I would like to know if it's possible to make a key derivation using the AES_CMAC mechanism.
I have an AES master key (key) and I want to generate an AES key: key2 = AES_CMAC(key, data). And of course I want to get only the key2 holder, not the value.
When I do it like this:
    public long derive_key(long key, byte[] data, String label) {
        long p_key = -1L;
        // CKM_AES_CMAC is passed here as the derivation mechanism
        CK_MECHANISM mec = new CK_MECHANISM();
        mec.mechanism = PKCS11Constants.CKM_AES_CMAC;
        // Template for the derived 16-byte AES key
        SecretKey keyTemplate = new AESSecretKey();
        fill(keyTemplate, label);
        ((AESSecretKey) keyTemplate).getValueLen().setLongValue(16L);
        ((AESSecretKey) keyTemplate).getValue().setByteArrayValue(data);
        CK_ATTRIBUTE[] attr = iaik.pkcs.pkcs11.objects.Object.getSetAttributes(keyTemplate);
        return cryptoki.C_DeriveKey(ckiSession, mec, key, attr, true);
    }
I get a CKR_MECHANISM_INVALID error.
And I can't use cryptoki.C_Sign(...) because it outputs the key value.
Thank you!
PKCS#11 does define CKM_SP800_108_COUNTER_KDF (and _FEEDBACK_KDF and _DOUBLE_PIPELINE_KDF), which does allow you to use AES_CMAC as the underlying algorithm. Does that meet your needs? There may be other key derivation mechanisms that may let you use CMAC as well.
But a more general question is what you are trying to achieve. Typically derivation is done following the requirements of a larger scheme with additional requirements. If you are requesting CMAC specifically, I suspect you have other requirements to meet?
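
For reference, an added example (not code from the question or the answer): a software implementation of the SP 800-108 counter-mode KDF with AES-CMAC as the PRF, meant for cross-checking a token's derived value with a throwaway test key. The field layout (32-bit big-endian counter, label, 0x00, context, 32-bit length in bits), the class and method names and the all-zero key are assumptions; a token's actual layout is set by its mechanism parameters.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.util.Arrays;

public class Sp800108CmacReference {   // hypothetical class name
    // Doubling in GF(2^128), used for the CMAC subkeys K1 and K2 (RFC 4493).
    static byte[] dbl(byte[] in) {
        byte[] out = new byte[16];
        for (int i = 0; i < 16; i++)
            out[i] = (byte) ((in[i] & 0xff) << 1 | (i < 15 ? (in[i + 1] & 0xff) >>> 7 : 0));
        if ((in[0] & 0x80) != 0) out[15] ^= (byte) 0x87;
        return out;
    }

    // AES-CMAC (RFC 4493) on top of the JCE AES block cipher.
    static byte[] cmac(byte[] key, byte[] msg) throws Exception {
        Cipher aes = Cipher.getInstance("AES/ECB/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"));
        byte[] k1 = dbl(aes.doFinal(new byte[16])), k2 = dbl(k1);
        int n = Math.max(1, (msg.length + 15) / 16), off = (n - 1) * 16;
        boolean full = msg.length > 0 && msg.length % 16 == 0;
        byte[] last = Arrays.copyOfRange(msg, off, off + 16); // zero-padded last block
        if (!full) last[msg.length - off] = (byte) 0x80;      // 10* padding
        byte[] sub = full ? k1 : k2, x = new byte[16];
        for (int b = 0; b < n; b++) {
            for (int i = 0; i < 16; i++)
                x[i] ^= (b == n - 1) ? (byte) (last[i] ^ sub[i]) : msg[b * 16 + i];
            x = aes.doFinal(x);
        }
        return x;
    }

    // Counter mode: K(i) = CMAC(KI, [i]_32 || label || 0x00 || context || [L]_32), L in bits.
    static byte[] kdf(byte[] ki, byte[] label, byte[] context, int outLen) throws Exception {
        byte[] dkm = new byte[(outLen + 15) / 16 * 16];
        for (int i = 1; i <= dkm.length / 16; i++) {
            ByteBuffer in = ByteBuffer.allocate(9 + label.length + context.length);
            in.putInt(i).put(label).put((byte) 0).put(context).putInt(outLen * 8);
            System.arraycopy(cmac(ki, in.array()), 0, dkm, (i - 1) * 16, 16);
        }
        return Arrays.copyOf(dkm, outLen);
    }
    public static void main(String[] args) throws Exception {
        byte[] master = new byte[16]; // constructed all-zero test key, never a production key
        byte[] key2 = kdf(master, "label".getBytes("US-ASCII"), "data".getBytes("US-ASCII"), 16);
        System.out.println(String.format("%032x", new java.math.BigInteger(1, key2)));
    }
}
```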