Bug 1730767 - JSS: Wrap NSS CMAC + KDF implementations
Summary: JSS: Wrap NSS CMAC + KDF implementations
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: jss
Version: 8.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: 8.2
Assignee: Alex Scheel
QA Contact: PKI QE
Depends On: 1730765
Blocks: 1730769
TreeView+ depends on / blocked
Reported: 2019-07-17 14:53 UTC by Alex Scheel
Modified: 2021-01-19 18:00 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2021-01-19 18:00:30 UTC
Type: Bug
Target Upstream Version:

Attachments (Terms of Use)

Comment 3 Alex Scheel 2019-10-29 15:12:26 UTC
CMAC is checked into upstream, release v4.6.2+:

> commit bf65e0f80fc0ac0349f888860035d7b95117df25
> Author: Alexander Scheel <ascheel@redhat.com>
> Date:   Wed Sep 25 12:09:06 2019 -0400
>     Add tests for CMAC via JSS Provider
>     These tests are from NIST's Examples with Intermediate Values page:
>     https://csrc.nist.gov/projects/cryptographic-standards-and-guidelines/example-values
>     Signed-off-by: Alexander Scheel <ascheel@redhat.com>
> commit 69cefe1ef489ff498750fe78cb112c94ee5d85b5
> Author: Alexander Scheel <ascheel@redhat.com>
> Date:   Wed Sep 18 14:06:30 2019 -0400
>     Add CMAC algorithm to JSSProvider
>     CMAC is a form of MAC that utilizes a block cipher instead of a hash
>     function. Support for CMAC via PKCS#11 was recently introduced to NSS
>     allowing us to add support for it here.
>     Related: https://bugzilla.mozilla.org/show_bug.cgi?id=1570501
>     Signed-off-by: Alexander Scheel <ascheel@redhat.com>

Comment 14 Alex Scheel 2020-03-02 17:13:12 UTC
KBKDF was also checked into JSS:

commit 3720c4bfb1901cd348dc422ba25a3f7e3270dacc
Author: Alexander Scheel <ascheel@redhat.com>
Date:   Wed Feb 12 14:10:41 2020 -0500

    Add KBKDF design documentation
    Signed-off-by: Alexander Scheel <ascheel@redhat.com>

commit c2744a3dc9a7ab19b641e938728d57d9f33935d3
Author: Alexander Scheel <ascheel@redhat.com>
Date:   Tue Jan 14 14:23:14 2020 -0500

    Add KBKDF Usage Documentation
    Signed-off-by: Alexander Scheel <ascheel@redhat.com>

commit 02f498aff17698c24536ff0939b8e4a835ea96c9
Author: Alexander Scheel <ascheel@redhat.com>
Date:   Wed Dec 18 16:31:12 2019 -0500

    Disable additional derived key tests
    In the version of NSS shipped in RHEL 8.2, the KBKDF patch doesn't
    support additional derived keys. Until NSS upstream ships the finished
    KBKDF patch, drop additional derived key support.
    Signed-off-by: Alexander Scheel <ascheel@redhat.com>

commit c046dab10c785ae71c87e6ca044b1614df468f29
Author: Alexander Scheel <ascheel@redhat.com>
Date:   Wed Dec 18 15:21:04 2019 -0500

    Add tests for NIST SP800-108 KBKDFs
    Signed-off-by: Alexander Scheel <ascheel@redhat.com>

commit 8df0ec084c425591b1b925bdd2a2b6b01057d5de
Author: Alexander Scheel <ascheel@redhat.com>
Date:   Wed Dec 18 10:09:43 2019 -0500

    Add NIST SP800-108 KBKDF PKCS#11 Support
    This introduces initial support for NIST SP800-108 KBKDFs via PKCS#11.
    Support for all three NIST KBKDFs are included: counter mode, feedback
    mode, and double pipeline mode. Additionally, NSS includes support for
    data based derivations: variants of the KDFs which derive data objects
    instead of keys. This allows them to be used for SCP03 challenges.
    This builds upon previous commits which add support for the underlying
    PKCS#11 constants and data parameters.
    Signed-off-by: Alexander Scheel <ascheel@redhat.com>

Comment 15 Matthew Harmsen 2020-04-14 21:56:47 UTC
Per Comment #12 above, this patch will not be needed until HSMs implement the desired algorithms; moving to RHEL Backlog.

Note You need to log in before you can comment on or make changes to this bug.