Re: Thunderbird encrypted mail using certificate (on smartcard) isnt able to C_Decrypt the message. Why?
Robert Relyea rrel...@redhat.com wrote: Sorry my bad, I wasn't clear. The double decrypt happens in the case where you first call C_Decrypt with pData = NULL. In that case you can return 128 instead of decrypting the data just to get the length. In the case where C_Decrypt is called with pData != NULL, you need to return the actual number of bytes coded by the PKCS #1 encoding because you are actually returning the decrypted data at this point. AFAIK first call C_Decrypt with pData=NULL and pulDataLen=0 should return the decrypt bytes length (X). Then, second call should have pData!=NULL and pulDataLen=y. if yX -CKR_BUFFER_TOO_SMALL Returning 128 doesnt work (and shouldnt), cause the decrypted data is 24 (always?) bytes length Anyhow, i now return the correct size (24) and dont trust on C_Decrypt input pulDataLen. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Regarding PSM with external SSL library
Ashok Subash wrote: Hi Brian, We have made some progress. We could statically build nss and link on our platform. Do you mean statically link NSS into Firefox? If so, there are several gotchas that need to be taken into account. See Wan-Teh's patch at https://bugzilla.mozilla.org/show_bug.cgi?id=534471 which addresses some/all of them on Windows for *Chrome*. I imagine the issues are similar but not quite the same for Firefox and/or for other platforms. Is there any other porting points i've missed? Your inputs/suggestions will help us to solve this faster. I wish I could be more helpful but it is really hard to tell the problem from the description given. Also, it is hard for me to diagnose problems with Firefox 3.6.x because I have *literally* never even checked out the source code for Firefox 3.6.x before. (I started at Mozilla during the development of 4.0.) - Brian -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: how to get CKA_PRIVATE_EXPONENT attribute from a private key?
Is eny error shown at NSSUtilLogger.msg(ERROR, Failed to read
attribute %x from private key., type); ?
El día 25 de enero de 2012 17:04, weizhong qiang
weizhongqi...@gmail.com escribió:
hi all,
I tried to get the attributes from a private key (see the following code
piece). But only the CKA_MODULUS and CKA_PUBLIC_EXPONENT can be got, others
(CKA_PRIVATE_EXPONENT etc.) can not be got.
Could you tell me how to solve it?
By the way, I generate rsa key pair without sensitive
(PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN, rsaParams, pubk,
PR_TRUE, PR_FALSE, NULL); ), so I suppose the private key is not protected by
password, and can be output?
Best Regards,
Weizhong Qiang
//
static bool ReadPrivKeyAttribute(SECKEYPrivateKey* key, CK_ATTRIBUTE_TYPE
type, std::vectoruint8* output) {
SECItem item;
SECStatus rv;
rv = PK11_ReadRawAttribute(PK11_TypePrivKey, key, type, item);
if (rv != SECSuccess) {
NSSUtilLogger.msg(ERROR, Failed to read attribute %x from private
key., type);
return false;
}
output-assign(item.data, item.data + item.len);
SECITEM_FreeItem(item, PR_FALSE);
return true;
}
static bool ExportPrivateKey(SECKEYPrivateKey* key, std::vectoruint8*
output) {
PrivateKeyInfoCodec private_key_info(true);
// Manually read the component attributes of the private key and build up
// the PrivateKeyInfo.
if (!ReadPrivKeyAttribute(key, CKA_MODULUS, private_key_info.modulus()) ||
!ReadPrivKeyAttribute(key, CKA_PUBLIC_EXPONENT,
private_key_info.public_exponent()) ||
!ReadPrivKeyAttribute(key, CKA_PRIVATE_EXPONENT,
private_key_info.private_exponent()) ||
!ReadPrivKeyAttribute(key, CKA_PRIME_1, private_key_info.prime1()) ||
!ReadPrivKeyAttribute(key, CKA_PRIME_2, private_key_info.prime2()) ||
!ReadPrivKeyAttribute(key, CKA_EXPONENT_1, private_key_info.exponent1())
||
!ReadPrivKeyAttribute(key, CKA_EXPONENT_2, private_key_info.exponent2())
||
!ReadPrivKeyAttribute(key, CKA_COEFFICIENT,
private_key_info.coefficient())) {
return false;
}
return private_key_info.Export(output);
}
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: how to get CKA_PRIVATE_EXPONENT attribute from a private key?
Hi,
It gives number 123, which is the type CKA_PRIVATE_EXPONENT.
Thanks
Weizhong qiang
在 2012-1-26 下午4:43,helpcrypto helpcrypto helpcry...@gmail.com写道:
Is eny error shown at NSSUtilLogger.msg(ERROR, Failed to read
attribute %x from private key., type); ?
El día 25 de enero de 2012 17:04, weizhong qiang
weizhongqi...@gmail.com escribió:
hi all,
I tried to get the attributes from a private key (see the following code
piece). But only the CKA_MODULUS and CKA_PUBLIC_EXPONENT can be got, others
(CKA_PRIVATE_EXPONENT etc.) can not be got.
Could you tell me how to solve it?
By the way, I generate rsa key pair without sensitive
(PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN, rsaParams, pubk,
PR_TRUE, PR_FALSE, NULL); ), so I suppose the private key is not protected
by password, and can be output?
Best Regards,
Weizhong Qiang
//
static bool ReadPrivKeyAttribute(SECKEYPrivateKey* key,
CK_ATTRIBUTE_TYPE type, std::vectoruint8* output) {
SECItem item;
SECStatus rv;
rv = PK11_ReadRawAttribute(PK11_TypePrivKey, key, type, item);
if (rv != SECSuccess) {
NSSUtilLogger.msg(ERROR, Failed to read attribute %x from private
key., type);
return false;
}
output-assign(item.data, item.data + item.len);
SECITEM_FreeItem(item, PR_FALSE);
return true;
}
static bool ExportPrivateKey(SECKEYPrivateKey* key, std::vectoruint8*
output) {
PrivateKeyInfoCodec private_key_info(true);
// Manually read the component attributes of the private key and
build up
// the PrivateKeyInfo.
if (!ReadPrivKeyAttribute(key, CKA_MODULUS,
private_key_info.modulus()) ||
!ReadPrivKeyAttribute(key, CKA_PUBLIC_EXPONENT,
private_key_info.public_exponent()) ||
!ReadPrivKeyAttribute(key, CKA_PRIVATE_EXPONENT,
private_key_info.private_exponent()) ||
!ReadPrivKeyAttribute(key, CKA_PRIME_1, private_key_info.prime1())
||
!ReadPrivKeyAttribute(key, CKA_PRIME_2, private_key_info.prime2())
||
!ReadPrivKeyAttribute(key, CKA_EXPONENT_1,
private_key_info.exponent1()) ||
!ReadPrivKeyAttribute(key, CKA_EXPONENT_2,
private_key_info.exponent2()) ||
!ReadPrivKeyAttribute(key, CKA_COEFFICIENT,
private_key_info.coefficient())) {
return false;
}
return private_key_info.Export(output);
}
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: how to get CKA_PRIVATE_EXPONENT attribute from a private key?
my mistake. i mean the RV value -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: how to get CKA_PRIVATE_EXPONENT attribute from a private key?
The rv value gives SECFailure. Thanks 在 2012-1-26 下午5:29,helpcrypto helpcrypto helpcry...@gmail.com写道: my mistake. i mean the RV value -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: how to get CKA_PRIVATE_EXPONENT attribute from a private key?
hi,
Is there a fact that nss does not permit the reading of the attribute
CKA_PRIVATE_EXPONENT, CKA_PRIME_1, etc.?
Because with all of the eight attributes, it is possible to compose the content
of the private key, but the outputting of private key is not allowed in nss?
Thanks and Best Regards,
Weizhong Qiang
On Jan 26, 2012, at 9:43 AM, helpcrypto helpcrypto wrote:
Is eny error shown at NSSUtilLogger.msg(ERROR, Failed to read
attribute %x from private key., type); ?
El día 25 de enero de 2012 17:04, weizhong qiang
weizhongqi...@gmail.com escribió:
hi all,
I tried to get the attributes from a private key (see the following code
piece). But only the CKA_MODULUS and CKA_PUBLIC_EXPONENT can be got, others
(CKA_PRIVATE_EXPONENT etc.) can not be got.
Could you tell me how to solve it?
By the way, I generate rsa key pair without sensitive
(PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN, rsaParams, pubk,
PR_TRUE, PR_FALSE, NULL); ), so I suppose the private key is not protected
by password, and can be output?
Best Regards,
Weizhong Qiang
//
static bool ReadPrivKeyAttribute(SECKEYPrivateKey* key, CK_ATTRIBUTE_TYPE
type, std::vectoruint8* output) {
SECItem item;
SECStatus rv;
rv = PK11_ReadRawAttribute(PK11_TypePrivKey, key, type, item);
if (rv != SECSuccess) {
NSSUtilLogger.msg(ERROR, Failed to read attribute %x from private
key., type);
return false;
}
output-assign(item.data, item.data + item.len);
SECITEM_FreeItem(item, PR_FALSE);
return true;
}
static bool ExportPrivateKey(SECKEYPrivateKey* key, std::vectoruint8*
output) {
PrivateKeyInfoCodec private_key_info(true);
// Manually read the component attributes of the private key and build up
// the PrivateKeyInfo.
if (!ReadPrivKeyAttribute(key, CKA_MODULUS, private_key_info.modulus()) ||
!ReadPrivKeyAttribute(key, CKA_PUBLIC_EXPONENT,
private_key_info.public_exponent()) ||
!ReadPrivKeyAttribute(key, CKA_PRIVATE_EXPONENT,
private_key_info.private_exponent()) ||
!ReadPrivKeyAttribute(key, CKA_PRIME_1, private_key_info.prime1()) ||
!ReadPrivKeyAttribute(key, CKA_PRIME_2, private_key_info.prime2()) ||
!ReadPrivKeyAttribute(key, CKA_EXPONENT_1,
private_key_info.exponent1()) ||
!ReadPrivKeyAttribute(key, CKA_EXPONENT_2,
private_key_info.exponent2()) ||
!ReadPrivKeyAttribute(key, CKA_COEFFICIENT,
private_key_info.coefficient())) {
return false;
}
return private_key_info.Export(output);
}
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: how to get CKA_PRIVATE_EXPONENT attribute from a private key?
AFAIK, returning or not the attributes from an object, depends on the token.
I recommend you reading about CKO_PRIVATE_KEY on PKCS#11 standard to
understand what can be happening.
For example if token=card, CKA_PRIME_1 *musnt* be on the card, as far
is not *needed* to do cryptographic operations.
El día 26 de enero de 2012 14:08, weizhong qiang
weizhongqi...@gmail.com escribió:
hi,
Is there a fact that nss does not permit the reading of the attribute
CKA_PRIVATE_EXPONENT, CKA_PRIME_1, etc.?
Because with all of the eight attributes, it is possible to compose the
content of the private key, but the outputting of private key is not allowed
in nss?
Thanks and Best Regards,
Weizhong Qiang
On Jan 26, 2012, at 9:43 AM, helpcrypto helpcrypto wrote:
Is eny error shown at NSSUtilLogger.msg(ERROR, Failed to read
attribute %x from private key., type); ?
El día 25 de enero de 2012 17:04, weizhong qiang
weizhongqi...@gmail.com escribió:
hi all,
I tried to get the attributes from a private key (see the following code
piece). But only the CKA_MODULUS and CKA_PUBLIC_EXPONENT can be got, others
(CKA_PRIVATE_EXPONENT etc.) can not be got.
Could you tell me how to solve it?
By the way, I generate rsa key pair without sensitive
(PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN, rsaParams, pubk,
PR_TRUE, PR_FALSE, NULL); ), so I suppose the private key is not protected
by password, and can be output?
Best Regards,
Weizhong Qiang
//
static bool ReadPrivKeyAttribute(SECKEYPrivateKey* key, CK_ATTRIBUTE_TYPE
type, std::vectoruint8* output) {
SECItem item;
SECStatus rv;
rv = PK11_ReadRawAttribute(PK11_TypePrivKey, key, type, item);
if (rv != SECSuccess) {
NSSUtilLogger.msg(ERROR, Failed to read attribute %x from private
key., type);
return false;
}
output-assign(item.data, item.data + item.len);
SECITEM_FreeItem(item, PR_FALSE);
return true;
}
static bool ExportPrivateKey(SECKEYPrivateKey* key, std::vectoruint8*
output) {
PrivateKeyInfoCodec private_key_info(true);
// Manually read the component attributes of the private key and build up
// the PrivateKeyInfo.
if (!ReadPrivKeyAttribute(key, CKA_MODULUS, private_key_info.modulus())
||
!ReadPrivKeyAttribute(key, CKA_PUBLIC_EXPONENT,
private_key_info.public_exponent()) ||
!ReadPrivKeyAttribute(key, CKA_PRIVATE_EXPONENT,
private_key_info.private_exponent()) ||
!ReadPrivKeyAttribute(key, CKA_PRIME_1, private_key_info.prime1()) ||
!ReadPrivKeyAttribute(key, CKA_PRIME_2, private_key_info.prime2()) ||
!ReadPrivKeyAttribute(key, CKA_EXPONENT_1,
private_key_info.exponent1()) ||
!ReadPrivKeyAttribute(key, CKA_EXPONENT_2,
private_key_info.exponent2()) ||
!ReadPrivKeyAttribute(key, CKA_COEFFICIENT,
private_key_info.coefficient())) {
return false;
}
return private_key_info.Export(output);
}
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: how to get CKA_PRIVATE_EXPONENT attribute from a private key?
On Jan 26, 2012, at 4:44 PM, helpcrypto helpcrypto wrote:
AFAIK, returning or not the attributes from an object, depends on the token.
Everything I am operating is on the nss internal softoken.
I recommend you reading about CKO_PRIVATE_KEY on PKCS#11 standard to
understand what can be happening.
For example if token=card, CKA_PRIME_1 *musnt* be on the card, as far
is not *needed* to do cryptographic operations.
El día 26 de enero de 2012 14:08, weizhong qiang
weizhongqi...@gmail.com escribió:
hi,
Is there a fact that nss does not permit the reading of the attribute
CKA_PRIVATE_EXPONENT, CKA_PRIME_1, etc.?
Because with all of the eight attributes, it is possible to compose the
content of the private key, but the outputting of private key is not allowed
in nss?
Thanks and Best Regards,
Weizhong Qiang
On Jan 26, 2012, at 9:43 AM, helpcrypto helpcrypto wrote:
Is eny error shown at NSSUtilLogger.msg(ERROR, Failed to read
attribute %x from private key., type); ?
El día 25 de enero de 2012 17:04, weizhong qiang
weizhongqi...@gmail.com escribió:
hi all,
I tried to get the attributes from a private key (see the following code
piece). But only the CKA_MODULUS and CKA_PUBLIC_EXPONENT can be got,
others (CKA_PRIVATE_EXPONENT etc.) can not be got.
Could you tell me how to solve it?
By the way, I generate rsa key pair without sensitive
(PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN, rsaParams, pubk,
PR_TRUE, PR_FALSE, NULL); ), so I suppose the private key is not protected
by password, and can be output?
Best Regards,
Weizhong Qiang
//
static bool ReadPrivKeyAttribute(SECKEYPrivateKey* key, CK_ATTRIBUTE_TYPE
type, std::vectoruint8* output) {
SECItem item;
SECStatus rv;
rv = PK11_ReadRawAttribute(PK11_TypePrivKey, key, type, item);
if (rv != SECSuccess) {
NSSUtilLogger.msg(ERROR, Failed to read attribute %x from private
key., type);
return false;
}
output-assign(item.data, item.data + item.len);
SECITEM_FreeItem(item, PR_FALSE);
return true;
}
static bool ExportPrivateKey(SECKEYPrivateKey* key, std::vectoruint8*
output) {
PrivateKeyInfoCodec private_key_info(true);
// Manually read the component attributes of the private key and build
up
// the PrivateKeyInfo.
if (!ReadPrivKeyAttribute(key, CKA_MODULUS, private_key_info.modulus())
||
!ReadPrivKeyAttribute(key, CKA_PUBLIC_EXPONENT,
private_key_info.public_exponent()) ||
!ReadPrivKeyAttribute(key, CKA_PRIVATE_EXPONENT,
private_key_info.private_exponent()) ||
!ReadPrivKeyAttribute(key, CKA_PRIME_1, private_key_info.prime1()) ||
!ReadPrivKeyAttribute(key, CKA_PRIME_2, private_key_info.prime2()) ||
!ReadPrivKeyAttribute(key, CKA_EXPONENT_1,
private_key_info.exponent1()) ||
!ReadPrivKeyAttribute(key, CKA_EXPONENT_2,
private_key_info.exponent2()) ||
!ReadPrivKeyAttribute(key, CKA_COEFFICIENT,
private_key_info.coefficient())) {
return false;
}
return private_key_info.Export(output);
}
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Thunderbird encrypted mail using certificate (on smartcard) isnt able to C_Decrypt the message. Why?
On 01/26/2012 12:04 AM, helpcrypto helpcrypto wrote: Robert Relyearrel...@redhat.com wrote: Sorry my bad, I wasn't clear. The double decrypt happens in the case where you first call C_Decrypt with pData = NULL. In that case you can return 128 instead of decrypting the data just to get the length. In the case where C_Decrypt is called with pData != NULL, you need to return the actual number of bytes coded by the PKCS #1 encoding because you are actually returning the decrypted data at this point. AFAIK first call C_Decrypt with pData=NULL and pulDataLen=0 should return the decrypt bytes length (X). Then, second call should have pData!=NULL and pulDataLen=y. if yX -CKR_BUFFER_TOO_SMALL Returning 128 doesnt work (and shouldnt), cause the decrypted data is 24 (always?) bytes length In the first call you need to return a value at least big enough to hold the decrypted data. 128 bytes (size of encrypted data) is big enough for RSA. This isn't ideal, however. You keep saying the data is 24 bytes, but that's not a given, it's only true in the case you were talking. If you receive a different type of key it could be a different size. Even if I know the key type is RC5, for instance, I still don't know the key length. That is encoded in the PKCS #1. In order to get that you need to decrypt the block. That is why I was saying using the first call/second call method could lead to needing to double decrypt (once to find the length and once to return the data). Anyhow, i now return the correct size (24) and dont trust on C_Decrypt input pulDataLen. err, are you hard coding the size at 24. That is not what I said to do. You function that use used to decrypt your PKCS #1 data returns a data length somewhere. It has to or the function is incomplete (it's not really processing the PKCS #1 data). That data length is what you need to return. bob -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: how to get CKA_PRIVATE_EXPONENT attribute from a private key?
On 01/26/2012 07:55 AM, weizhong qiang wrote:
On Jan 26, 2012, at 4:44 PM, helpcrypto helpcrypto wrote:
AFAIK, returning or not the attributes from an object, depends on the token.
Everything I am operating is on the nss internal softoken.
Right softoken enforces good hygiene.
In truth, access to those attributes are controlled through a couple of
other attributes:
CKA_PRIVATE - access to the object requires authentication.
CKA_SENSITIVE - direct access to the sensitive/private attributes of
this object is prohibitted.
CKA_EXTRACTABLE - this object can be extracted from the token.
If Private is set, then you need to log in to do any of the actions below.
If both Sensitve and Extractable is set, then you can extract the object
by wrapping it, but you can't access the unencrypted attributes.
If Senstive is FALSE and Extractable is TRUE, you can either extract the
object by wrapping it, or by reading the attributes directly.
If Extractable is FALSE, then you can't extract the object at all
(either by wrapping it or by reading the attributes directly).
Most tokens set Extratable to FALSE.
bob
I recommend you reading about CKO_PRIVATE_KEY on PKCS#11 standard to
understand what can be happening.
For example if token=card, CKA_PRIME_1 *musnt* be on the card, as far
is not *needed* to do cryptographic operations.
El día 26 de enero de 2012 14:08, weizhong qiang
weizhongqi...@gmail.com escribió:
hi,
Is there a fact that nss does not permit the reading of the attribute
CKA_PRIVATE_EXPONENT, CKA_PRIME_1, etc.?
Because with all of the eight attributes, it is possible to compose the content
of the private key, but the outputting of private key is not allowed in nss?
Thanks and Best Regards,
Weizhong Qiang
On Jan 26, 2012, at 9:43 AM, helpcrypto helpcrypto wrote:
Is eny error shown at NSSUtilLogger.msg(ERROR, Failed to read
attribute %x from private key., type); ?
El día 25 de enero de 2012 17:04, weizhong qiang
weizhongqi...@gmail.com escribió:
hi all,
I tried to get the attributes from a private key (see the following code
piece). But only the CKA_MODULUS and CKA_PUBLIC_EXPONENT can be got, others
(CKA_PRIVATE_EXPONENT etc.) can not be got.
Could you tell me how to solve it?
By the way, I generate rsa key pair without sensitive (PK11_GenerateKeyPair(slot,
CKM_RSA_PKCS_KEY_PAIR_GEN,rsaParams, pubk, PR_TRUE, PR_FALSE, NULL); ), so I suppose the
private key is not protected by password, and can be output?
Best Regards,
Weizhong Qiang
//
static bool ReadPrivKeyAttribute(SECKEYPrivateKey* key, CK_ATTRIBUTE_TYPE type,
std::vectoruint8* output) {
SECItem item;
SECStatus rv;
rv = PK11_ReadRawAttribute(PK11_TypePrivKey, key, type,item);
if (rv != SECSuccess) {
NSSUtilLogger.msg(ERROR, Failed to read attribute %x from private key.,
type);
return false;
}
output-assign(item.data, item.data + item.len);
SECITEM_FreeItem(item, PR_FALSE);
return true;
}
static bool ExportPrivateKey(SECKEYPrivateKey* key, std::vectoruint8*
output) {
PrivateKeyInfoCodec private_key_info(true);
// Manually read the component attributes of the private key and build up
// the PrivateKeyInfo.
if (!ReadPrivKeyAttribute(key, CKA_MODULUS, private_key_info.modulus()) ||
!ReadPrivKeyAttribute(key, CKA_PUBLIC_EXPONENT,
private_key_info.public_exponent()) ||
!ReadPrivKeyAttribute(key, CKA_PRIVATE_EXPONENT,
private_key_info.private_exponent()) ||
!ReadPrivKeyAttribute(key, CKA_PRIME_1, private_key_info.prime1()) ||
!ReadPrivKeyAttribute(key, CKA_PRIME_2, private_key_info.prime2()) ||
!ReadPrivKeyAttribute(key, CKA_EXPONENT_1, private_key_info.exponent1())
||
!ReadPrivKeyAttribute(key, CKA_EXPONENT_2, private_key_info.exponent2())
||
!ReadPrivKeyAttribute(key, CKA_COEFFICIENT,
private_key_info.coefficient())) {
return false;
}
return private_key_info.Export(output);
}
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: how to get CKA_PRIVATE_EXPONENT attribute from a private key?
On 01/26/2012 05:08 AM, weizhong qiang wrote: hi, Is there a fact that nss does not permit the reading of the attribute CKA_PRIVATE_EXPONENT, CKA_PRIME_1, etc.? Because with all of the eight attributes, it is possible to compose the content of the private key, but the outputting of private key is not allowed in nss? Thanks and Best Regards, Weizhong Qiang These are private attributes. You are correct, applications aren't allowed to get them. It's bad security hygene to access private cryptographic components in the application itself, thought it's almost the first thing new crypto programmers try to do. My real question here is Why do you want to get the CKA_PRIVATE_EXPONENT? bob -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: how to get CKA_PRIVATE_EXPONENT attribute from a private key?
hi, On Jan 26, 2012, at 6:28 PM, Robert Relyea wrote: On 01/26/2012 05:08 AM, weizhong qiang wrote: hi, Is there a fact that nss does not permit the reading of the attribute CKA_PRIVATE_EXPONENT, CKA_PRIME_1, etc.? Because with all of the eight attributes, it is possible to compose the content of the private key, but the outputting of private key is not allowed in nss? Thanks and Best Regards, Weizhong Qiang These are private attributes. You are correct, applications aren't allowed to get them. It's bad security hygene to access private cryptographic components in the application itself, thought it's almost the first thing new crypto programmers try to do. My real question here is Why do you want to get the CKA_PRIVATE_EXPONENT? I need to get CKA_PRIVATE_EXPONENT and some other private attributes, in order to compute the private key, so as to output this private key without encryption. I just knew that nss itself does not support the outputting of private key without encryption. The outputting of private key that nss support is only the pk12 that requires encryption of private key. I reason I want to do this is that I use the certificate in nss softoken to sign a proxy certificate (rfc 3820), and then I need to output the private key (generate by nss) that is relevant to this proxy certificate. Best Regards, Weizhong Qiang bob -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Thunderbird encrypted mail using certificate (on smartcard) isnt able to C_Decrypt the message. Why?
In the first call you need to return a value at least big enough to hold the decrypted data. 128 bytes (size of encrypted data) is big enough for RSA. This isn't ideal, however. You keep saying the data is 24 bytes, but that's not a given, it's only true in the case you were talking. If you receive a different type of key it could be a different size. Even if I know the key type is RC5, for instance, I still don't know the key length. That is encoded in the PKCS #1. In order to get that you need to decrypt the block. That is why I was saying using the first call/second call method could lead to needing to double decrypt (once to find the length and once to return the data). This is what im doing, dont worry. err, are you hard coding the size at 24. That is not what I said to do. You function that use used to decrypt your PKCS #1 data returns a data length somewhere. It has to or the function is incomplete (it's not really processing the PKCS #1 data). That data length is what you need to return. Not hardcoding. That would be a nightmare. I do it as you said some mails ago: twice. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
