Dr S N Henson <[EMAIL PROTECTED]> wrote in message news:<[EMAIL PROTECTED]>...
> Pierre wrote:
> >
> > We try to decrypt an epki object generated from NSS with OpenSSL pkcs8
> > tool but without success !
> >
> > Here is the DER encoded epki object:
> [data deleted]
> >
> > So what's wrong ?
> >
>
> Not sure what the problem is at this stage. I'd guess that for some
> reason OpenSSL and NSS don't agree on what the key should be for that
> particular combination of PBE algorithm, password, salt and iteration
> count.
>
> I think the OpenSSL implementation has been checked against others for
> this algorithm in the past but that doesn't rule out problems with that
> particular combination. One thing I did notice is that you said earlier:
>
> > This epki object was created with PBE_SHA1_DES_CBC algo and a
> > password.
> >
>
> whereas the sample you sent used pbeWithMD5AndDES-CBC . I'm not very
> familiar with how you create PKCS#8 structures with NSS but you could
> try using 1 for the iteration count (it's currently 2048) and trying with
> different passwords to see if it's just an odd combination or a general
> disagreement. It should also be possible to dump what NSS thinks the DES
> key and IV should be and compare with OpenSSL.
>
> Steve.

To understand the way the NSS library implements MD5AndDES-CBC and
SHA1AndDES-CBC, we printed a huge quantity of traces. After several tests
we found what is happening:

1. Before sending the password and the salt to SHA1 or MD5, the NSS
   library is adding a 0x00 value between the password and the salt. So
   NSS sends password||0||salt to the hash function. That's strange
   because in the RSA reference document about PKCS5, we read that
   password||salt must be sent to the hash function. Isn't it a bug? Is it
   the way the system is dealing with strings?

2. When using SHA1 with DES-CBC, the SHA1 function is returning a
   20-byte array. The NSS library seems to take the first 8 bytes as the
   key and the last 8 bytes as the iv. Key and iv are used to initiate the
   DES algorithm. That's strange (again!) because in the RSA document we
   read that the first 8 bytes must be the key and the next 8 bytes (not
   the last) must be the iv. Isn't it another bug?

So, to end with this, we found the solution, but we also found that the
NSS library seems to work differently from other solutions like OpenSSL ...
Must we publish bugs into Bugzilla to allow product correction?

Thank you.
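
The key/IV comparison suggested in the thread, as an added example that is not part of the original messages and not NSS or OpenSSL code: it derives the DES key and IV with PKCS#5 v1.5 PBKDF1 and with the variant described in the post above, so both can be diffed against a library's dumped values. The function names, the `separator` parameter, the password and the salt are assumptions made for illustration; the variant models only what the post reports and has not been checked against NSS source.

```python
import hashlib

def pbkdf1_digest(hash_name, password, salt, iterations, separator=b""):
    """PKCS#5 v1.5 PBKDF1: T1 = H(P || S), Ti = H(T(i-1)); returns the full Tc.
    `separator` is a hypothetical knob, used here to model the extra 0x00."""
    t = hashlib.new(hash_name, password + separator + salt).digest()
    for _ in range(iterations - 1):
        t = hashlib.new(hash_name, t).digest()
    return t

def pbes1_key_iv(hash_name, password, salt, iterations):
    """Split per PKCS#5 v1.5: DES key = DK[0:8], IV = DK[8:16]."""
    dk = pbkdf1_digest(hash_name, password, salt, iterations)
    return dk[:8], dk[8:16]

def reported_variant_key_iv(hash_name, password, salt, iterations):
    """Behaviour as described in the post (not verified against NSS source):
    hash P || 0x00 || S, key = first 8 bytes, IV = last 8 bytes."""
    dk = pbkdf1_digest(hash_name, password, salt, iterations, separator=b"\x00")
    return dk[:8], dk[-8:]

def compare(password, salt, iterations):
    """Return {(hash, derivation): (key_hex, iv_hex)} for side-by-side diffing."""
    out = {}
    for h in ("md5", "sha1"):
        for label, fn in (("pkcs5", pbes1_key_iv), ("reported", reported_variant_key_iv)):
            key, iv = fn(h, password, salt, iterations)
            out[(h, label)] = (key.hex(), iv.hex())
    return out

if __name__ == "__main__":
    # Constructed sample values; substitute the salt and count from the EPKI header.
    sample = compare(b"password", bytes.fromhex("0102030405060708"), 2048)
    for (h, label), (key, iv) in sample.items():
        print(f"{h:5} {label:9} key={key} iv={iv}")
```

With MD5 the digest is exactly 16 bytes, so "last 8" and "next 8" select the same IV and only the 0x00 separator changes the result; with SHA1 both differences apply.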
