I have to implement a custom key derivation function which basically works as follows:
I have an encryption key K in the secure container of an HSM. K can't be exported, and the only way to use it is through an HSM command or a PKCS#11 function.
The derived key DK is the output of encrypting data with key K, so DK = E(data, K).
My problem is that when I implement this function through commands or a PKCS#11 function, I will get the clear text of DK outside of the HSM secure container. I need to secure the key so it never leaves the secure container.
Is it possible to implement custom functions, such as my derivation function, inside the secure container of an HSM so the output could be secured as a cryptographic key? How can I do it without getting the clear-text output of DK?