I'm trying to understand why the PK11_Derive call:

    CK_OBJECT_HANDLE key_handle = PK11_GetSymKeyHandle(key);
    SECItem key_param = {
        .data = (unsigned char*)&key_handle,
        .len = sizeof(key_handle)
    };
    CK_ATTRIBUTE_TYPE operation = CKA_DERIVE;
    int key_size = 0;
    PK11SymKey *result = PK11_Derive(base_key,
CKM_CONCATENATE_BASE_AND_KEY, &key_param, CKM_MD5_KEY_DERIVATION,
                     operation, key_size);

works when "key" came from CKM_DH_PKCS_DERIVE but fails when the key
came from (CKM_ECDH1_DERIVE,CKD_NULL).  Debugging suggests that the
operation is rejected in lib/softoken/pkcs11c.c by the code:

            att2 = sftk_FindAttribute(newKey, CKA_VALUE);
            if (att2 == NULL) {
                sftk_FreeObject(newKey);
                crv = CKR_KEY_HANDLE_INVALID;
                break;
            }

I've found a work-around is to first CKM_EXTRACT_KEY_FROM_KEY and then
use that :-/

Is this expected?  And is there a clean way to detect a key like ECDH
that will cause problems.

Andrew
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Reply via email to