As you can see from the code, there is a special GenerateKey function. Yes, the simplest implementation I have for NSS does use the random generator, but it was only a result of copy/paste from GnuTLS/OpenSSL code. It would be great to have the symmetric key generated on the crypto token. However, you need to remember that you might need to get the *raw* symmetric key data in some cases (encrypting with encrypted key).
Bottom line: I have no problems with your suggestions. But you might want to talk with Tej about that too.
Aleksey
Andrew Fan wrote:
Hi Aleksey,
I noticed that in the implementation of xmlSec on top of NSS, every symmetric key (symkeys.c) is generated by calling PK11_RandomGenerate(unsigned char* data, int len), which calls the C_GenerateRandom of PKCS#11 and creates an internal pkcs11 slot for C_GenerateRandom.
I think it is unreasonable.
1. A symmetric key should be created in the user practice context, i.e., a certain slot and a certain session.
2. A symmetric key should be created by the crypto device (C_GenerateKey) instead of constructed from a random.
3. Although from a random it is possible to create a symmetric key, it is not a recommendable solution.
4. This implementation hides the mechanism of crypto device.
What's your idea about these questions?
Regards, Andrew
