I have a CERTCertificate and some data, and I wan't to encrypt and decrypt the data.
I'm having trouble using PK11_PubDecryptRaw/PK11_PubEncryptRaw. I pass
both functions raw data with is same size as the key modulus, but it
doesn't work all the times.
What do you mean by "it doesn't work"? Does some function return results you didn't expect? What function? What result? Did the function return something other that SECSuccess? If so, what value was returned by PR_GetError()?
I don't really understand why PubDecryptRaw
takes more arguments than PubEncryptRaw, which could be one of my problems
:) Why is that?
The "Raw" functions are patterned after the non-Raw ones. The Encrypt function will generally produce a result that is equal in length to the modulus. So, the encrypt function doesn't take all the extra arguments to describe the length of the output buffer.
In the case of a non-raw (e.g. PKCS #1) decrypt function, the decrypted output will generally be considerably shorter than the modulus, so the function provides explicit access to the output buffer length. For the RAW interface, the output would be expected to be about the same as the modulus length (never longer), so one might argue that the extra length parameters aren't really needed for the raw decrypt function, but in this case, the function was designed to have similar arguments to the non-raw functions.
> Can someone give me a simple example of how to "do it right"?
User data is not typically encrypted directly with RSA encryption.
Usually, RSA encryption is used to encrypt (or "wrap") other keys, such as triple-DES or AES) which are used with their respective encryption algorithms to encrypt user data.
So, the commonly used solution is to generate a "symmetric" key that is
used to encrypt some user data, then "wrap" (encrypt) that key using an
RSA public key. On the other end, the RSA private key is used to "unwrap" (decrypt) the "symmetric" key, which in turn is used to decrypt the user
data.
Look at PK11_KeyGen() to generate a symmetric key, PK11_PubWrapSymKey() to wrap it, PK11_PubUnwrapSymKey or PK11_PubUnwrapSymKeyWithFlags to unwrap it.
My first plan was to use the RSA_*KeyOp-functions from blapi.h, but I can't find out how to get from CERTCertificate to the RSAPublicKey/RSAPrivateKey that the functions take as arguments. Any help there?
I don't think you want to start to use the really low level functions. I suggest you stay with the PK11_ functions.
Thanks in advance,
Allan Beaufour Larsen
