LiuPeng,
liupeng wrote:
Thanks for Julien Pierre answer!
I want to do a low-level RSA encrypt for my proprietary application and I
use smart card (gd spk) as my hardware device(Both the public key and the
private key stored in smartcard).
Firstable, to do an RSA encrypt using a public key, you don't really
need to actually perform the operation on the smartcard. If you imported
the public key into your hardware token, and use the resulting public
key handle of that token key for the operations, NSS will first try to
perform the operations on the smartcard's PKCS#11 module. If that fails,
it will then fallback to doing it in software using softokn.
Before I use nss for my proprietary
application,I use pkcs11 hardware module directly.
I want to use public key to encrypt some my proprietary data,and use pkcs1.5
padding mode(CKM_RSA_PKCS).Later I use the corresponding private key to
decrypt it.(Maybe I also use the private key to sign some data and use
publickey to verify the signature.)
But it seems function PK11_PubEncryptRaw use CKM_X509 mode,and I don't know
the detail implementation of pkcs1.5 padding mode.Does nss support any
function to do this?
Does the function PK11_CipherOp seems can do this?If it can do,how do I
generate a PK11Context pass to function.
PK11_CipherOp only works for bulk (symmetric) ciphers. You can't use it
for RSA public key ops .
After much questioning of other team members, we have come to the
conclusion that there is no function today in NSS that directly does
what you want. We only use RSA encryption and decryption to wrap and
unwrap symmetric keys (such as for SSL and S/MIME), but not for actual
application data, and therefore we didn't provide a function to encrypt
and decrypt data using RSA. If you are using RSA to encrypt a symmetric
key, then you can use the function called PK11_PubWrapSymKey .
Pass it CKM_RSA_PKCS, the handle to your public key on your token, the
handle to a symmetric key, and a SECItem* which will contain the wrapped
(encrypted) key.
If what you are encrypting with RSA is not a symmetric key, what you can
do is create a dummy symmetric key from the data you want to encrypt
with RSA. Use PK11_ImportSymKey to import your symkey (actually your
data to encrypt) . The key data will be in a SECItem structure which
simply contains a void* and a length. I think you can use a
CK_MECHANISM_TYPE of CKM_GENERIC_SECRET_KEY_GEN and a PK11Origin try
PK11_OriginGenerated .
You can destroy the fake symmetric key using PK11_FreeSymKey after you
are doing encrypting.
___
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto