Skip to content

Add support fot CKM_HOTP and OTP key factory#461

Open
simo5 wants to merge 2 commits into
latchset:mainfrom
simo5:OTP_keys
Open

Add support fot CKM_HOTP and OTP key factory#461
simo5 wants to merge 2 commits into
latchset:mainfrom
simo5:OTP_keys

Conversation

@simo5

@simo5 simo5 commented Jun 16, 2026

Copy link
Copy Markdown
Member

Description

I was curious to implement HOTP because it was the simplest thing that would allow me to consider the problem of stateful keys (keys that need to update state on token after an operation)

This PR implements OTP Keys factory and provide a simple implementation of an HOTP token mechanism that uses Sign/Verify APIs to generate/verify an HOTP using a CKK_HOTP key object as the HOTP token state.

Checklist

  • Test suite updated
  • Rustdoc string were added or updated
  • CHANGELOG and/or other documentation added or updated
  • This is not a code change

Reviewer's checklist:

  • Any issues marked for closing are fully addressed
  • There is a test suite reasonably covering new functionality or modifications
  • This feature/change has adequate documentation added
  • A changelog entry is added if the change is significant
  • Code conform to coding style that today cannot yet be enforced via the check style test
  • Commits have short titles and sensible text
  • Doc string are properly updated

simo5 added 2 commits June 5, 2026 15:28
@simo5
Add OTP key object factory and attributes
1480d10 
Introduce the `OTPKeyFactory` trait and implement handling for `CKO_OTP_KEY`
objects. This adds support for One-Time Password keys by defining their
specific PKCS#11 attributes and applying standard key protections (e.g.,
sensitivity and extractability defaults) similar to private and secret keys.

Assisted-by: Gemini <gemini@google.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
@simo5
Implement HOTP mechanism
46501ee 
This introduces support for the HMAC-based One-Time Password (HOTP) mechanism
behind a new `hotp` feature flag. It implements `CKM_HOTP_KEY_GEN` for key
generation and `CKM_HOTP` for generating and verifying OTP signatures.

To support the stateful nature of HOTP keys, which require incrementing a
counter (`CKA_OTP_COUNTER`) upon usage, a new `updates_object` method is added
to the `Sign` and `Verify` traits. This allows mechanisms to request attribute
updates on the underlying token objects after an operation completes.
Integration tests are also added to ensure correct generation, verification,
and look-ahead functionality.

Assisted-by: Gemini <gemini@google.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
@simo5 simo5 requested a review from Jakuje June 16, 2026 18:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Jakuje Jakuje Awaiting requested review from Jakuje

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@simo5