PKEY for CMAC: operation not supported for this keytype.

PKEY for CMAC: operation not supported for this keytype.

Hal Murray
I can't get CMAC to work via PKEY.  I get the same error on 1.1.1g and 3.0.0

I'm using a cipher that works with the CMAC interface.

Can anybody see what I'm missing?


--
These are my opinions.  I hate spam.


pkey.c (1K) Download Attachment

Re: PKEY for CMAC: operation not supported for this keytype.

Richard Levitte - VMS Whacker-2
On Sun, 14 Jun 2020 07:16:27 +0200,
Hal Murray wrote:
>
> I can't get CMAC to work via PKEY.  I get the same error on 1.1.1g and 3.0.0
>
> I'm using a cipher that works with the CMAC interface.
>
> Can anybody see what I'm missing?

Yup.  It's designed to work with the set of functions EVP_DigestSign*.

Attached is the diff of your program, rewritten to use that.

Cheers,
Richard

--
Richard Levitte         [hidden email]
OpenSSL Project         http://www.openssl.org/~levitte/

===File /tmp/pkey.c.diff====================================
--- /home/levitte/tmp/pkey.c 2020-06-14 14:18:14.351804812 +0200
+++ test-cmac.c 2020-06-14 14:20:04.473406566 +0200
@@ -17,7 +17,7 @@
     const unsigned char key[16];
     const EVP_CIPHER *cipher;
     EVP_PKEY *pkey;
-    EVP_PKEY_CTX *ctx;
+    EVP_MD_CTX *mctx;
 
     printf("Build: %lx, %s\n", \
         OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT);
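Review bot: the swap of the ctx declaration for mctx needs a matching EVP_MD_CTX_free(mctx) before main() returns, and neither hunk shown adds one or converts any later use of ctx; a remaining EVP_PKEY_sign() or EVP_PKEY_CTX_free(ctx) reference would no longer compile once the declaration is gone. Separately, the context line `const unsigned char key[16];` has no initializer, so the key bytes are indeterminate; give it an explicit value so runs are reproducible.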
@@ -34,18 +34,18 @@
         return 1;
     }
 
-    ctx = EVP_PKEY_CTX_new(pkey, NULL);
-    if (NULL == ctx) {
+    mctx = EVP_MD_CTX_new();
+    if (NULL == mctx) {
         unsigned long err = ERR_get_error();
         char * str = ERR_error_string(err, NULL);
         printf("## Oops, EVP_PKEY_CTX_new() failed:\n    %s.\n", str);
         return 1;
     }
 
-    if (1 != EVP_PKEY_sign_init(ctx)) {
+    if (1 != EVP_DigestSignInit(mctx, NULL, NULL, NULL, pkey)) {
         unsigned long err = ERR_get_error();
         char * str = ERR_error_string(err, NULL);
-        printf("## Oops, EVP_PKEY_sign_init() failed:\n    %s.\n", str);
+        printf("## Oops, EVP_PKEY_DigestSignInit() failed:\n    %s.\n", str);
         return 1;
     }
 
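Review bot: the failure message under the new EVP_MD_CTX_new() call still reads "EVP_PKEY_CTX_new() failed", and the rewritten message names EVP_PKEY_DigestSignInit() although the function called is EVP_DigestSignInit(); correct both strings so an error report points at the call that actually failed. The `return 1` paths also leave pkey unfreed, and the second one leaves mctx unfreed as well; a shared cleanup label would cover both if this code is reused outside a throwaway test.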
============================================================

Re: PKEY for CMAC: operation not supported for this keytype.

Hal Murray
Thanks.  It's working now.  Timings soon.

The first paragraph in the man page for EVP_DigestSign and friends says:

    The EVP signature routines are a high level interface to digital signatures.
    Input data is digested first before the signing takes place.

Down at the bottom, under CMAC, it says:
    Will ignore any digest provided.

So I assume the first paragraph doesn't apply for CMAC.



--
These are my opinions.  I hate spam.