CKM_AES_CMAC_GENERAL
This section provides a summary of CKM_AES_CMAC_GENERAL.
Note
This section describes the behavior of CKM_AES_CMAC_GENERAL from ProtectToolkit 7.1.0 onwards, which matches PKCS#11 2.40. If you are using ProtectToolkit 7.0.0, this mechanism behaves as defined in PKCS#11 2.30. For information about this mechanism's compatibility with ProtectToolkit 7.0.0 applications, refer to Compatibility with ProtectToolkit 7.0.0 Applications.
Supported operations
Operation | Support |
---|---|
Encrypt and Decrypt | No |
Sign and Verify | Yes |
SignRecover and VerifyRecover | No |
Digest | No |
Generate Key/Key-Pair | No |
Wrap and Unwrap | No |
Derive | No |
FIPS Mode support
Available in FIPS Mode | Restrictions in FIPS Mode |
---|---|
Yes | None |
Key size range (bytes) and parameters
Key size minimum/maximum | Value |
---|---|
Minimum | 16 |
FIPS Minimum | 16 |
Maximum | 32 |
Parameter
CK_MAC_GENERAL_PARAMS
Mechanism description
For a full description of this mechanism, refer to the PKCS#11 version 2.40 documentation from RSA Laboratories.
Compatibility with ProtectToolkit 7.0.0 Applications
PKCS#11 2.40 (Errata 01) swapped the values for CKM_AES_CMAC_GENERAL and CKM_AES_CTS.
Applications using CKM_AES_CMAC_GENERAL on ProtectToolkit 7.1.0 should be recompiled with the PTK SDK from ProtectToolkit 7.1.0.
If the application cannot be changed, then the configuration item ET_PTKC_GENERAL_LEGACY_CMAC can be used. For more information about this configuration item, refer to ProtectToolkit-C mechanism configuration items.
Example:
$ export ET_PTKC_GENERAL_LEGACY_CMAC=YES
Return to ProtectToolkit-C mechanisms.