On 03/07/2014 07:02 AM, Leon Brits wrote: > Hi, > > We have a security device which is used via cryptoki (PKCS#11) to perform > cryptographic operations such as sign/verify and en/decrypt of emails. > Sign works via our device while Verify and Encrypt is done by the PC. Our > problem is with Decrypt: We never get a 'DecryptFinal()' function call. From > the debug log I can see that the DecryptInit() function is called and > successfully exits. Next a DecryptUpdate() is called and all the data is send > to our device with APDU and even this finishes successful. Next > C_CloseSession() is called instead of DecryptFinal() first. Am I wrong to > expect this? Hmm. This is interesting, I would have expected NSS to do a C_DecryptInit() followed by a C_Decrypt(). I'm assuming we are talking about an RSA operation here and not an symetric key operation like AES or DES.
Yes, I just checked. We we are unwrapping a key (which is what the logical function RSA Decrypt supports), We check to see if the token support unwrap with the target mechanism. If it does we use unwrap (and the key winds up in the token). If the token does not support unwrap, but it does support decrypt, we call our 'handunwrap' routine with decrypts the key and then inserts the decrypted in into an appropriate token. The decrypt happens with the following sequence: C_CreateSession() C_DecryptInit() C_Decrypt() C_CloseSession() I wonder if your token is mapping C_Decrypt to C_DecryptUpdate ? (See pk11_handUnwrap() in nss/lib/pk11wrap/pk11skey.c) bob > > Please help > Regards, > LJB > >
smime.p7s
Description: S/MIME Cryptographic Signature
-- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
