Re: how to decrypt with pubkey without pkcs1 padding things
Wan-Teh Chang wrote:
> On Thu, Nov 20, 2008 at 9:32 PM, NZzi [EMAIL PROTECTED] wrote:
>> yeah, in order to get the real reason of the problem, I had to compile NSS from source and debug my program with NSS code, then I found why I got the 8192 error. It's because of the length thing of data and signed data.
>
> I'm sorry that you had to go through this trouble. I have just checked in three patches that should improve the error reporting of our PK11_ crypto functions. Since you had done the work of compiling NSS from source, you can help me verify if my patches would have helped in your situation, in two ways.
>
> 1. In your current NSS source tree, please let me know where in the source code (source file and line number) it failed due to the length of data and signed data. With this info, I can tell if my patches will propagate that error up to the PK11_ function.
>
> Or
>
> 2. Build the tip of the NSS source tree, and see if you get a better NSS error code than -8192 (SEC_ERROR_IO) now. Hopefully you'll get SEC_ERROR_INPUT_LEN (-8188) or SEC_ERROR_OUTPUT_LEN (-8189) instead.
>
> You can check out the tip of the NSS source tree as follows:
>
>     export CVSROOT=:pserver:[EMAIL PROTECTED]:/cvsroot
>     cvs -q co -A NSPR NSS
>
>> I think Chang's current work on doc is great, a detailed Docs about NSS API (each level, including PKCS#11, Crypto Wrapper, and etc) will help people like me (know the basic cryptography knowledge, but not good at it) a lot.
>
> Documentation is important, but informative error codes are also important. This is why I hope you can help me verify my patches would have helped you.

Ok, no problem, it's my pleasure. But can you give me some days, because my project is close to its release deadline (at the end of this month), so this test can only be done this weekend or next Monday. I'm terribly sorry for this :(

BTW, the source I use is the NSS_3_12_RTM tag; I think your patch wasn't merged in this tag, right?

> Thanks!
>
> Wan-Teh

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: how to decrypt with pubkey without pkcs1 padding things
On Mon, Nov 24, 2008 at 9:10 PM, NZzi [EMAIL PROTECTED] wrote:
> But can you give me some days, because my project is close to its release deadline (at the end of this month), so this test can only be done this weekend or next Monday. I'm terribly sorry for this :(

No problem. Take your time.

> BTW, the source I use is the NSS_3_12_RTM tag; I think your patch wasn't merged in this tag, right?

Right. My patch is not in any tag yet. You need to use the tip of the trunk, without any tag. Just use these commands on Linux:

    export CVSROOT=:pserver:[EMAIL PROTECTED]:/cvsroot
    cvs -q co -A NSPR NSS

Wan-Teh
Re: how to decrypt with pubkey without pkcs1 padding things
On Thu, Nov 20, 2008 at 9:32 PM, NZzi [EMAIL PROTECTED] wrote:
> yeah, in order to get the real reason of the problem, I had to compile NSS from source and debug my program with NSS code, then I found why I got the 8192 error. It's because of the length thing of data and signed data.

I'm sorry that you had to go through this trouble. I have just checked in three patches that should improve the error reporting of our PK11_ crypto functions. Since you had done the work of compiling NSS from source, you can help me verify if my patches would have helped in your situation, in two ways.

1. In your current NSS source tree, please let me know where in the source code (source file and line number) it failed due to the length of data and signed data. With this info, I can tell if my patches will propagate that error up to the PK11_ function.

Or

2. Build the tip of the NSS source tree, and see if you get a better NSS error code than -8192 (SEC_ERROR_IO) now. Hopefully you'll get SEC_ERROR_INPUT_LEN (-8188) or SEC_ERROR_OUTPUT_LEN (-8189) instead.

You can check out the tip of the NSS source tree as follows:

    export CVSROOT=:pserver:[EMAIL PROTECTED]:/cvsroot
    cvs -q co -A NSPR NSS

> I think Chang's current work on doc is great, a detailed Docs about NSS API (each level, including PKCS#11, Crypto Wrapper, and etc) will help people like me (know the basic cryptography knowledge, but not good at it) a lot.

Documentation is important, but informative error codes are also important. This is why I hope you can help me verify my patches would have helped you.

Thanks!

Wan-Teh
Re: how to decrypt with pubkey without pkcs1 padding things
Robert Relyea wrote:
> Ken wrote:
>> 2008/11/15 Robert Relyea [EMAIL PROTECTED]:
>>> NZzi wrote:
>>>> Robert Relyea wrote:
>>>>> NZzi wrote:
>>>>>> hi all: I want to use private key to encrypt a message, and decrypt with public key.
>>>>> Are you encrypting data or a symmetric Key? Most of the nss code that does these operations does so on actual symmetric keys (which are then used to do additional encryption/decryption/MACing). In that case they are using the PK11_PubWrapSymKey() and PK11_PubUnwrapSymKey().
>>>> If I use a symmetric key to encrypt a license and use the private key to encrypt the symmetric key, other people can have my public key.
>>> Yeah, it's an unfortunate name. The Pub in PubWrapSymKey means 'Public Key Cryptography', not PublicKey. It's really the private key. It was written before we started standardizing on separating Public and Private in the function name.
>> but I must guarantee the integrity of the license and forbid it from being regenerated or modified. No matter what key (public or private) is used to wrap the symkey, if someone hacks the program to get the unwrapped symkey (e.g. from memory), he can modify and regenerate the license to pass the validation. So I just want to use the private key to encrypt the license, and decrypt and validate it using the public key.
> OK, so you are doing a signing operation, not a key exchange or encryption. (The symmetric key only applies to the decryption issue.) In doing crypto, it's important to understand what your high-level goal is before you can apply the appropriate primitives. In this case it sounds like you aren't really making data unreadable, you are simply making sure the data is the correct data (that is, the license is valid).
>> The reason I don't use SGN_*() is I need to recover the content of the license. I tried PK11_VerifyRecover(), but got the 8192 error, so I'm not sure PK11_VerifyRecover() can recover the content of the license signature, signed by PK11_Sign(private_key,...)?
> Typically you include the data you are signing in the clear along with the signature.
>
> The license content can't be a secret, or your scheme is broken (anyone can get it if you 'encrypt' it with your private key). If you just use the RSA encrypt, you are definitely tying yourself to RSA (no possibility of using some other signing algorithm, which requires you to possess knowledge of what it is you are trying to sign before you actually verify). If you are trying to match some existing system, then you are pretty much stuck with RSA anyway, but if you are building this on your own, then consider including the data outside the signature. You'll thank me later ;).
>
> That being said, PK11_VerifyRecover should work. The most likely reasons for it not working include: 1) the public key you decrypt with doesn't match the private key you encrypted with, 2) the signed data is corrupted in some way.
>
> What does your code sample look like?

yeah, in order to get the real reason of the problem, I had to compile NSS from source and debug my program with NSS code, then I found why I got the 8192 error. It's because of the length thing of data and signed data.

I think Chang's current work on doc is great, a detailed Docs about NSS API (each level, including PKCS#11, Crypto Wrapper, and etc) will help people like me (know the basic cryptography knowledge, but not good at it) a lot.

anyway, thanks very much

> bob
Re: how to decrypt with pubkey without pkcs1 padding things
Ken wrote:
> 2008/11/15 Robert Relyea [EMAIL PROTECTED]:
>> NZzi wrote:
>>> Robert Relyea wrote:
>>>> NZzi wrote:
>>>>> hi all: I want to use private key to encrypt a message, and decrypt with public key.
>>>> Are you encrypting data or a symmetric Key? Most of the nss code that does these operations does so on actual symmetric keys (which are then used to do additional encryption/decryption/MACing). In that case they are using the PK11_PubWrapSymKey() and PK11_PubUnwrapSymKey().
>>> If I use a symmetric key to encrypt a license and use the private key to encrypt the symmetric key, other people can have my public key.
>> Yeah, it's an unfortunate name. The Pub in PubWrapSymKey means 'Public Key Cryptography', not PublicKey. It's really the private key. It was written before we started standardizing on separating Public and Private in the function name.
> but I must guarantee the integrity of the license and forbid it from being regenerated or modified. No matter what key (public or private) is used to wrap the symkey, if someone hacks the program to get the unwrapped symkey (e.g. from memory), he can modify and regenerate the license to pass the validation. So I just want to use the private key to encrypt the license, and decrypt and validate it using the public key.

OK, so you are doing a signing operation, not a key exchange or encryption. (The symmetric key only applies to the decryption issue.) In doing crypto, it's important to understand what your high-level goal is before you can apply the appropriate primitives. In this case it sounds like you aren't really making data unreadable, you are simply making sure the data is the correct data (that is, the license is valid).

> The reason I don't use SGN_*() is I need to recover the content of the license. I tried PK11_VerifyRecover(), but got the 8192 error, so I'm not sure PK11_VerifyRecover() can recover the content of the license signature, signed by PK11_Sign(private_key,...)?

Typically you include the data you are signing in the clear along with the signature.

The license content can't be a secret, or your scheme is broken (anyone can get it if you 'encrypt' it with your private key). If you just use the RSA encrypt, you are definitely tying yourself to RSA (no possibility of using some other signing algorithm, which requires you to possess knowledge of what it is you are trying to sign before you actually verify). If you are trying to match some existing system, then you are pretty much stuck with RSA anyway, but if you are building this on your own, then consider including the data outside the signature. You'll thank me later ;).

That being said, PK11_VerifyRecover should work. The most likely reasons for it not working include: 1) the public key you decrypt with doesn't match the private key you encrypted with, 2) the signed data is corrupted in some way.

What does your code sample look like?

bob
Re: how to decrypt with pubkey without pkcs1 padding things
NZzi wrote:
> Robert Relyea wrote:
>> NZzi wrote:
>>> hi all: I want to use private key to encrypt a message, and decrypt with public key.
>> Are you encrypting data or a symmetric Key? Most of the nss code that does these operations does so on actual symmetric keys (which are then used to do additional encryption/decryption/MACing). In that case they are using the PK11_PubWrapSymKey() and PK11_PubUnwrapSymKey().
> If I use a symmetric key to encrypt a license and use the private key to encrypt the symmetric key, other people can have my public key.

Yeah, it's an unfortunate name. The Pub in PubWrapSymKey means 'Public Key Cryptography', not PublicKey. It's really the private key. It was written before we started standardizing on separating Public and Private in the function name.

>> bob
> I think he can hack my program to get the symmetric key, when my program recovers the license using the symmetric key decrypted by the public key. He can write a new license and re-generate the license to let the software be used forever, how can I forbid this?

bob

> [snip...]
Re: how to decrypt with pubkey without pkcs1 padding things
2008/11/15 Robert Relyea [EMAIL PROTECTED]:
> NZzi wrote:
>> Robert Relyea wrote:
>>> NZzi wrote:
>>>> hi all: I want to use private key to encrypt a message, and decrypt with public key.
>>> Are you encrypting data or a symmetric Key? Most of the nss code that does these operations does so on actual symmetric keys (which are then used to do additional encryption/decryption/MACing). In that case they are using the PK11_PubWrapSymKey() and PK11_PubUnwrapSymKey().
>> If I use a symmetric key to encrypt a license and use the private key to encrypt the symmetric key, other people can have my public key.
> Yeah, it's an unfortunate name. The Pub in PubWrapSymKey means 'Public Key Cryptography', not PublicKey. It's really the private key. It was written before we started standardizing on separating Public and Private in the function name.

but I must guarantee the integrity of the license and forbid it from being regenerated or modified. No matter what key (public or private) is used to wrap the symkey, if someone hacks the program to get the unwrapped symkey (e.g. from memory), he can modify and regenerate the license to pass the validation. So I just want to use the private key to encrypt the license, and decrypt and validate it using the public key.

The reason I don't use SGN_*() is I need to recover the content of the license. I tried PK11_VerifyRecover(), but got the 8192 error, so I'm not sure PK11_VerifyRecover() can recover the content of the license signature, signed by PK11_Sign(private_key,...)?

>>> bob
>> I think he can hack my program to get the symmetric key, when my program recovers the license using the symmetric key decrypted by the public key. He can write a new license and re-generate the license to let the software be used forever, how can I forbid this?
> bob
>
>> [snip...]
how to decrypt with pubkey without pkcs1 padding things
hi all:

I want to use private key to encrypt a message, and decrypt with public key. I know there are PK11_PubDecryptRaw and PK11_PubEncryptRaw, but all these don't do the padding things (PKCS1) for me. And SGN_*(), VFY_*(), PK11_Verify*() give me the digest message, not the plain message I want.

I found PK11_PubEncryptPKCS1() in a mailing list discussion, which seems to do the padding. But I want to use the private key to encrypt, not the public key. And what's more, there aren't any docs or example codes to show PK11_PubEncryptPKCS1() usage.

can anyone give me some examples or hints?

thanks in advance
Re: how to decrypt with pubkey without pkcs1 padding things
NZzi wrote:
> hi all:
>
> I want to use private key to encrypt a message, and decrypt with public key. I know there are PK11_PubDecryptRaw and PK11_PubEncryptRaw, but all these don't do the padding things (PKCS1) for me. And SGN_*(), VFY_*(), PK11_Verify*() give me the digest message, not the plain message I want.
>
> I found PK11_PubEncryptPKCS1() in a mailing list discussion, which seems to do the padding. But I want to use the private key to encrypt, not the public key. And what's more, there aren't any docs or example codes to show PK11_PubEncryptPKCS1() usage.

because I used PK11_PubEncryptPKCS1() in my code guessing how to use it, but I got the 8192 error (PR_GetError()). I looked up the error code: "An I/O error occurred during authentication; or an error occurred during crypto operation (other than signature verification)." All of the description is senseless to me.

> can anyone give me some examples or hints?
>
> thanks in advance
Re: how to decrypt with pubkey without pkcs1 padding things
NZzi wrote:
> NZzi wrote:
>> hi all:
>>
>> I want to use private key to encrypt a message, and decrypt with public key. I know there are PK11_PubDecryptRaw and PK11_PubEncryptRaw, but all these don't do the padding things (PKCS1) for me. And SGN_*(), VFY_*(), PK11_Verify*() give me the digest message, not the plain message I want.
>>
>> I found PK11_PubEncryptPKCS1() in a mailing list discussion, which seems to do the padding. But I want to use the private key to encrypt, not the public key. And what's more, there aren't any docs or example codes to show PK11_PubEncryptPKCS1() usage.
>
> because I used PK11_PubEncryptPKCS1() in my code guessing how to use it, but I got the 8192 error (PR_GetError()). I looked up the error code: "An I/O error occurred during authentication; or an error occurred during crypto operation (other than signature verification)." All of the description is senseless to me.

following is my code:

    modulus_len = SECKEY_PublicKeyStrength(lf_sec->pubkey);  /* modulus length in bytes */
    char *data_buf = calloc(...modulus_len);
    char *enbuf = calloc(...,modulus_len);
    /* PKCS#1 v1.5 padding takes 11 bytes of the block itself, so the data length
       passed here must be at most modulus_len - 11; a full modulus_len of data fails */
    PK11_PubEncryptPKCS1(lf_sec->pubkey, enbuf, tmpbuf, modulus_len, NULL);
    ...

Using the same parameters for PK11_PubEncryptRaw() works well.

>> can anyone give me some examples or hints?
>>
>> thanks in advance
Re: how to decrypt with pubkey without pkcs1 padding things
NZzi wrote:
> hi all: I want to use private key to encrypt a message, and decrypt with public key.

Are you encrypting data or a symmetric Key? Most of the nss code that does these operations does so on actual symmetric keys (which are then used to do additional encryption/decryption/MACing). In that case they are using the PK11_PubWrapSymKey() and PK11_PubUnwrapSymKey().

bob

> I found PK11_PubEncryptPKCS1() in a mailing list discussion, which seems to do the padding. But I want to use the private key to encrypt, not the public key. And what's more, there aren't any docs or example codes to show PK11_PubEncryptPKCS1() usage.

OK, so here's a question, what is it you are trying to do? Encrypting with the private key is really called 'Signing'. The equivalent function is PK11_Sign.

If you are doing key distribution, or you are trying to pass secret data to someone else, you want to encrypt with the public key, so only the person with the private key can decrypt it. Encrypting with the private key, in this case, will allow anyone to read the result by 'decrypting' with the public key.

In the sign case, you don't care about secrecy, you want to 'prove' you hold the private key. In that case you 'encrypt' data with that private key. I know you have the private key because I get the correct data back when I 'decrypt' with the public key. This recovery process is a verification, so it's called PK11_Verify, except you are looking for the actual data to recover, not to verify that the data matches. This operation is *VERY* RSA specific. No other signing/verification method uses it. In that case you need to call the special function PK11_VerifyRecover. These names match their PKCS #11 equivalents in the PKCS #11 spec.

An important note about this. NSS allows this. There are cases where you do need to use PK11_VerifyRecover rather than PK11_Verify, or more specifically, the high level SGN_ and VFY_ functions.

HOWEVER, there should be warning signs in your head if you have to resort to these cases. First, you will likely be generating signatures that no one else will be able to validate (All toolkits know how to deal with an RSA signature with PKCS #1 padding *AND* properly ASN1 wrapped digests - even better wrapped as an ASN1 signing wrapper). Second, you are tying your application strongly to RSA. The world of crypto is littered with the dead bodies of once strong algorithms which have fallen to the increasingly sophisticated attacks of the cryptanalyst. RSA is still strong today (albeit weaker than when I first started working in crypto), but that may not stay forever. Tying yourself to a specific algorithm is not a good idea.

All that being said, the mapping of high level/crypto operation names to low level RSA operations is as follows:

    Encrypt with public Key (PKCS #1 padding):  PK11_PubEncryptPKCS1()
    Decrypt with private Key (PKCS #1 padding): PK11_PrivDecryptPKCS1()
    Encrypt with private Key (PKCS #1 padding): PK11_Sign() (use mechanism CKM_RSA_PKCS1)
    Decrypt with public Key (PKCS #1 padding):  PK11_VerifyRecover() (use mechanism CKM_RSA_PKCS1)

Note: PKCS #1 specifies different padding rules for Sign/Verify versus Encrypt/Decrypt. For the former the padding character is a constant (I think ff, but I'd have to check to be sure), while the latter pads with random non-zero data.

Also Note: A full PKCS #1 RSA signature is not only PKCS #1 padded, but also wraps the digest which it is signing with a DER wrapper which includes the OID value of the hash used to generate the digest. PK11_Sign does not add this wrapping on its own, and PK11_VerifyRecover does not strip it.

bob

> can anyone give me some examples or hints?
>
> thanks in advance
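As an added example (not code from this thread or from NSS), here is a pure-Python reconstruction of what sits under the four PK11_ calls in Bob's mapping and the two notes after it: type-1 padding with the constant 0xff for Sign/VerifyRecover, type-2 padding with random non-zero bytes for Encrypt/Decrypt, the DigestInfo wrapper that PK11_Sign does not add, and Bob's earlier point about sending the data in the clear, shown by contrasting `verify_recover` with `verify`. The RSA key pair is generated at run time as a constructed demo key, and all function names are my own, not NSS's.

```python
import hashlib
import hmac
import random

# DER prefix of a SHA-256 DigestInfo (RFC 8017 9.2, note 1): the "DER wrapper which
# includes the OID value of the hash" that PK11_Sign does not add for you.
DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")
_rng = random.SystemRandom()


def _is_probable_prime(n, rounds=32):
    # Miller-Rabin: adequate for a constructed demo key, not a hardened key generator.
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        c = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, top bit set
        if _is_probable_prime(c):
            return c


def generate_key(bits=1024):
    e = 65537  # returns ((n, e), (n, d)); a constructed demo key, not the poster's
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e and n.bit_length() == bits:
            return (n, e), (n, pow(e, -1, phi))


def key_bytes(key):
    return (key[0].bit_length() + 7) // 8  # modulus length, as SECKEY_PublicKeyStrength reports


def rsa_raw(key, block):
    # Textbook RSA on one modulus-sized block: the raw operation behind PK11_Pub*Raw.
    n, exp = key
    m = int.from_bytes(block, "big")
    if len(block) != key_bytes(key) or m >= n:
        raise ValueError("block must be exactly modulus-sized and less than n")
    return pow(m, exp, n).to_bytes(key_bytes(key), "big")


def emsa_pkcs1_v15(t, k):
    # Block type 1 (Sign/Verify): 00 01 FF..FF 00 T, the padding is the constant 0xff.
    if k - len(t) - 3 < 8:
        raise ValueError("data too long for this key")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def eme_pkcs1_v15(m, k):
    # Block type 2 (Encrypt/Decrypt): 00 02 PS 00 M, PS is at least 8 random NON-ZERO bytes,
    # so the data must be at most k - 11 bytes (the length limit the thread ran into).
    if k - len(m) - 3 < 8:
        raise ValueError("data too long for this key: at most modulus length minus 11")
    ps = bytes(_rng.randrange(1, 256) for _ in range(k - len(m) - 3))
    return b"\x00\x02" + ps + b"\x00" + m


def pkcs1_v15_unpad(block, block_type):
    # Parse 00 BT PS 00 D and return D, rejecting the wrong block type or a short PS.
    if len(block) < 11 or block[0] != 0 or block[1] != block_type:
        raise ValueError("bad PKCS#1 block type")
    sep = block.find(b"\x00", 2)
    if sep < 10 or (block_type == 1 and any(b != 0xFF for b in block[2:sep])):
        raise ValueError("malformed padding string")
    return block[sep + 1:]


def sign(priv, msg):
    # PK11_Sign with the PKCS #1 mechanism, with the DigestInfo wrapper added by the caller.
    t = DIGESTINFO_SHA256 + hashlib.sha256(msg).digest()
    return rsa_raw(priv, emsa_pkcs1_v15(t, key_bytes(priv)))


def verify_recover(pub, sig):
    # PK11_VerifyRecover: strip the type-1 padding and hand back T, DigestInfo still wrapped.
    return pkcs1_v15_unpad(rsa_raw(pub, sig), 1)


def verify(pub, sig, msg):
    # PK11_Verify / VFY_*: the message travels in the clear and is compared, not recovered.
    expected = DIGESTINFO_SHA256 + hashlib.sha256(msg).digest()
    try:
        return hmac.compare_digest(verify_recover(pub, sig), expected)
    except ValueError:
        return False


def encrypt(pub, msg):  # PK11_PubEncryptPKCS1
    return rsa_raw(pub, eme_pkcs1_v15(msg, key_bytes(pub)))


def decrypt(priv, ct):  # PK11_PrivDecryptPKCS1
    return pkcs1_v15_unpad(rsa_raw(priv, ct), 2)
```

Feeding a signature block to the type-2 unpadder fails on the block-type byte, which is the concrete form of Bob's note that the two paddings are not interchangeable.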
Re: how to decrypt with pubkey without pkcs1 padding things
Robert Relyea wrote:
> NZzi wrote:
>> hi all: I want to use private key to encrypt a message, and decrypt with public key.
> Are you encrypting data or a symmetric Key? Most of the nss code that does these operations does so on actual symmetric keys (which are then used to do additional encryption/decryption/MACing). In that case they are using the PK11_PubWrapSymKey() and PK11_PubUnwrapSymKey().
>
> bob
>
>> I found PK11_PubEncryptPKCS1() in a mailing list discussion, which seems to do the padding. But I want to use the private key to encrypt, not the public key. And what's more, there aren't any docs or example codes to show PK11_PubEncryptPKCS1() usage.
>
> OK, so here's a question, what is it you are trying to do? Encrypting with the private key is really called 'Signing'. The equivalent function is PK11_Sign.
>
> If you are doing key distribution, or you are trying to pass secret data to someone else, you want to encrypt with the public key, so only the person with the private key can decrypt it. Encrypting with the private key, in this case, will allow anyone to read the result by 'decrypting' with the public key.
>
> In the sign case, you don't care about secrecy, you want to 'prove' you hold the private key. In that case you 'encrypt' data with that private key. I know you have the private key because I get the correct data back when I 'decrypt' with the public key. This recovery process is a verification, so it's called PK11_Verify, except you are looking for the actual data to recover, not to verify that the data matches. This operation is *VERY* RSA specific. No other signing/verification method uses it. In that case you need to call the special function PK11_VerifyRecover. These names match their PKCS #11 equivalents in the PKCS #11 spec.
>
> An important note about this. NSS allows this. There are cases where you do need to use PK11_VerifyRecover rather than PK11_Verify, or more specifically, the high level SGN_ and VFY_ functions.
>
> HOWEVER, there should be warning signs in your head if you have to resort to these cases. First, you will likely be generating signatures that no one else will be able to validate (All toolkits know how to deal with an RSA signature with PKCS #1 padding *AND* properly ASN1 wrapped digests - even better wrapped as an ASN1 signing wrapper). Second, you are tying your application strongly to RSA. The world of crypto is littered with the dead bodies of once strong algorithms which have fallen to the increasingly sophisticated attacks of the cryptanalyst. RSA is still strong today (albeit weaker than when I first started working in crypto), but that may not stay forever. Tying yourself to a specific algorithm is not a good idea.
>
> All that being said, the mapping of high level/crypto operation names to low level RSA operations is as follows:
>
>     Encrypt with public Key (PKCS #1 padding):  PK11_PubEncryptPKCS1()
>     Decrypt with private Key (PKCS #1 padding): PK11_PrivDecryptPKCS1()
>     Encrypt with private Key (PKCS #1 padding): PK11_Sign() (use mechanism CKM_RSA_PKCS1)
>     Decrypt with public Key (PKCS #1 padding):  PK11_VerifyRecover() (use mechanism CKM_RSA_PKCS1)

I'm sorry for my nonsense words, I was mad about using nss in my code last night. I just want to use the private key to encrypt a message (key modulus len), and recover/decrypt the message using the public key, without caring about anything about padding PKCS#1/PKCS#11. I only know little about cryptography.

following is my test code:

    #define BASE64_ENCODED_SUBJECTPUBLICKEYINFO "MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAL3F6TIc3JEYsugo+a2fPU3W+Epv/FeIX21DC86WYnpFtW4srFtz2oNUzyLUzDHZdb+k//8dcT3IAOzUUi3R2eMCAwEAAQ=="
    #define BASE64_ENCODED_PRIVATEKEYINFO "MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEAvcXpMhzckRiy6Cj5rZ89Tdb4Sm/8V4hfbUMLzpZiekW1biysW3Pag1TPItTMMdl1v6T//x1xPcgA7NRSLdHZ4wIDAQABAkEAjh8+4qncwcmGivnM6ytbpQT+k/jEOeXG2bQhjojvnXN3FazGCEFXvpuIBcJVfaIJS9YBCMOzzrAtO0+k2hWnOQIhAOC4NVbo8FQhZS4yXM1M86kMl47FA9ui//OUfbhlAdw1AiEA2DBmIXnsboKB+OHver69p0gNeWlvcJc9bjDVfdLVsLcCIQCPtV3vGYJv2vdwxqZQaHC+YB4gIGAqOqBCbmjD3lyFLQIgA+VTYdUNoqwtZWvE4gRf7IzK2V5CCNhg3gR5RGwxN58CIGCcafoRrUKsM66ISg0ITI04G9V/w+wMx91wjEEB+QBz"

    rv = NSS_NoDB_Init(".");
    slot = PK11_GetInternalKeySlot();

    /* decode the base64 SubjectPublicKeyInfo and extract the public key */
    ATOB_ConvertAsciiToItem(&der, pubkstr);
    spki = SECKEY_DecodeDERSubjectPublicKeyInfo(&der);
    SECITEM_FreeItem(&der, PR_FALSE);
    pubkey = SECKEY_ExtractPublicKey(spki);

    /* import the base64 PrivateKeyInfo into the internal slot */
    char *pvtkstr = BASE64_ENCODED_PRIVATEKEYINFO;
    SECItem nickname, pvt_der;
    nickname.type = siBuffer;
    nickname.data = (unsigned char *)pvtkeynickname;
    nickname.len = strlen(pvtkeynickname);
    ATOB_ConvertAsciiToItem(&pvt_der, pvtkstr);
    PK11_ImportDERPrivateKeyInfoAndReturnKey(slot, &pvt_der, NULL, NULL,
                                             PR_FALSE, PR_TRUE, KU_ALL, &pvtkey, NULL);

    /* output buffer sized to the signature (modulus) length */
    SECItem encdata;
    encdata.len = PK11_SignatureLen(pvtkey);
    encdata.data = (unsigned char *)calloc(encdata.len, sizeof(char));

    /* TESTLEN bytes of 'a' as the data to sign */
    SECItem plain_data;
    unsigned char testdata[1024];
    int i;
    for (i = 0; i < TESTLEN; i++)
        testdata[i] = 'a';
    plain_data.len = TESTLEN;
    plain_data.data = testdata;
Re: how to decrypt with pubkey without pkcs1 padding things
On Thu, Nov 13, 2008 at 7:41 PM, NZzi [EMAIL PROTECTED] wrote:
> now the test code failed in PK11_Sign() with the 8192 error, and as I have said, the error code description about this errno is senseless.

The -8192 error (SEC_ERROR_IO) is the default error code that NSS currently uses for many crypto function failures. The error code name SEC_ERROR_IO is confusing in this context because it is a crypto operation, not I/O, that failed, and it doesn't tell you why a crypto operation failed. This will be fixed in the upcoming NSS 3.12.3 release.

I have some patches for NSS 3.12.2 to fix the SEC_ERROR_IO problem in https://bugzilla.mozilla.org/show_bug.cgi?id=453364. If you build NSS from source code, and are comfortable with applying patches to a source tree, you can try applying the patches in that bug and see if it helps PK11_Sign() report a better error code.

Wan-Teh
Re: how to decrypt with pubkey without pkcs1 padding things
NZzi wrote: Robert Relyea wrote: NZzi wrote: hi all: I want to use private key to encrypt a message, and decrypt with public key. Are you encrypting data or a symmetric Key? Most of the nss code that does these operations does so on actual symetric keys (which are then used to do additional encryption/decryption/macing). In that case they are using the PK11_PubWrapSymKey() and PK11_PubUnwrapSymKey(). bob i find PK11_PubEncryptPKCS1() in mailing list discussion, which seems to do the padding. But i want to use private key to encrypt, not public key. And what's more, there are not any doc or example codes to show PK11_PubEncryptPKCS1() usage OK, so here's a question, what is it you are trying to do? Encrypting with the private key is really called 'Signing'. The equivalent function is PK11_Sign. If you are doing key distribution, or you are trying to pass secret data to someone else you want to encrypt with the public key, so only the person with the private key can decrypt it. Encrypting with the private key, in this case, will allow anyone to read the result by 'decrypting' with the public key. In the sign case, you don't care about secrecy, you want to 'prove' you hold the private key. In that case you 'encrypt' data with that private key. I know you have the private key because I get the correct data back when I 'decrypt' with the public key. This recovery process is a verification, so it's called PK11_Verify, except you are looking for the actual data to recover, not to verify that the data matches. This operation is *VERY* RSA specific. No other signing/verification method uses it. In that case you need to call the special function PK11_VerifyRecover. These names match their PKCS #11 equivalents in the PKCS #11 spec. An important note about this. NSS allows this. There are cases where you do need to use PK11_VerifyRecover rather than PK11_Verify, or more specificially, the high level SGN_ and VFY_ functions. 
HOWEVER, there should be warning signs in your head if you have to resort to these cases. First, you will likely be generating signatures that no one else will be able to validate (All toolkits know how to deal with an RSA signature with PKCS #1 padding *AND* properly ASN1 wrapped digests - even better wrapped as an ASN1 signing wrapper). Second, you are tying your application strongly to RSA. The world of crypto is littered with the dead bodies of once strong algorithms which have fallen to the increasingly sophisticated attacks of the cryptanalyst. RSA is still strong today (albeit weaker than when I first started working in crypto), but that may not stay forever. Tying yourself to a specific algorithm is not a good idea. All that being said the mapping of high level/crypto operation names to low level RSA operations is as follows: Encrypt with public Key (PKCS #1 padding): PK11_PubEncryptPKCS1() Decrypt with private Key (PKCS #1 padding): PK11_PrivDecryptPKCS1() Encrypt with private Key (PKCS #1 padding): PK11_Sign() (use mechanism CKM_RSA_PKCS1) Decrypt with public Key (PKCS #1 padding): PK11_VerifyRecover() (use mechanism CKM_RSA_PKCS1) I'm sorry for my nonsense words, i'm mad about using nss in my code last night. I just want to use private key to encrypt a message(key modulus len), and recover/decrypt the message using public key, without caring about anything about padding PKCS#1/PKCS#11. I only know little about cryptography. 
following is my test code: #define BASE64_ENCODED_SUBJECTPUBLICKEYINFO MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAL3F6TIc3JEYsugo+a2fPU3W+Epv/FeIX21DC86WYnpFtW4srFtz2oNUzyLUzDHZdb+k//8dcT3IAOzUUi3R2eMCAwEAAQ== #define BASE64_ENCODED_PRIVATEKEYINFO MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEAvcXpMhzckRiy6Cj5rZ89Tdb4Sm/8V4hfbUMLzpZiekW1biysW3Pag1TPItTMMdl1v6T//x1xPcgA7NRSLdHZ4wIDAQABAkEAjh8+4qncwcmGivnM6ytbpQT+k/jEOeXG2bQhjojvnXN3FazGCEFXvpuIBcJVfaIJS9YBCMOzzrAtO0+k2hWnOQIhAOC4NVbo8FQhZS4yXM1M86kMl47FA9ui//OUfbhlAdw1AiEA2DBmIXnsboKB+OHver69p0gNeWlvcJc9bjDVfdLVsLcCIQCPtV3vGYJv2vdwxqZQaHC+YB4gIGAqOqBCbmjD3lyFLQIgA+VTYdUNoqwtZWvE4gRf7IzK2V5CCNhg3gR5RGwxN58CIGCcafoRrUKsM66ISg0ITI04G9V/w+wMx91wjEEB+QBz rv = NSS_NoDB_Init(.); slot = PK11_GetInternalKeySlot(); ATOB_ConvertAsciiToItem(der, pubkstr) spki = SECKEY_DecodeDERSubjectPublicKeyInfo(der); SECITEM_FreeItem(der, PR_FALSE); pubkey = SECKEY_ExtractPublicKey(spki); char *pvtkstr = BASE64_ENCODED_PRIVATEKEYINFO; SECItem nickname, pvt_der; nickname.type = siBuffer; nickname.data = pvtkeynickname; nickname.len = strlen(pvtkeynickname); ATOB_ConvertAsciiToItem(pvt_der, pvtkstr) PK11_ImportDERPrivateKeyInfoAndReturnKey(slot, pvt_der, NULL, NULL, PR_FALSE, PR_TRUE, KU_ALL, pvtkey, NULL); SECItem encdata; encdata.len = PK11_SignatureLen(pvtkey); encdata.data = (char *)calloc(encdata.len, sizeof(char)); SECItem plain_data; char testdata[1024]; int i; for(i=0;iTESTLEN;i++) testdata[i] = 'a'; plain_data.len = TESTLEN; plain_data.data = testdata;
Re: how to decrypt with pubkey without pkcs1 padding things
NZzi wrote:
NZzi wrote:
Robert Relyea wrote:
NZzi wrote:
hi all: I want to use private key to encrypt a message, and decrypt with public key.

Are you encrypting data or a symmetric key? Most of the NSS code that does these operations does so on actual symmetric keys (which are then used to do additional encryption/decryption/MACing). In that case they are using PK11_PubWrapSymKey() and PK11_PubUnwrapSymKey().
bob

I find PK11_PubEncryptPKCS1() in a mailing list discussion, which seems to do the padding. But I want to use the private key to encrypt, not the public key. And what's more, there are not any docs or example code to show PK11_PubEncryptPKCS1() usage.

OK, so here's a question: what is it you are trying to do? Encrypting with the private key is really called 'Signing'. The equivalent function is PK11_Sign. If you are doing key distribution, or you are trying to pass secret data to someone else, you want to encrypt with the public key, so only the person with the private key can decrypt it. Encrypting with the private key, in this case, will allow anyone to read the result by 'decrypting' with the public key.

In the sign case, you don't care about secrecy, you want to 'prove' you hold the private key. In that case you 'encrypt' data with that private key. I know you have the private key because I get the correct data back when I 'decrypt' with the public key. This recovery process is a verification, so it's called PK11_Verify, except you are looking for the actual data to recover, not to verify that the data matches. This operation is *VERY* RSA specific. No other signing/verification method uses it. In that case you need to call the special function PK11_VerifyRecover. These names match their PKCS #11 equivalents in the PKCS #11 spec.

An important note about this. NSS allows this. There are cases where you do need to use PK11_VerifyRecover rather than PK11_Verify, or more specifically, the high level SGN_ and VFY_ functions.
HOWEVER, there should be warning signs in your head if you have to resort to these cases. First, you will likely be generating signatures that no one else will be able to validate (all toolkits know how to deal with an RSA signature with PKCS #1 padding *AND* properly ASN.1 wrapped digests - even better, wrapped in an ASN.1 signing wrapper). Second, you are tying your application strongly to RSA. The world of crypto is littered with the dead bodies of once strong algorithms which have fallen to the increasingly sophisticated attacks of the cryptanalyst. RSA is still strong today (albeit weaker than when I first started working in crypto), but that may not stay forever. Tying yourself to a specific algorithm is not a good idea.

All that being said, the mapping of high level crypto operation names to low level RSA operations is as follows:

Encrypt with public key (PKCS #1 padding): PK11_PubEncryptPKCS1()
Decrypt with private key (PKCS #1 padding): PK11_PrivDecryptPKCS1()
Encrypt with private key (PKCS #1 padding): PK11_Sign() (use mechanism CKM_RSA_PKCS1)
Decrypt with public key (PKCS #1 padding): PK11_VerifyRecover() (use mechanism CKM_RSA_PKCS1)

I'm sorry for my nonsense words, I'm mad about using NSS in my code last night. I just want to use the private key to encrypt a message (key modulus length), and recover/decrypt the message using the public key, without caring about anything about padding PKCS#1/PKCS#11. I only know little about cryptography.
following is my test code:

#include <stdlib.h>
#include <string.h>
#include <nss.h>
#include <pk11pub.h>
#include <keyhi.h>
#include <secitem.h>
#include <base64.h>

#define BASE64_ENCODED_SUBJECTPUBLICKEYINFO "MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAL3F6TIc3JEYsugo+a2fPU3W+Epv/FeIX21DC86WYnpFtW4srFtz2oNUzyLUzDHZdb+k//8dcT3IAOzUUi3R2eMCAwEAAQ=="
#define BASE64_ENCODED_PRIVATEKEYINFO "MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEAvcXpMhzckRiy6Cj5rZ89Tdb4Sm/8V4hfbUMLzpZiekW1biysW3Pag1TPItTMMdl1v6T//x1xPcgA7NRSLdHZ4wIDAQABAkEAjh8+4qncwcmGivnM6ytbpQT+k/jEOeXG2bQhjojvnXN3FazGCEFXvpuIBcJVfaIJS9YBCMOzzrAtO0+k2hWnOQIhAOC4NVbo8FQhZS4yXM1M86kMl47FA9ui//OUfbhlAdw1AiEA2DBmIXnsboKB+OHver69p0gNeWlvcJc9bjDVfdLVsLcCIQCPtV3vGYJv2vdwxqZQaHC+YB4gIGAqOqBCbmjD3lyFLQIgA+VTYdUNoqwtZWvE4gRf7IzK2V5CCNhg3gR5RGwxN58CIGCcafoRrUKsM66ISg0ITI04G9V/w+wMx91wjEEB+QBz"

SECStatus rv;
PK11SlotInfo *slot;
SECItem der;
CERTSubjectPublicKeyInfo *spki;
SECKEYPublicKey *pubkey;
SECKEYPrivateKey *pvtkey = NULL;
char *pubkstr = BASE64_ENCODED_SUBJECTPUBLICKEYINFO;

/* No certificate/key database: keys are imported from the DER blobs above. */
rv = NSS_NoDB_Init(".");
slot = PK11_GetInternalKeySlot();

/* Public key: base64 -> DER SubjectPublicKeyInfo -> SECKEYPublicKey */
ATOB_ConvertAsciiToItem(&der, pubkstr);
spki = SECKEY_DecodeDERSubjectPublicKeyInfo(&der);
SECITEM_FreeItem(&der, PR_FALSE);
pubkey = SECKEY_ExtractPublicKey(spki);

/* Private key: base64 -> DER PrivateKeyInfo -> imported into the internal slot */
char *pvtkstr = BASE64_ENCODED_PRIVATEKEYINFO;
SECItem nickname, pvt_der;
nickname.type = siBuffer;
nickname.data = (unsigned char *)pvtkeynickname;  /* pvtkeynickname is defined elsewhere in the poster's program */
nickname.len = strlen(pvtkeynickname);
ATOB_ConvertAsciiToItem(&pvt_der, pvtkstr);
PK11_ImportDERPrivateKeyInfoAndReturnKey(slot, &pvt_der, NULL, NULL, PR_FALSE, PR_TRUE, KU_ALL, &pvtkey, NULL);

/* Output buffer: the RSA result is always one modulus length */
SECItem encdata;
encdata.len = PK11_SignatureLen(pvtkey);
encdata.data = (unsigned char *)calloc(encdata.len, sizeof(char));

/* Input: TESTLEN bytes of 'a' (TESTLEN is defined elsewhere in the poster's program) */
SECItem plain_data;
char testdata[1024];
int i;
for (i = 0; i < TESTLEN; i++)
    testdata[i] = 'a';
plain_data.len = TESTLEN;
plain_data.data = (unsigned char *)testdata;
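To make the mapping Robert Relyea gives above concrete, here is an added example (not code from the thread or from NSS) of what the PKCS #1 "encrypt with private key" / "decrypt with public key" pair does: block type 01 padding followed by the RSA private operation, and the public operation followed by a padding check. The key is a constructed toy key built from two Mersenne primes, so the numbers are illustrative only; the padding rule also shows why a message of full modulus length, as asked for above, cannot go through this path.

```python
# Added example, not from the thread or NSS: PKCS #1 v1.5 block type 01 padding
# around textbook RSA, mirroring what PK11_Sign ("encrypt with the private key")
# and PK11_VerifyRecover ("decrypt with the public key") do with PKCS #1 padding.

# Constructed toy key from two Mersenne primes; far too small for real use.
TOY_P = 2**61 - 1
TOY_Q = 2**89 - 1
TOY_N = TOY_P * TOY_Q                      # 150-bit modulus, so k = 19 bytes
TOY_E = 65537
TOY_D = pow(TOY_E, -1, (TOY_P - 1) * (TOY_Q - 1))


def modulus_len(n: int) -> int:
    """k: modulus length in bytes (the analogue of PK11_SignatureLen)."""
    return (n.bit_length() + 7) // 8


def fits_pkcs1(data: bytes, n: int) -> bool:
    """Type 01 padding needs 11 bytes of overhead, so a modulus-length message never fits."""
    return len(data) <= modulus_len(n) - 11


def pkcs1_type1_pad(data: bytes, k: int) -> bytes:
    """EM = 00 || 01 || PS (>= 8 bytes of FF) || 00 || data."""
    if len(data) > k - 11:
        raise ValueError("input too long for PKCS #1 type 1 padding")
    return b"\x00\x01" + b"\xff" * (k - 3 - len(data)) + b"\x00" + data


def pkcs1_type1_unpad(em: bytes) -> bytes:
    """Reverse of pkcs1_type1_pad; a malformed block is an error, not recovered data."""
    if len(em) < 11 or em[:2] != b"\x00\x01":
        raise ValueError("bad block type")
    sep = em.find(b"\x00", 2)
    if sep < 10 or any(b != 0xFF for b in em[2:sep]):
        raise ValueError("bad padding string")
    return em[sep + 1:]


def sign_pkcs1(data: bytes, n: int, d: int) -> bytes:
    """'Encrypt with the private key': pad, then the RSA private operation."""
    k = modulus_len(n)
    em = int.from_bytes(pkcs1_type1_pad(data, k), "big")
    return pow(em, d, n).to_bytes(k, "big")


def verify_recover_pkcs1(sig: bytes, n: int, e: int) -> bytes:
    """'Decrypt with the public key': RSA public operation, then strip the padding."""
    k = modulus_len(n)
    if len(sig) != k:
        raise ValueError("signature must be exactly k bytes long")
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return pkcs1_type1_unpad(em)
```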