CMAC is checked into upstream, release v4.6.2+:

> commit bf65e0f80fc0ac0349f888860035d7b95117df25
> Author: Alexander Scheel <ascheel@redhat.com>
> Date:   Wed Sep 25 12:09:06 2019 -0400
>
>     Add tests for CMAC via JSS Provider
>
>     These tests are from NIST's Examples with Intermediate Values page:
>     https://csrc.nist.gov/projects/cryptographic-standards-and-guidelines/example-values
>
>     Signed-off-by: Alexander Scheel <ascheel@redhat.com>
>
> commit 69cefe1ef489ff498750fe78cb112c94ee5d85b5
> Author: Alexander Scheel <ascheel@redhat.com>
> Date:   Wed Sep 18 14:06:30 2019 -0400
>
>     Add CMAC algorithm to JSSProvider
>
>     CMAC is a form of MAC that utilizes a block cipher instead of a hash
>     function. Support for CMAC via PKCS#11 was recently introduced to NSS
>     allowing us to add support for it here.
>
>     Related: https://bugzilla.mozilla.org/show_bug.cgi?id=1570501
>
>     Signed-off-by: Alexander Scheel <ascheel@redhat.com>

KBKDF was also checked into JSS:

commit 3720c4bfb1901cd348dc422ba25a3f7e3270dacc
Author: Alexander Scheel <ascheel@redhat.com>
Date:   Wed Feb 12 14:10:41 2020 -0500

    Add KBKDF design documentation

    Signed-off-by: Alexander Scheel <ascheel@redhat.com>

commit c2744a3dc9a7ab19b641e938728d57d9f33935d3
Author: Alexander Scheel <ascheel@redhat.com>
Date:   Tue Jan 14 14:23:14 2020 -0500

    Add KBKDF Usage Documentation

    Signed-off-by: Alexander Scheel <ascheel@redhat.com>

commit 02f498aff17698c24536ff0939b8e4a835ea96c9
Author: Alexander Scheel <ascheel@redhat.com>
Date:   Wed Dec 18 16:31:12 2019 -0500

    Disable additional derived key tests

    In the version of NSS shipped in RHEL 8.2, the KBKDF patch doesn't
    support additional derived keys. Until NSS upstream ships the finished
    KBKDF patch, drop additional derived key support.

    Signed-off-by: Alexander Scheel <ascheel@redhat.com>

commit c046dab10c785ae71c87e6ca044b1614df468f29
Author: Alexander Scheel <ascheel@redhat.com>
Date:   Wed Dec 18 15:21:04 2019 -0500

    Add tests for NIST SP800-108 KBKDFs

    Signed-off-by: Alexander Scheel <ascheel@redhat.com>

commit 8df0ec084c425591b1b925bdd2a2b6b01057d5de
Author: Alexander Scheel <ascheel@redhat.com>
Date:   Wed Dec 18 10:09:43 2019 -0500

    Add NIST SP800-108 KBKDF PKCS#11 Support

    This introduces initial support for NIST SP800-108 KBKDFs via PKCS#11.
    Support for all three NIST KBKDFs are included: counter mode, feedback
    mode, and double pipeline mode. Additionally, NSS includes support for
    data based derivations: variants of the KDFs which derive data objects
    instead of keys. This allows them to be used for SCP03 challenges.

    This builds upon previous commits which add support for the underlying
    PKCS#11 constants and data parameters.

    Signed-off-by: Alexander Scheel <ascheel@redhat.com>

Per Comment #12 above, this patch will not be needed until HSMs implement the desired algorithms; moving to RHEL Backlog.