Big change in mozilla-crypto@mozilla.org mailing list

[mozilla-crypto-admin]

The mozilla-crypto mailing list has just undergone a big change.  It
is running on a new mailing list package called Mailman.  This will
hopefully solve a lot of problems that administering this list has
presented.

How does this affect you?

1) Mail intended for the whole list should be sent to:
[EMAIL PROTECTED]

2) You have been given an arbitrary password to prevent others from
unsubscribing you without your knowledge.  It will be mailed to you in
a separate email, which you may have already received.  Don't worry if
you forget this password; a reminder will be sent to you via email
every month.

3) If you have World Wide Web access, you can use it any time to
unsubscribe from this list, to switch to and from digest mode, to
check back issues of the list (which will be available after the list
has been getting posts for a day or so), etc.  The Web address for
these resources is:

http://mail.mozilla.org/listinfo/mozilla-crypto

4) If you do not have WWW access, you can do these same things via
email.  Send mail to [EMAIL PROTECTED] with a subject
or body containing just the word help (without the quotes).  You
will receive an automated reply giving you further directions.

Please address any questions or problems with this new setup to:
[EMAIL PROTECTED]

This message was auto-generated by Mailman 2.0.13.  For more
information on the Mailman software, visit the Mailman homepage at
http://www.list.org/

Re: NSS PKCS#11 Module

[liupeng]

Thanks for Julien Pierre answer!

I want to do a low-level RSA encrypt for my proprietary application and I
use smart card (gd spk) as my hardware device(Both the public key and the
private key stored in smartcard).Before I use nss for my proprietary
application,I use pkcs11 hardware module directly.
I want to use public key to encrypt some my proprietary data,and use pkcs1.5
padding mode(CKM_RSA_PKCS).Later I use the corresponding private key to
decrypt it.(Maybe I also use the private key to sign some data and use
publickey to verify the signature.)
But it seems function PK11_PubEncryptRaw use CKM_X509 mode,and I don't know
the detail implementation of pkcs1.5 padding mode.Does nss support any
function to do this?
Does the function PK11_CipherOp seems can do this?If it can do,how do I
generate a PK11Context pass to function.

Thanks a lot.

LiuPeng



___
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto

Re: NSS PKCS#11 Module

[Julien Pierre]

LiuPeng,

liupeng wrote:
Thanks for Julien Pierre answer!

I want to do a low-level RSA encrypt for my proprietary application and I
use smart card (gd spk) as my hardware device(Both the public key and the
private key stored in smartcard).
Firstable, to do an RSA encrypt using a public key, you don't really 
need to actually perform the operation on the smartcard. If you imported 
the public key into your hardware token, and use the resulting public 
key handle of that token key for the operations, NSS will first try to 
perform the operations on the smartcard's PKCS#11 module. If that fails, 
it will then fallback to doing it in software using softokn.

Before I use nss for my proprietary
application,I use pkcs11 hardware module directly.
I want to use public key to encrypt some my proprietary data,and use pkcs1.5
padding mode(CKM_RSA_PKCS).Later I use the corresponding private key to
decrypt it.(Maybe I also use the private key to sign some data and use
publickey to verify the signature.)
But it seems function PK11_PubEncryptRaw use CKM_X509 mode,and I don't know
the detail implementation of pkcs1.5 padding mode.Does nss support any
function to do this?

Does the function PK11_CipherOp seems can do this?If it can do,how do I
generate a PK11Context pass to function.
PK11_CipherOp only works for bulk (symmetric) ciphers. You can't use it 
for RSA public key ops .

After much questioning of other team members, we have come to the 
conclusion that there is no function today in NSS that directly does 
what you want. We only use RSA encryption and decryption to wrap and 
unwrap symmetric keys (such as for SSL and S/MIME), but not for actual 
application data, and therefore we didn't provide a function to encrypt 
and decrypt data using RSA. If you are using RSA to encrypt a symmetric 
key, then you can use the function called PK11_PubWrapSymKey .

Pass it CKM_RSA_PKCS, the handle to your public key on your token, the 
handle to a symmetric key, and a SECItem* which will contain the wrapped 
(encrypted) key.

If what you are encrypting with RSA is not a symmetric key, what you can 
do is create a dummy symmetric key from the data you want to encrypt 
with RSA. Use PK11_ImportSymKey to import your symkey (actually your 
data to encrypt) . The key data will be in a SECItem structure which 
simply contains a void* and a length. I think you can use a 
CK_MECHANISM_TYPE of CKM_GENERIC_SECRET_KEY_GEN and a PK11Origin try 
PK11_OriginGenerated .

You can destroy the fake symmetric key using PK11_FreeSymKey after you 
are doing encrypting.

___
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto