On 07/30/2013 05:34 PM, John wrote:
> Thank you.
>
> FIPS is not enabled so PK11_ImportSymKeyWithFlags() works for me. However
> I'm unable to export the imported key using PK11_ExtractKeyValue() and
> PK11_GetKeyData(). I suspect this is by design - keys are protected from
> being exported?
Keys that are marked CKA_EXTRACTABLE = PR_FALSE aren't exportable. I suspect that symkeys are marked that way by default.

It's a really bad idea to use raw keys (both import and export), so we don't make it easy. Your best bet is to at least wrap the keys you are trying to export out using PK11_WrapSymKey(). Then use the corresponding Unwrap to take the keys back out.

At this point I usually ask, what is it you are trying to do? Usually when I see someone trying to import or export keyblobs, they are coding at the wrong level and we should be pushing more of whatever protocol you are running into NSS.

> As a workaround, I have tried importing the key using
> PK11_CreateGenericObject() instead, as shown below.
>
> However PK11_CreateGenericObject() failed to create the object, and
> PORT_GetError() returned -8018 (SEC_ERROR_UNKNOWN_PKCS11_ERROR).
>
> Am I missing something?

It depends on the template. When you call PK11_CreateGenericObject(), you are responsible for your own template. NSS doesn't map all the PKCS #11 errors (particularly template errors, since normally only NSS creates templates).





--
View this message in context: 
http://mozilla.6506.n7.nabble.com/Importing-a-symmetic-key-into-NSS-database-tp286642p286742.html
Sent from the Mozilla - Cryptography mailing list archive at Nabble.com.



-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
