Aleksey Sanin wrote:

As you can see from the code, there is a special GenerateKey function.
Yes, the simplest implementation I have for NSS does use the random
generator but it was only a result of copy/paste from GnuTLS/OpenSSL code.
It would be great to have the symmetric key generated on the crypto token.

Definitely.



However, you need to remember that you might need to get *raw* symmetric
key data in some cases (encrypting with encrypted key).

Theoretically (in the context of NSS) we should be able to manage without ever using
raw symmetric keys. The key material can be in the crypto token,
and users can just use key handles. For distribution, the keys
can be wrapped using key transport algorithms (using PKI). In any case,
NSS does have APIs (PK11_ExtractKeyValue; PK11_GetKeyData) to extract the
raw symmetric key from the token... (which will fail if a token is
in FIPS mode.... which prohibits export of key material).




Bottom line: I have no problems with your suggestions. But you might want
to talk with Tej about that too.

Aleksey

Andrew Fan wrote:

Hi Aleksey,

I noticed that in the implementation of xmlSec on top of NSS, every symmetric key (symkeys.c) is generated by calling PK11_RandomGenerate( unsigned char* data , int len ), which calls the C_GenerateRandom of PKCS#11 and creates an internal pkcs11 slot for C_GenerateRandom.

I think it is unreasonable.
1. A symmetric key should be created in the user practice context, i.e., a certain slot and a certain session.
2. A symmetric key should be created by the crypto device (C_GenerateKey) instead of constructed from a random.
3. Although from a random, it is possible to create a symmetric key, it is not a recommendable solution.
4. This implementation hides the mechanism of the crypto device.


What's your idea about these questions?

Regards,
Andrew


_______________________________________________ xmlsec mailing list [EMAIL PROTECTED] http://www.aleksey.com/mailman/listinfo/xmlsec


