What's happening is that it does a test RSA decrypt of (perversely) a
1008 bit key, and it's looking to see if you decrypt it right.
Sometimes they do 1024, sometimes they do 1008. So you need to decrypt
in the C_Verify with the public key they created with the CreateObject.

Bob Relyea wrote:
>
> pfnus wrote:
>
> > Hi Robert,
> > my situation now is like this;
> >
> > There is no keypair yet in my token, also no certificate yet. Whenever
> > I try to go to a secure website (https), C_CreateObject will get
> > called, followed by C_VerifyRecoverInit, then C_VerifyRecover and
> > C_DestroyObject. A public key template is passed in by Communicator
> > during C_CreateObject. I am confused about a couple of things that happened
> > here; I guessed that the secure website is presenting a certificate to
> > NC, and the public key is extracted by NC, and then a public key
> > template is passed in to C_CreateObject. Then C_VerifyRecoverxxx is
> > called to verify the certificate's signature. Am I right at this
> > point?
>
> Hmmm, something just isn't getting interpreted right here. I know why
> the calls are being made -- you have selected 'RSA' as part of the
> configuration for your token. You really only want to do this if you are
> running a hardware accelerator. If you just have a smart card, do not
> set the RSA flag on your token. NSS is perfectly capable of
> determining that you can do RSA operations; the bit tells NSS that your
> token should be used for *all* RSA operations.
>
> That still doesn't answer the mystery of why you are getting bad
> Attribute data, though.
>
> >
> > Question: Why is the public key modulus always the same, with a length
> > of 126 bytes (including a leading '0' byte), no matter which https site
> > I go to? I am pretty much confused here,
> > any ideas what had happened?
>
> There is something really weird with your setup. I can picture a bug in
> our system where for some reason we are building bad moduli during
> key gen, but Communicator would be completely broken if it kept
> extracting 126 byte moduli from certificates. My best guess at this
> point is there is some sort of packing problem with your data structures
> and you and Communicator can't agree on where the length value is
> supposed to go.
>
> Again, I'd suggest grabbing a copy of mozilla and one of the sample apps
> and see if you can step through where things get confused.
>
> bob
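
Added example, not part of the original thread and not NSS or Communicator code: a token-side check that reads CKA_MODULUS out of the template handed to C_CreateObject and reports its significant bit length, plus the struct size and length-field offset that the packing question above turns on. The type definitions are minimal stand-ins for the Cryptoki headers, and `modulus_bits`, `sample_bits` and all sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-ins for the Cryptoki types (assumption: a real module takes
 * these, and their packing, from the PKCS #11 headers it is built with). */
typedef unsigned long CK_ULONG;
typedef struct {
    CK_ULONG type;
    void *pValue;
    CK_ULONG ulValueLen;
} CK_ATTRIBUTE;
#define CKA_MODULUS 0x00000120UL
#define CKA_PUBLIC_EXPONENT 0x00000122UL

/* Significant bit length of CKA_MODULUS in a template; 0 if absent or zero. */
CK_ULONG modulus_bits(const CK_ATTRIBUTE *tmpl, CK_ULONG count)
{
    for (CK_ULONG i = 0; i < count; i++) {
        const unsigned char *p = tmpl[i].pValue;
        CK_ULONG len = tmpl[i].ulValueLen;
        if (tmpl[i].type != CKA_MODULUS || p == NULL)
            continue;
        while (len > 0 && *p == 0) { p++; len--; }   /* skip leading zero bytes */
        if (len == 0) return 0;
        CK_ULONG bits = len * 8;
        for (unsigned char top = *p; !(top & 0x80); top <<= 1)
            bits--;                                   /* unused high bits */
        return bits;
    }
    return 0;
}

/* Hypothetical helper: build a constructed template whose modulus is `len`
 * bytes long and starts with b0, b1, then report what modulus_bits sees. */
CK_ULONG sample_bits(size_t len, unsigned char b0, unsigned char b1)
{
    unsigned char mod[256] = { 0 }, pubexp[3] = { 0x01, 0x00, 0x01 };
    if (len < 2 || len > sizeof mod) return 0;
    mod[0] = b0; mod[1] = b1;
    CK_ATTRIBUTE tmpl[] = { { CKA_PUBLIC_EXPONENT, pubexp, sizeof pubexp },
                            { CKA_MODULUS, mod, (CK_ULONG)len } };
    return modulus_bits(tmpl, 2);
}

int main(void)
{
    /* Compare these two numbers with the calling application's build. */
    printf("sizeof(CK_ATTRIBUTE)=%zu offsetof(ulValueLen)=%zu\n",
           sizeof(CK_ATTRIBUTE), offsetof(CK_ATTRIBUTE, ulValueLen));
    return 0;
}
```

If the module and the application disagree on the printed size or offset, the module reads `ulValueLen` from the wrong place, and the length it logs for the modulus will not match what the application sent.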