Pkcs11Interop (C#) - Calculate HMAC Signature on Utimaco HSM Simulator

Question

I have to generate HMAC(SHA256) signature with an AES-256 key on the Utimaco HSM simulator. I use the PKCS#11 library "Pkcs11Interop" (C#) for this. My source code function:

public static byte[] GetSignatureHmacSha256(IObjectHandle secretKeyHandle, byte[] message)
        {
            ICkMacGeneralParams macParams = Settings.Factories.MechanismParamsFactory.CreateCkMacGeneralParams(32);            
            IMechanism mechanism = session.Factories.MechanismFactory.Create(CKM.CKM_SHA256_HMAC_GENERAL, macParams);
            byte[] signature = session.Sign(mechanism, secretKeyHandle, message);            
            return signature;
        }

I get this error message. Can someone help me what am I doing wrong?

"Method C_SignInit returned CKR_MECHANISM_INVALID"

Utimaco Log: "Mechanism CKM_SHA256_HMAC_GENERAL doesn't fit key t."

Answer 1

For HMAC you need to use one of:

• generic secret key (CKK_GENERIC_SECRET)

• designated HMAC-SHA256 key (CKK_SHA256_HMAC)

AES key (CKK_AES) can not be used -- citing section HMAC mechanisms in the PKCS#11 standard:

The HMAC secret key shall correspond to the PKCS11 generic secret key type or the mechanism specific key types (see mechanism definition). Such keys, for use with HMAC operations can be created using C_CreateObject or C_GenerateKey.

Just generate or import your HMAC key as CKK_GENERIC_SECRET or CKK_SHA256_HMAC.

Good luck with your project!