I'll try wrapping the key and see if that helps. Thanks!

-----Original Message-----
From: Robert Relyea [mailto:[email protected]] 
Sent: Wednesday, March 16, 2011 1:45 AM
To: Gil Bahat
Cc: mozilla's crypto code discussion list
Subject: Re: Need assistance - how can pwspec write key length be 0 after the 
client key exchange?

On 03/15/2011 04:06 PM, Gil Bahat wrote:
> With regards to sending the key as plaintext - that's just in the interim, 
> once I get that successfully done I will write the code to encrypt it. 
> Besides, before I can wrap the key, I'd still need to pass the raw 
> representation as a parameter, so I'm trying to get that first.
>
> With regards to key access - what would be the right way to do it then? I 
> want to reliably access the session key and then dump it as soon as I don't 
> need it. 
You need to design some way to get a key from the firewall securely.
There are a number of ways of doing this (including connecting to the
firewall with SSL and deriving a wrapping key from the master secret,
creating an RSA key pair on the firewall and passing the public key to
the SSL client [the easiest way to do this is with a certificate]).

This looks like a class research project, so I'll leave it to you to
figure out which to choose.

NSS provides some primitives which take a PK11_SymKey handle and
return a wrapped key:

PK11_WrapSymKey() takes two symkeys, one which you can use for wrapping,
the other which will be wrapped.
PK11_PubWrapSymKey() takes a public key and a symkey. It will wrap the
symkey with the public key.
PK11_Derive() returns a new symkey from some base key. Derive allows you
to manipulate the base key according to some standard protocols
without actually seeing the base key. (This is how SSL gets its list of
keys from the master secret, or how it gets the master secret from the
pre-master secret).

PK11_UnwrapSymKey() takes a symkey and some wrapped data and returns the
unwrapped symkey.
PK11_PubUnwrapSymKey() takes a private key and wrapped data and returns
the unwrapped symkey.

You can find the list in nss/security/lib/pk11wrap/pk11pub.h (or on
linux with nss-devel installed in /usr/include/nss3/pk11pub.h).

> On a somewhat related note, I don't think I understand the purpose of this 
> code snippet from ssl3con then:
>
> pwSpec->client.write_key =
>               PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive,
>                    bulk_mechanism, returnedKeys.hClientKey, PR_TRUE, pwArg);
>
> shouldn't this set some form of value to pwSpec->client.write_key - plaintext 
> or encrypted? Why would I get nulls when accessing this data structure?
This is a data structure that contains a location (slot), and a handle.
The actual key is stored in the token. You were trying to access
write_key_item, which is a different data structure which is used by
servers when we need to get good benchmarks;).

bob


-- 
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
