awslabs · DmitriyMusatkin · Oct 29, 2025 · Oct 29, 2025 · Oct 29, 2025 · Oct 29, 2025
diff --git a/crt/aws-c-cal b/crt/aws-c-cal
diff --git a/include/aws/crt/crypto/HKDF.h b/include/aws/crt/crypto/HKDF.h
@@ -0,0 +1,28 @@
+#pragma once
+/**
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0.
+ */
+#include <aws/crt/Exports.h>
+#include <aws/crt/Types.h>
+
+namespace Aws
+{
+    namespace Crt
+    {
+        namespace Crypto
+        {
+            /**
+             * Derives an SHA256 HMAC HKDF using the default allocator and writes it to out.
+             * If this function fails, Aws::Crt::LastError() will contain the error that occurred.
+             */
+            bool AWS_CRT_CPP_API DeriveSHA512HMACHKDF(
+                Allocator *allocator,
+                ByteCursor ikm,
+                ByteCursor salt,
+                ByteCursor info,
+                ByteBuf &out,
+                size_t length) noexcept;
+        } // namespace Crypto
+    } // namespace Crt
+} // namespace Aws
diff --git a/include/aws/crt/crypto/HMAC.h b/include/aws/crt/crypto/HMAC.h
@@ -144,7 +144,7 @@ namespace Aws
 
                 /**
                  * Complete the HMAC computation and write the final digest to output.
-                 * This cannote be called more than once.
+                 * This cannot be called more than once.
                  * If truncate_to is something other than 0, the output must be truncated to that number of bytes.
                  * Raise an AWS error and return false to indicate failure.
                  */

diff --git a/source/crypto/HKDF.cpp b/source/crypto/HKDF.cpp
@@ -0,0 +1,27 @@
+/**
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0.
+ */
+#include <aws/crt/crypto/HKDF.h>
+
+#include <aws/cal/hkdf.h>
+
+namespace Aws
+{
+    namespace Crt
+    {
+        namespace Crypto
+        {
+            bool DeriveSHA512HMACHKDF(
+                Allocator *allocator,
+                ByteCursor ikm,
+                ByteCursor salt,
+                ByteCursor info,
+                ByteBuf &out,
+                size_t length) noexcept
+            {
+                return aws_hkdf_derive(allocator, HKDF_HMAC_SHA512, ikm, salt, info, &out, length) == AWS_OP_SUCCESS;
+            }
+        } // namespace Crypto
+    } // namespace Crt
+} // namespace Aws
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
@@ -318,6 +318,10 @@ add_test_case(CborSanityTest)
 add_test_case(CborTimeStampTest)
 add_test_case(CborLastErrorTest)
 
+if (NOT BYO_CRYPTO) 
+    add_test_case(HKDFPiping)
+endif()
+
 generate_cpp_test_driver(${TEST_BINARY_NAME})
 
 aws_add_sanitizers(${TEST_BINARY_NAME})

diff --git a/tests/HKDFTest.cpp b/tests/HKDFTest.cpp
@@ -0,0 +1,36 @@
+/**
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0.
+ */
+#include <aws/crt/Api.h>
+#include <aws/crt/crypto/HKDF.h>
+#include <aws/testing/aws_test_harness.h>
+
+static int s_TestHKDFPiping(struct aws_allocator *allocator, void *)
+{
+    Aws::Crt::ApiHandle apiHandle(allocator);
+
+    uint8_t ikm[] = {0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+                     0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b};
+    Aws::Crt::ByteCursor ikm_cur = aws_byte_cursor_from_array(ikm, sizeof(ikm));
+
+    uint8_t salt[] = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c};
+    Aws::Crt::ByteCursor salt_cur = aws_byte_cursor_from_array(salt, sizeof(salt));
+
+    uint8_t info[] = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9};
+    Aws::Crt::ByteCursor info_cur = aws_byte_cursor_from_array(info, sizeof(info));
+
+    uint8_t output[64] = {0};
+    Aws::Crt::ByteBuf ret = Aws::Crt::ByteBufFromEmptyArray(output, sizeof(output));
+
+    ASSERT_TRUE(Aws::Crt::Crypto::DeriveSHA512HMACHKDF(allocator, ikm_cur, salt_cur, info_cur, ret, 42));
+
+    uint8_t expected[] = {0x83, 0x23, 0x90, 0x08, 0x6c, 0xda, 0x71, 0xfb, 0x47, 0x62, 0x5b, 0xb5, 0xce, 0xb1,
+                          0x68, 0xe4, 0xc8, 0xe2, 0x6a, 0x1a, 0x16, 0xed, 0x34, 0xd9, 0xfc, 0x7f, 0xe9, 0x2c,
+                          0x14, 0x81, 0x57, 0x93, 0x38, 0xda, 0x36, 0x2c, 0xb8, 0xd9, 0xf9, 0x25, 0xd7, 0xcb};
+
+    ASSERT_BIN_ARRAYS_EQUALS(ret.buffer, ret.len, expected, sizeof(expected));
+
+    return AWS_OP_SUCCESS;
+}
+AWS_TEST_CASE(HKDFPiping, s_TestHKDFPiping)
+32 −0		.github/workflows/codecov.yml
+4 −0		CMakeLists.txt
+35 −0		include/aws/cal/ecc.h
+1 −1		include/aws/cal/hash.h
+55 −0		include/aws/cal/hkdf.h
+34 −0		include/aws/cal/hmac.h
+43 −0		include/aws/cal/private/der.h
+8 −2		include/aws/cal/private/ecc.h
+24 −4		source/darwin/commoncrypto_hmac.c
+1 −0		source/darwin/commoncrypto_sha256.c
+51 −1		source/der.c
+824 −57		source/ecc.c
+61 −0		source/hkdf.c
+40 −0		source/hmac.c
+150 −0		source/shared/ref_hkdf.c
+86 −0		source/unix/openssl_hkdf.c
+75 −57		source/unix/opensslcrypto_ecc.c
+40 −5		source/unix/opensslcrypto_hmac.c
+4 −25		source/windows/bcrypt_ecc.c
+65 −6		source/windows/bcrypt_hmac.c
+22 −0		tests/CMakeLists.txt
+50 −2		tests/der_test.c
+182 −11		tests/ecc_test.c
+152 −0		tests/hkdf_test.c
+354 −0		tests/sha512_hmac_test.c