On 03/13/2014 05:12 AM, Leon Brits wrote:
> Robert,
>
> Attached is a log of the backtrace when I try to use Thunderbird to decrypt
> an email. As you can see in the log it reaches C_DecryptUpdate(), but then
> asserts at cmscipher.c:452.

I don't see the attachment. Did you forget, or did the mailing list strip it?

> Now we use OpenSSL to perform these cryptographic operations and if you give
> its DecryptUpdate() function exactly (N * blocksize) of data then it will
> keep 1 block back waiting for either a DecryptUpdate() with more data or a
> DecryptFinal() at which stage it will return the plaintext of that last block.

cmscipher does call DecryptUpdate, but for the symmetric portion, not the asymmetric portion. We were talking about key unwrapping/decrypt in RSA. This is clearly a symmetric operation (DES3 or AES or something).

Looks like you are trying to use a PAD mechanism when NSS requested a CBC mechanism. In the CBC mechanism NSS will always ask for even number of blocks and expect to get back all the blocks. In the PAD mechanism, the PKCS #11 module needs to hold back one block in order to handle padding correctly.

> So what I think is happening here is that you call DecryptUpdate() with data
> which falls on the blocksize boundary and OpenSSL buffers the last blocksize of
> data and you expect everything back and therefore asserts. My question then
> is why do you call DecryptUpdate() here. A Decrypt() would solve my problem.

Can't call decrypt here, because I probably have more blocks coming. This is encrypting the email message, so it's streaming.

The fundamental issue here is you are probably trying to do more than you need to if you just want a signing/decryption token. You don't need to implement the symmetric algorithms, so if you just implement decrypt (rather than unwrap), NSS will use its internal implementation to do the symmetric operations. If you are trying to build a full replacement (because you are managing the keys in your token or something), then you need to return all the blocks requested when doing a CBC operation (rather than a CBC_PAD operation).

bob

> Thanks for your time!
> Regards,
> LJB
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
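The CBC versus CBC_PAD buffering contract discussed in this message, as an added example that is not part of the original thread and is not NSS, OpenSSL or PKCS #11 module code. `DecryptSession`, `cbc_encrypt`, the key, IV and plaintext are hypothetical and constructed, and the block "cipher" is a plain XOR stand-in so the model runs without a crypto library.

```python
BLOCK = 8  # block size in bytes (DES3-sized); constructed for this demo

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Builds sample ciphertext. The 'cipher' is XOR with the key: a stand-in, NOT secure."""
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        prev = xor(xor(data[i:i + BLOCK], prev), key)
        out += prev
    return out

class DecryptSession:
    """Hypothetical model of a token's C_DecryptUpdate/C_DecryptFinal buffering."""

    def __init__(self, key: bytes, iv: bytes, pad: bool):
        self.key, self.prev, self.pad, self.buf = key, iv, pad, b""

    def _blocks(self, data: bytes) -> bytes:
        out = b""
        for i in range(0, len(data), BLOCK):
            c = data[i:i + BLOCK]
            out += xor(xor(c, self.key), self.prev)  # D(c) XOR previous ciphertext block
            self.prev = c
        return out

    def update(self, data: bytes) -> bytes:
        self.buf += data
        ready = len(self.buf) - len(self.buf) % BLOCK
        if self.pad and ready and ready == len(self.buf):
            ready -= BLOCK  # CBC_PAD: this block may be the padded last one, keep it
        chunk, self.buf = self.buf[:ready], self.buf[ready:]
        return self._blocks(chunk)  # plain CBC: every whole block comes back now

    def final(self) -> bytes:
        if not self.pad:
            if self.buf:
                raise ValueError("CBC input was not a whole number of blocks")
            return b""
        if len(self.buf) != BLOCK:
            raise ValueError("CBC_PAD needs exactly one held-back block at final")
        last, self.buf = self._blocks(self.buf), b""
        n = last[-1]
        if not 1 <= n <= BLOCK or last[-n:] != bytes([n]) * n:
            raise ValueError("bad padding")
        return last[:-n]

KEY, IV = b"K" * BLOCK, b"\x00" * BLOCK   # constructed values
PLAIN = b"three blocks of text...."        # 24 bytes = 3 blocks
CT = cbc_encrypt(KEY, IV, PLAIN)           # block-aligned input, as a CBC caller sends
```

With `pad=False` the session returns all 24 bytes from one `update()`, which is what a caller of the CBC mechanism expects; with `pad=True` the same call returns only 16, the shortfall described in the thread.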