On 01/26/2012 07:55 AM, weizhong qiang wrote:
On Jan 26, 2012, at 4:44 PM, helpcrypto helpcrypto wrote:
AFAIK, returning or not the attributes from an object, depends on the token.
Everything I am operating is on the nss internal softoken.
Right softoken enforces good hygiene.
In truth, access to those attributes are controlled through a couple of
other attributes:
CKA_PRIVATE - access to the object requires authentication.
CKA_SENSITIVE - direct access to the sensitive/private attributes of
this object is prohibitted.
CKA_EXTRACTABLE - this object can be extracted from the token.
If Private is set, then you need to log in to do any of the actions below.
If both Sensitve and Extractable is set, then you can extract the object
by wrapping it, but you can't access the unencrypted attributes.
If Senstive is FALSE and Extractable is TRUE, you can either extract the
object by wrapping it, or by reading the attributes directly.
If Extractable is FALSE, then you can't extract the object at all
(either by wrapping it or by reading the attributes directly).
Most tokens set Extratable to FALSE.
bob
I recommend you reading about CKO_PRIVATE_KEY on PKCS#11 standard to
understand what can be happening.
For example if token=card, CKA_PRIME_1 *musnt* be on the card, as far
is not *needed* to do cryptographic operations.
El día 26 de enero de 2012 14:08, weizhong qiang
<weizhongqi...@gmail.com> escribió:
hi,
Is there a fact that nss does not permit the reading of the attribute
CKA_PRIVATE_EXPONENT, CKA_PRIME_1, etc.?
Because with all of the eight attributes, it is possible to compose the content
of the private key, but the outputting of private key is not allowed in nss?
Thanks and Best Regards,
Weizhong Qiang
On Jan 26, 2012, at 9:43 AM, helpcrypto helpcrypto wrote:
Is eny error shown at NSSUtilLogger.msg(ERROR, "Failed to read
attribute %x from private key.", type); ?
El día 25 de enero de 2012 17:04, weizhong qiang
<weizhongqi...@gmail.com> escribió:
hi all,
I tried to get the attributes from a private key (see the following code
piece). But only the CKA_MODULUS and CKA_PUBLIC_EXPONENT can be got, others
(CKA_PRIVATE_EXPONENT etc.) can not be got.
Could you tell me how to solve it?
By the way, I generate rsa key pair without "sensitive" (PK11_GenerateKeyPair(slot,
CKM_RSA_PKCS_KEY_PAIR_GEN,&rsaParams, pubk, PR_TRUE, PR_FALSE, NULL); ), so I suppose the
private key is not protected by password, and can be output?
Best Regards,
Weizhong Qiang
/****************/
static bool ReadPrivKeyAttribute(SECKEYPrivateKey* key, CK_ATTRIBUTE_TYPE type,
std::vector<uint8>* output) {
SECItem item;
SECStatus rv;
rv = PK11_ReadRawAttribute(PK11_TypePrivKey, key, type,&item);
if (rv != SECSuccess) {
NSSUtilLogger.msg(ERROR, "Failed to read attribute %x from private key.",
type);
return false;
}
output->assign(item.data, item.data + item.len);
SECITEM_FreeItem(&item, PR_FALSE);
return true;
}
static bool ExportPrivateKey(SECKEYPrivateKey* key, std::vector<uint8>*
output) {
PrivateKeyInfoCodec private_key_info(true);
// Manually read the component attributes of the private key and build up
// the PrivateKeyInfo.
if (!ReadPrivKeyAttribute(key, CKA_MODULUS, private_key_info.modulus()) ||
!ReadPrivKeyAttribute(key, CKA_PUBLIC_EXPONENT,
private_key_info.public_exponent()) ||
!ReadPrivKeyAttribute(key, CKA_PRIVATE_EXPONENT,
private_key_info.private_exponent()) ||
!ReadPrivKeyAttribute(key, CKA_PRIME_1, private_key_info.prime1()) ||
!ReadPrivKeyAttribute(key, CKA_PRIME_2, private_key_info.prime2()) ||
!ReadPrivKeyAttribute(key, CKA_EXPONENT_1, private_key_info.exponent1())
||
!ReadPrivKeyAttribute(key, CKA_EXPONENT_2, private_key_info.exponent2())
||
!ReadPrivKeyAttribute(key, CKA_COEFFICIENT,
private_key_info.coefficient())) {
return false;
}
return private_key_info.Export(output);
}
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
