Hi all, I am currently trying to get some code working that will ultimately encrypt video for HLS. In this case the key is supplied over an out-of-band secure channel to the client by the protocol.
>From trawling the net I found this message which describes what I am trying to >do, and the problem that NSS throws up while doing it - in order to use key >material directly in FIPS mode you need to encrypt the symmetric key and then >unwrap that key, you cannot use the key directly: >http://permalink.gmane.org/gmane.comp.mozilla.crypto/7947 Examples of how to do this are very thin on the ground, and I’m properly stuck - can anyone cast their eyes over this code and point out where I have gone wrong? /* generate the key */ slot = PK11_GetBestSlot(key->cipherMech, NULL); if (slot) { unsigned char data[BUFFER_SIZE]; /* get the key length */ len = PK11_GetBestKeyLength(slot, key->cipherMech); /* sanity check - key correct size? */ if (secretLen != len) { PK11_FreeSlot(slot); return APR_EKEYLENGTH; } /* prepare a space for the wrapped key */ wrappedItem.len = len; wrappedItem.data = data; tslot = PK11_GetBestSlot(CKM_AES_CBC, NULL); if (tslot) { /* generate a temporary wrapping key */ tkey = PK11_KeyGen(tslot, CKM_AES_CBC, 0, PK11_GetBestKeyLength(tslot, CKM_AES_CBC), 0); /* prepare the key to wrap */ secretItem.data = (unsigned char *) secret; secretItem.len = secretLen; /* wrap the key */ secParam = PK11_GenerateNewParam(CKM_AES_CBC, tkey); ctx = PK11_CreateContextBySymKey(CKM_AES_CBC, CKA_ENCRYPT, tkey, secParam); if (ctx) { s = PK11_CipherOp(ctx, wrappedItem.data, (int *) (&wrappedItem.len), BUFFER_SIZE, secretItem.data, secretItem.len); if (s == SECSuccess) { /* unwrap the key again */ key->symKey = PK11_UnwrapSymKeyWithFlagsPerm(tkey, CKM_AES_CBC, NULL, &wrappedItem, key->cipherMech, CKA_UNWRAP, len, 0, PR_TRUE); // FAIL: NULL is returned, and the error is SEC_ERROR_NO_MEMORY } PK11_DestroyContext(ctx, PR_TRUE); } /* clean up */ PK11_FreeSymKey(tkey); PK11_FreeSlot(tslot); } PK11_FreeSlot(slot); } Regards, Graham — -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto