Petar Popara wrote:
> I have found what causes failure, but don't know why. I have been using
> CKM_DES_CBC instead of CKM_DES_CBC_PAD.

NSS's software crypto module (mozilla/security/nss/lib/softoken)
returns CKR_DEVICE_ERROR on all symmetric encryption/decryption
failures.

If you use CKM_DES_CBC instead of CKM_DES_CBC_PAD and your
input size is not a multiple of the DES block size, the
encryption/decryption will fail. Note that at this point
NSS actually sets the NSS error code SEC_ERROR_INVALID_ARGS.
(Look for "(inLen % 8) != 0" in
mozilla/security/nss/lib/freebl/desblapi.c.)

Then, PK11_CipherOp maps the PKCS #11 error code CKR_DEVICE_ERROR
to the NSS error code SEC_IO_ERROR. This overwrites the
SEC_ERROR_INVALID_ARGS error code NSS sets previously.

So the ambiguous error code SEC_IO_ERROR comes from the
CKR_DEVICE_ERROR return value from lib/softoken.

What NSS can do to improve this is to call PORT_GetError
on symmetric encryption/decryption failures and return a
more precise CKR_ value than CKR_DEVICE_ERROR. For example,
SEC_ERROR_INVALID_ARGS could be mapped to CKR_ARGUMENTS_BAD.
And then lib/pk11wrap can map CKR_ARGUMENTS_BAD to SEC_ERROR_INVALID_ARGS.

Wan-Teh
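
A small model of the error path described in the message above, added here as an illustration; it is not NSS code and not part of the original post. The three layer functions, the `precise` switch and the numeric values of the codes are hypothetical stand-ins; only the code names and the `(inLen % 8) != 0` check come from the message.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in codes for this model only: names follow the message, values are not NSS's. */
enum { CKR_OK, CKR_ARGUMENTS_BAD, CKR_DEVICE_ERROR };
enum { SEC_OK, SEC_IO_ERROR, SEC_ERROR_INVALID_ARGS };

static int port_error; /* models the NSS error code that PORT_GetError would return */

/* freebl layer: unpadded DES-CBC rejects input that is not a multiple of 8 bytes. */
static int des_cbc_op(size_t inLen) {
    if ((inLen % 8) != 0) {
        port_error = SEC_ERROR_INVALID_ARGS; /* the precise cause is recorded here */
        return -1;
    }
    return 0;
}

/* softoken layer. precise == 0: behaviour described in the message (every failure
 * becomes CKR_DEVICE_ERROR); precise == 1: the proposed mapping via the saved error. */
static int softoken_op(size_t inLen, int precise) {
    if (des_cbc_op(inLen) == 0)
        return CKR_OK;
    if (precise && port_error == SEC_ERROR_INVALID_ARGS)
        return CKR_ARGUMENTS_BAD;
    return CKR_DEVICE_ERROR;
}

/* pk11wrap layer: maps the CKR_ value back to an NSS error code, overwriting
 * whatever the lower layer had set. Returns the code the caller ends up seeing. */
static int pk11_cipher_op(size_t inLen, int precise) {
    port_error = SEC_OK;
    switch (softoken_op(inLen, precise)) {
    case CKR_OK:            return SEC_OK;
    case CKR_ARGUMENTS_BAD: port_error = SEC_ERROR_INVALID_ARGS; break;
    default:                port_error = SEC_IO_ERROR; break;
    }
    return port_error;
}

int main(void) {
    /* 13 bytes is a constructed input length that is not a multiple of 8. */
    printf("current:  %d (SEC_IO_ERROR=%d)\n", pk11_cipher_op(13, 0), SEC_IO_ERROR);
    printf("proposed: %d (SEC_ERROR_INVALID_ARGS=%d)\n",
           pk11_cipher_op(13, 1), SEC_ERROR_INVALID_ARGS);
    return 0;
}
```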