CKM_AES_MAC
TIP Some mechanisms in this collection have both a "general" variant and a similarly named variant without "general" in the name. Per the PKCS#11 specification the _GENERAL variant of mechanism accepts a mechanism parameter that is used to define the length of the signature that is returned. The length can typically be any value between 1 and the length of the underlying HASH algorithm.
The variants without _GENERAL do not accept any mechanism parameters and always return a fixed length signature; where the length is defined by the underlying HASH algorithm.
Firmware 7.8.7 and Newer Summary
| FIPS approved? | No |
| Supported functions | Sign | Verify |
| Functions restricted from FIPS use | N/A |
| Minimum key length (bits) | 128 |
| Minimum key length for FIPS use (bits) | N/A |
| Minimum legacy key length for FIPS use (bits) | N/A |
| Maximum key length (bits) | 256 |
| Block size | 16 |
| Digest size | 0 |
| Key types | AES |
| Algorithms | AES |
| Modes | MAC |
| Flags | Extractable |
Firmware 7.7.0-7.8.4 Summary
| FIPS approved? | Yes |
| Supported functions | Sign | Verify |
| Functions restricted from FIPS use | Cannot sign |
| Minimum key length (bits) | 128 |
| Minimum key length for FIPS use (bits) | 128 |
| Minimum legacy key length for FIPS use (bits) | N/A |
| Maximum key length (bits) | 256 |
| Block size | 16 |
| Digest size | 0 |
| Key types | AES |
| Algorithms | AES |
| Modes | MAC |
| Flags | Extractable |
NOTE To comply with FIPS SP800-131a Rev2 published in March 2019, when the HSM is in FIPS mode, this mechanism is not allowed to sign data.
Firmware 7.4.2 and Older Summary
| FIPS approved? | Yes |
| Supported functions | Sign | Verify |
| Functions restricted from FIPS use | None |
| Minimum key length (bits) | 128 |
| Minimum key length for FIPS use (bits) | 128 |
| Minimum legacy key length for FIPS use (bits) | N/A |
| Maximum key length (bits) | 256 |
| Block size | 16 |
| Digest size | 0 |
| Key types | AES |
| Algorithms | AES |
| Modes | MAC |
| Flags | Extractable |
