Cannot get HMAC to use secret OID, and which functions to use?

[antfarmer]

I have ported the library to a PIC24 environment and have most functions working, however when I try to compute HMAC, I always get an invalid OID (0x8001) response. I've used ECDH, and TLS PRF to derive a key in OPTIGA_KEY_ID_SESSION_BASED, and I've also tried putting random data in arbitrary data objects such as 0xF1D0, and even generating a key in OPTIGA_KEY_ID_SECRET_BASED. Does the secret need to be a specific size that might be causing this?

Here is the core code for the HMAC operation:
`

// update metadata for secret
if (ctx->secretOid != OPTIGA_KEY_ID_SESSION_BASED) {
	optiga_wrapper_setUtilStatus(OPTIGA_LIB_BUSY);
	status = optiga_util_write_metadata(app,
			ctx->secretOid,
			hmacMetadata,             // { 0x20, 0x06, 0xD3, 0x01, 0x00, 0xE8, 0x01, 0x21 }
			sizeof(hmacMetadata)
	);
	status = optiga_wrapper_utilWait(status);
	if (status != OPTIGA_LIB_SUCCESS) {
		println("%s metadata: 0x%02X", __FUNCTION__, status);
		return status;
	}
}

// HMAC
optiga_wrapper_setCryptStatus(OPTIGA_LIB_BUSY);
status = optiga_crypt_hmac(crypt,
		ctx->hmacType,
		ctx->secretOid,       // OPTIGA_KEY_ID_SESSION_BASED
		ctx->input,
		(uint32_t)ctx->inputLength,
		ctx->mac,
		&ctx->macLength
);
status = optiga_wrapper_cryptWait(status);

if (status == OPTIGA_LIB_SUCCESS) {
	println("HMAC:");
	optiga_lib_print_array_hex_format(ctx->mac, ctx->macLength, OPTIGA_LIB_LOGGER_COLOR_CYAN);
}
else {
	println("%s error: 0x%02X", __FUNCTION__, status);
}

// update metadata to default
if (ctx->secretOid != OPTIGA_KEY_ID_SESSION_BASED) {
	optiga_wrapper_setUtilStatus(OPTIGA_LIB_BUSY);
	status = optiga_util_write_metadata(app,
			ctx->secretOid,
			defaultMetadata,            // { 0x20, 0x06, 0xE8, 0x01, 0x00, 0xD3, 0x01, 0xFF }
			sizeof(defaultMetadata)
	);
	status = optiga_wrapper_utilWait(status);
	if (status != OPTIGA_LIB_SUCCESS) {
		println("%s default metadata: 0x%02X", __FUNCTION__, status);
		return status;
	}
}

`

Also, I'm unclear from the documentation on which function to use. Right now, I'm using optiga_crypt_hmac, but I have also tried optiga_crypt_hmac_start/update/final methods. When should I choose one vs the other set of methods? I would like to use the single optiga_crypt_hmac method for simplicity, but I'm not sure if there are any limitations on the input data size. If there are limits on the input size, say 128 bytes, which methods should be called for data that is 127, 128, and 129 bytes?

Any help much appreciated.

[ayushev]

Hi there,

you asked a couple of questions. I'll try to focus at least on the code snippet you have provided.
Hete you try to calculate an hmac using OPTIGA_KEY_ID_SESSION_BASED, for this you get an invalid OID error.
Invalid OID error means (in this particlar case) that the OID you are using doesn't contain a pre-shared secret and probably can't be used internally (EXECUTE access condition). You indicate that the OID is a pre-shared secret by setting up a corresponing metadata.

static const uint8_t metadata [] = {
    //Metadata tag in the data object
    0x20, 0x06,
        //Data object type set to PRESSEC
        0xE8, 0x01, 0x21,
       // Execute Access condition descriptor set to ALWAYS
        0xD3, 0x01, 0x00,
};

with a secret stored in a data object you might get a different error, can you show it here, what error do you get?

Also, I'm unclear from the documentation on which function to use. Right now, I'm using optiga_crypt_hmac, but I have also tried optiga_crypt_hmac_start/update/final methods. When should I choose one vs the other set of methods? I would like to use the single optiga_crypt_hmac method for simplicity, but I'm not sure if there are any limitations on the input data size. If there are limits on the input size, say 128 bytes, which methods should be called for data that is 127, 128, and 129 bytes?

The difference is that you might do hmac continiously in different points of time (so the patter here would be one start, many updates and one finalize inthe end), or you might do an hmac in one shot.
The input size generally should not be more than a maximum communication buffer size (which is 0x615 by default), if you need more data you might opt to the start/update/finalize version.

[antfarmer]

Hi, thanks for the reply. Yes, I've tried to write metadata to the OPTIGA_KEY_ID_SESSION_BASED OID, however I get an error when doing that, so that's why in the code above I have a condition to skip setting metadata if the oid is session based. Maybe there is something wrong with the way I'm trying to set the metadata for the session oid? As in my CMAC question, I'd like to be able to change the secret relatively frequently for each session, so I need to avoid NVM due to the write endurance limitations. The arbitrary objects might be ok to use, but this also produces the error. Even this is not ideal as the key has to be exported to the host and then stored back to the NVM area. Ideally, the result of the ECDH and KDF in the session oid should be the source.

[ayushev]

The Session Objects in optiga are a special RAM like objects which can temporaly store data. This content of this data can be feeded to functions like key dereviation or hmac. However in this case, the data there should be provided as result of either ECDHE, or ECDHE + key dereviation function (HKDF or TLS PRF)). In tis case the data there will be configured properly.
So there are two options:
Option 1.
Step 1. Do ECDHE (ths is typically done with one private key and public key from a different entity). The size of the resulting secret here depends on the key length of a used curve (NISTP256) - 32 bytes. Store the resul in one of Session OIDs
Step 2. (Optional) Do key dereviation, wither hkdf or TLS PRF. Reuse the same session OID
Step 3. Do HMAC using as a secret the same session OID

Option 2.
Step 1. Preporogram the secret to the one of Data Object, this can be done over a data object protected update from a remote server, during production or manually in the code for poc. Here the size should not be more than 64 bytes (Note: use Erase and Write option for writing).
Step 2. Change Data Type in the metadata of the data object to the PRESSEC
Step 3. Call the hmac function with Data Object based as a secret

[ayushev]

One correction to the question of the function choice and data limit. If user provided data is longer than the internal buffer it will be internally fragmented.

[antfarmer]

OK, got it working. I think I was getting some errors because I mixed up the constants between HKDF and HMAC. Seems to be working well now. Good to know about the size constraints and proper usage of the functions. Thanks.