Encrypting with a simple symmetric key - how?

Sat, 20 Sep 2014 14:02:13 -0700 

Hi all,

I am currently trying to get some code working that will ultimately encrypt 
video for HLS. In this case the key is supplied over an out-of-band secure 
channel to the client by the protocol.

>From trawling the net I found this message which describes what I am trying to 
>do, and the problem that NSS throws up while doing it - in order to use key 
>material directly in FIPS mode you need to encrypt the symmetric key and then 
>unwrap that key, you cannot use the key directly: 
>http://permalink.gmane.org/gmane.comp.mozilla.crypto/7947

Examples of how to do this are very thin on the ground, and I’m properly stuck 
- can anyone cast their eyes over this code and point out where I have gone 
wrong?

    /* generate the key */
    slot = PK11_GetBestSlot(key->cipherMech, NULL);
    if (slot) {
        unsigned char data[BUFFER_SIZE];

        /* get the key length */
        len = PK11_GetBestKeyLength(slot, key->cipherMech);

        /* sanity check - key correct size? */
        if (secretLen != len) {
            PK11_FreeSlot(slot);
            return APR_EKEYLENGTH;
        }

        /* prepare a space for the wrapped key */
        wrappedItem.len = len;
        wrappedItem.data = data;

        tslot = PK11_GetBestSlot(CKM_AES_CBC, NULL);
        if (tslot) {

            /* generate a temporary wrapping key */
            tkey = PK11_KeyGen(tslot, CKM_AES_CBC, 0,
                    PK11_GetBestKeyLength(tslot, CKM_AES_CBC), 0);

            /* prepare the key to wrap */
            secretItem.data = (unsigned char *) secret;
            secretItem.len = secretLen;

            /* wrap the key */
            secParam = PK11_GenerateNewParam(CKM_AES_CBC, tkey);
            ctx = PK11_CreateContextBySymKey(CKM_AES_CBC, CKA_ENCRYPT, tkey,
                    secParam);
            if (ctx) {
                s = PK11_CipherOp(ctx, wrappedItem.data,
                        (int *) (&wrappedItem.len), BUFFER_SIZE,
                        secretItem.data, secretItem.len);
                if (s == SECSuccess) {

                    /* unwrap the key again */
                    key->symKey = PK11_UnwrapSymKeyWithFlagsPerm(tkey,
                            CKM_AES_CBC, NULL, &wrappedItem,
                            key->cipherMech, CKA_UNWRAP, len, 0, PR_TRUE);

// FAIL: NULL is returned, and the error is SEC_ERROR_NO_MEMORY

                }

                PK11_DestroyContext(ctx, PR_TRUE);
            }

            /* clean up */
            PK11_FreeSymKey(tkey);
            PK11_FreeSlot(tslot);

        }

        PK11_FreeSlot(slot);
    }

Regards,
Graham
—

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Reply via email to