DES3-CMAC

DES3-CMAC, denoted CKM_DAES3_CMAC, is a special case of the general-length DES3-CMAC mechanism. DES3-MAC always produces and verifies MACs that are a full block size in length, since the DES3 block lenth is the minimum output length recommended by [NIST sp800-38b].

Constraints on key types and the length of data are summarized in the following table:

Table 254, DAES3-CMAC: Key And Data Length
Function Key type Data length Signature length

C_Sign CKK_DES3CKK_DES2 any Block size (8 bytes)

C_Verify CKK_DES3CKK_DES2 any Block size (8 bytes)

For this mechanism, the ulMinKeySize and ulMaxKeySize fields of the CK_MECHANISM_INFO structure are not used.

RSA Security Inc. Public-Key Cryptography Standards - PKCS#11 - v230

Function	Key type	Data length	Signature length
C_Sign	CKK_DES3CKK_DES2	any	Block size (8 bytes)
C_Verify	CKK_DES3CKK_DES2	any	Block size (8 bytes)