Le mardi 24 janvier 2012 16:29:05 UTC+1, helpcrypto helpcrypto a écrit : > Ok guys, just to let you know, now its working. (Again, this list > deserves my love) > > 2 things were happenning: > > 1-As Rob Relyea (thx) pointed me, i was doing something wrong: My > C_Decrypt function was returning 128 bytes instead of the 24 seems it > should. > Why it should return 24 and not 64/32/16/8...?
The call to the PKCS#11 library specifies CKM_RSA_PKCS as the mechanism. So the library is expected to handle PKCS1v1_5 padding rules. The library doesn't have to know in advance the size of the key, it only needs to check the padding, remove it, and return the data that was really encrypted. The caller (Thunderbird) doesn't need to tell the library: I need to get 16/24/32/whatever bytes. > 2-Mozilla Thunderbird probably has a bug calling this function, and > not following the convention of "invoke first with pulDataLen=0 and > pData=NULL to guess size". Re-read the section 11.2 of PKCS#11. What you describe is only 1 of the 2 acceptable ways (in fact, in this way, nothing is imposed on *pulDataLen). Thunderbird uses the second way, which is described. > In fact, its invoking with pulDataLen=128 (probably 'cause its using > the same buffer for encrypted/decrypted key?) > According to standard: "Its OK if pEncryptedData and pData point to > the same location", but not their lengths! Nothing is imposed on pulDataLen. pData and pEncryptedData can be the same, it is up to the library to support it. Thunderbird expects at most 128 bytes, maybe because the private key is an RSA one of 1024 bits? Anyway, if the library detects that *pulDataLen is not large enough, CKR_ENCRYPTED_DATA_LEN_RANGE can be returned. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
