Add more setters for EcKdf. #292
Conversation
|
Code wise looks good. I would prefer to have some test prepared so we can enable it once the kryoptic version will get updated in Fedora, if nothing to prevent the case of having mechanisms like the sha256 added without any testing. I do not think it needs to be full coverage of all combinations, but at least one test with NIST SP800 and one with ANSI with known answer test to make sure it works. |
|
Thanks for this, looks good! Agree with @Jakuje about adding two simple tests where this is available in Fedora! |
|
I've updated the MR to include a test that uses known good values. I created the test vector by instrumenting Sequoia OpenPGP and dumping the relevant values. The test vector is for SHA256-SP800. It would be straightforward (although still some work) to create test vectors for SHA384-SP800 and SHA512-SP800. As Sequoia does not use the ANSI functions, I cannot create test vectors for them without a lot of work. That said, I'm not sure of the value of additional test vectors: I think the test suite is about testing the library, not the underlying token implementation. The test demonstrates that the shape of the API is correct, and that the shared value is passed correctly. Thoughts? |
|
Regarding the ANSI variant, I think its ok to skip it as it is mostly the same (for the rust-cryptoki). |
cryptoki/tests/basic.rs
Outdated
| &[ | ||
| Attribute::Class(ObjectClass::SECRET_KEY), | ||
| Attribute::KeyType(KeyType::GENERIC_SECRET), | ||
| Attribute::ValueLen((derivation.len() as u64).into()), |
There was a problem hiding this comment.
This still does not work on 32b arch. We had more of them fixed recently in 80b22b2, but I think all of them are constants.
Not sure what would be the cleanest way to do this, but probably some From for u32 to keep it safe? Or just Ulong::new(derivation.len()), but it makes the API ugly, i think...
There was a problem hiding this comment.
Thanks for the hint. I switched to Ulong::new(derivation.len()).
There was a problem hiding this comment.
Still it probably needs
Attribute::ValueLen(Ulong::new(derivation.len() as u64)),
or the try_into().unwrap() as suggested by the rust ...
Adds setters for the ANSI X9.63 KDFs (`EcKdf::sha1`, etc) and the NIST SP800-56A KDFs (`EcKdf::sha1_sp800`) to `EcKdf`. Fixes `EcKdf::sha256`. Fixes parallaxsecond#281. Signed-off-by: Neal H. Walfield <[email protected]>
Adds setters for the ANSI X9.63 KDFs (
EcKdf::sha1, etc) and the NIST SP800-56A KDFs (EcKdf::sha1_sp800) toEcKdf.Fixes
EcKdf::sha256.Fixes #281.
The SP800 variants were recently added to Kryoptic.
I've tested this using Sequoia, but I haven't included any unit tests. First, the unit tests will fail, because the current released version of Kryoptic doesn't include support for the SP800 yet. Second, creating test vectors will be a huge amount of work. Given how simple the implementation is, do you want unit tests for these functions?
Thanks for taking a look.