_HKDF_SALT_NULL, CKF_HKDF_SALT_DATA and CKF_HKDF_SALT_KEY. I have taken the liberty of assigning them the values 1, 2 and 4 (in the order in which they appear in the spec). In case they should get different values, I will update the spec.
- I have removed all occurrences of CKK_ECDSA / CKA_ECDSA_PARAMS and added a notice that they are deprecated and replaced by CKK_EC / CKA_EC_PARAMS. Should CKK_ECDSA and CKA_ECDSA_PARAMS also be removed from the header files?
- CK_AES_GCM_PARAMS and CK_AES_CCM_PARAMS no longer appear in the PKCS#11 spec since version 2.30 (actually I haven’t found any official version using these definitions; the official structures have always been CK_GCM_PARAMS and CK_CCM_PARAMS). I therefore suggest removing CK_AES_GCM_PARAMS and CK_AES_CCM_PARAMS from the header files now.
- CKA_SECONDARY_AUTH, CKA_AUTH_PIN_FLAGS and CKA_ALWAYS_AUTHENTICATE no longer appear in the PKCS#11 spec since version 2.30. They must have been deprecated long ago. I therefore suggest removing them from the header files now. CKA_SECONDARY_AUTH and CKA_AUTH_PIN_FLAGS are already marked as deprecated in the header file; CKA_ALWAYS_AUTHENTICATE is not, but I haven’t found any occurrence.
- I have removed all #defines with respect to CAST5 from the mechanism spec, as these have been superseded by CAST128 and marked deprecated since version 2.11. I have also removed CAST5 from the Historical mechanisms document. I suggest also removing all CAST5 definitions from the header file; some of them were already marked as deprecated in the header file, some (CKM_CAST5_KEY_GEN, CKM_CAST_ECB) weren’t.
Best regards,
Dieter
Utimaco IS GmbH
Germanusstr. 4, D.52080 Aachen, Germany, Tel: +49-241-1696-0,
www.utimaco.com
Seat: Aachen – Registergericht Aachen HRB 18922
VAT ID No.: DE 815 496 496
Managementboard: Stefan Auerbach (Chairman) CEO, Malte Pollmann CSO, Dr. Frank J. Nellissen CFO
This communication is confidential. If you are not the intended recipient, any use, interference with, disclosure or copying of this material is unauthorised and prohibited. Please inform us immediately and destroy the email.
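As an added illustration of the point raised in the reply above (that the three CKF_HKDF_SALT_* values are mutually exclusive and should be validated as an enumeration, not as a bit mask), here is a small C check. This is not code from the thread, the OASIS header files, or any PKCS#11 implementation. The constant values follow Daniel's proposal (0, 1, 2) and are labelled hypothetical; the Cryptoki typedefs are minimal stand-ins so the file compiles without pkcs11.h, and the salt bytes are a constructed sample.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical values following the proposal in this thread (0, 1, 2 as
   mutually exclusive enumerators). The values in the published pkcs11t.h
   may differ; only the enumeration-versus-bit-field point matters here. */
#define CKF_HKDF_SALT_NULL 0UL
#define CKF_HKDF_SALT_DATA 1UL
#define CKF_HKDF_SALT_KEY  2UL

/* Minimal stand-ins for the Cryptoki typedefs so this compiles without
   the real headers. */
typedef unsigned long CK_ULONG;
typedef unsigned char CK_BYTE;
typedef CK_ULONG CK_OBJECT_HANDLE;
#define CK_INVALID_HANDLE 0UL

typedef enum {
    SALT_OK = 0,    /* salt type valid and the other salt fields agree with it */
    SALT_BAD_TYPE,  /* not one of the three enumerators, e.g. an OR-ed combination */
    SALT_BAD_ARGS   /* salt type valid but pSalt/ulSaltLen/hSaltKey inconsistent */
} salt_status;

/* Validate the salt-related fields of an HKDF parameter block, treating
   ulSaltType as an enumeration: exactly one of the three values is legal,
   and the remaining fields must match the chosen value. */
salt_status check_hkdf_salt(CK_ULONG ulSaltType, const CK_BYTE *pSalt,
                            CK_ULONG ulSaltLen, CK_OBJECT_HANDLE hSaltKey)
{
    switch (ulSaltType) {
    case CKF_HKDF_SALT_NULL:
        /* No salt: neither a buffer nor a key handle may be supplied. */
        return (pSalt == NULL && ulSaltLen == 0 && hSaltKey == CK_INVALID_HANDLE)
               ? SALT_OK : SALT_BAD_ARGS;
    case CKF_HKDF_SALT_DATA:
        /* Salt given as bytes: a non-empty buffer and no key handle. */
        return (pSalt != NULL && ulSaltLen > 0 && hSaltKey == CK_INVALID_HANDLE)
               ? SALT_OK : SALT_BAD_ARGS;
    case CKF_HKDF_SALT_KEY:
        /* Salt given as a key object: a handle and no buffer. */
        return (pSalt == NULL && ulSaltLen == 0 && hSaltKey != CK_INVALID_HANDLE)
               ? SALT_OK : SALT_BAD_ARGS;
    default:
        /* Anything else, including CKF_HKDF_SALT_DATA | CKF_HKDF_SALT_KEY,
           is rejected outright rather than partially honoured. */
        return SALT_BAD_TYPE;
    }
}

int main(void)
{
    /* Constructed sample salt; any bytes will do for the check. */
    static const CK_BYTE salt[4] = {0x01, 0x02, 0x03, 0x04};

    printf("null salt: %d\n",
           check_hkdf_salt(CKF_HKDF_SALT_NULL, NULL, 0, CK_INVALID_HANDLE));
    printf("data salt: %d\n",
           check_hkdf_salt(CKF_HKDF_SALT_DATA, salt, sizeof salt, CK_INVALID_HANDLE));
    printf("key salt:  %d\n",
           check_hkdf_salt(CKF_HKDF_SALT_KEY, NULL, 0, 42));
    printf("data|key:  %d\n",
           check_hkdf_salt(CKF_HKDF_SALT_DATA | CKF_HKDF_SALT_KEY, salt, sizeof salt, 42));
    return 0;
}
```

The switch with a rejecting default is the whole point: a bit-mask style test such as `if (ulSaltType & CKF_HKDF_SALT_DATA)` would quietly accept a combined value and use whichever branch it tested first, whereas an enumeration check forces the caller to pick exactly one salt source and supply only the fields that belong to it.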