[openssl-users] AES-CMAC digest with EVP

Dr. Stephen Henson steve at openssl.org
Thu Aug 31 12:27:46 UTC 2017

On Wed, Aug 30, 2017, Daniel Andrade wrote:

> Hello,
> I have two buffers, one with a key and one with some data. The
> objective is to calculate the AES-CMAC of the data with this key. I
> managed to compute the AES-CMAC using type `EVP_aes_128_cbc()` with
> the low-level interface:
> 1. CMAC_CTX *ctx = CMAC_CTX_new()
> 2. CMAC_Init
> 3. CMAC_Update
> 4. CMAC_Final
> 5. CMAC_CTX_free
> Can this be done with the high-level EVP interface?
> The EVP_DigestSign* set of functions expects a type EVP_MD, but
> EVP_aes_128_cbc() is of type EVP_CIPHER.

Yes it is possible. One way is to create a new key using
EVP_PKEY_new_mac_key() with type EVP_PKEY_CMAC. You pass that key to
EVP_DigestSign*() with the digest set to NULL. You then have to set the cipher
to use with the EVP_PKEY_CTRL_CIPHER ctrl (unfortunately there is currently no
macro for this).

Then calling EVP_DigestSignUpdate() and EVP_DigestSignaFinal() should work in
the usual way and produce the correct CMAC.

Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

More information about the openssl-users mailing list