1--TEST-- 2Derive using X25519 3--SKIPIF-- 4<?php 5 6require_once 'require-userpin-login.skipif.inc'; 7 8if (!in_array(Pkcs11\CKM_ECDH1_DERIVE, $module->getMechanismList((int)getenv('PHP11_SLOT')))) { 9 echo 'skip: CKM_ECDH1_DERIVE not supported '; 10} 11 12if (!in_array(Pkcs11\CKM_EC_EDWARDS_KEY_PAIR_GEN, $module->getMechanismList((int)getenv('PHP11_SLOT')))) { 13 echo 'skip: CKM_EC_EDWARDS_KEY_PAIR_GEN not supported '; 14} 15 16require_once 'require-generate-key-pair.skipif.inc'; 17 18?> 19--FILE-- 20<?php 21 22declare(strict_types=1); 23 24$module = new Pkcs11\Module(getenv('PHP11_MODULE')); 25$session = $module->openSession((int)getenv('PHP11_SLOT'), Pkcs11\CKF_RW_SESSION); 26$session->login(Pkcs11\CKU_USER, getenv('PHP11_PIN')); 27 28$domainParameters = hex2bin('06032B656E'); // X25519 29$rawPublickeyOther = hex2bin('0420715bbc7a82f99613f23580cdf87e0ff179524201fdad7d7d389529e6cb0ad25c'); 30 31// SoftHSMv2 uses CKM_EC_EDWARDS_KEY_PAIR_GEN instead of CKM_EC_MONTGOMERY_KEY_PAIR_GEN 32$keypair = $session->generateKeyPair(new Pkcs11\Mechanism(Pkcs11\CKM_EC_EDWARDS_KEY_PAIR_GEN), [ 33 Pkcs11\CKA_LABEL => "Test X25519 Public", 34 Pkcs11\CKA_EC_PARAMS => $domainParameters, 35],[ 36 Pkcs11\CKA_TOKEN => false, 37 Pkcs11\CKA_PRIVATE => true, 38 Pkcs11\CKA_SENSITIVE => true, 39 Pkcs11\CKA_DERIVE => true, 40 Pkcs11\CKA_LABEL => "Test X25519 Private", 41]); 42 43var_dump(bin2hex($keypair->pkey->getAttributeValue([ 44 Pkcs11\CKA_EC_POINT, 45])[Pkcs11\CKA_EC_POINT])); 46 47$shared = ''; 48 49// SoftHSM2 only supports CKD_NULL 50$params = new Pkcs11\Ecdh1DeriveParams(Pkcs11\CKD_NULL, $shared, $rawPublickeyOther); 51$mechanism = new Pkcs11\Mechanism(Pkcs11\CKM_ECDH1_DERIVE, $params); 52$secret = $keypair->skey->derive($mechanism, [ 53 Pkcs11\CKA_TOKEN => false, 54 Pkcs11\CKA_CLASS => Pkcs11\CKO_SECRET_KEY, 55 Pkcs11\CKA_KEY_TYPE => Pkcs11\CKK_AES, 56 Pkcs11\CKA_SENSITIVE => false, 57 Pkcs11\CKA_EXTRACTABLE => true, 58 Pkcs11\CKA_ENCRYPT => true, 59 Pkcs11\CKA_DECRYPT => true, 60]); 61 62var_dump(bin2hex($secret->getAttributeValue([ 63 Pkcs11\CKA_VALUE, 64])[Pkcs11\CKA_VALUE])); 65 66$iv = random_bytes(16); 67$data = 'Hello World!'; 68$mechanism = new Pkcs11\Mechanism(Pkcs11\CKM_AES_CBC_PAD, $iv); 69$ciphertext = $secret->encrypt($mechanism, $data); 70var_dump(bin2hex($ciphertext)); 71 72$session->logout(); 73 74?> 75--EXPECTF-- 76string(68) "%x" 77string(64) "%x" 78string(32) "%x" 79