hi,
I did found that the CKA_SENSITIVE is "true" by using the following code:
rv = PK11_ReadRawAttribute(PK11_TypePrivKey, privKey, CKA_SENSITIVE,
&value);
if (rv != SECSuccess) {
NSSUtilLogger.msg(ERROR, "Failed to read CKA_SENSITIVE attribute from
private key.");
}
if ((value.len == 1) && (value.data != NULL))
std::cout<< !!(*(CK_BBOOL*)value.data)<<std::endl;
But I did set sensitive parameter to be PR_FALSE when generate the key pair,
see the following:
*privk = PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN, &rsaParams,
pubk, PR_FALSE, PR_FALSE, NULL);
How could the key still be sensitive? Is there anywhere that I should set?
Best Regards
Weizhong Qiang
On Jan 26, 2012, at 6:57 PM, Robert Relyea wrote:
> On 01/26/2012 07:55 AM, weizhong qiang wrote:
>> On Jan 26, 2012, at 4:44 PM, helpcrypto helpcrypto wrote:
>>
>>> AFAIK, returning or not the attributes from an object, depends on the token.
>> Everything I am operating is on the nss internal softoken.
>
> Right softoken enforces good hygiene.
> In truth, access to those attributes are controlled through a couple of other
> attributes:
>
> CKA_PRIVATE - access to the object requires authentication.
>
> CKA_SENSITIVE - direct access to the sensitive/private attributes of this
> object is prohibitted.
>
> CKA_EXTRACTABLE - this object can be extracted from the token.
>
> If Private is set, then you need to log in to do any of the actions below.
>
> If both Sensitve and Extractable is set, then you can extract the object by
> wrapping it, but you can't access the unencrypted attributes.
>
> If Senstive is FALSE and Extractable is TRUE, you can either extract the
> object by wrapping it, or by reading the attributes directly.
>
> If Extractable is FALSE, then you can't extract the object at all (either by
> wrapping it or by reading the attributes directly).
>
> Most tokens set Extratable to FALSE.
>
> bob
>
>>
>>
>>> I recommend you reading about CKO_PRIVATE_KEY on PKCS#11 standard to
>>> understand what can be happening.
>>> For example if token=card, CKA_PRIME_1 *musnt* be on the card, as far
>>> is not *needed* to do cryptographic operations.
>>>
>>> El día 26 de enero de 2012 14:08, weizhong qiang
>>> <weizhongqi...@gmail.com> escribió:
>>>> hi,
>>>> Is there a fact that nss does not permit the reading of the attribute
>>>> CKA_PRIVATE_EXPONENT, CKA_PRIME_1, etc.?
>>>> Because with all of the eight attributes, it is possible to compose the
>>>> content of the private key, but the outputting of private key is not
>>>> allowed in nss?
>>>>
>>>> Thanks and Best Regards,
>>>> Weizhong Qiang
>>>>
>>>> On Jan 26, 2012, at 9:43 AM, helpcrypto helpcrypto wrote:
>>>>
>>>>> Is eny error shown at NSSUtilLogger.msg(ERROR, "Failed to read
>>>>> attribute %x from private key.", type); ?
>>>>>
>>>>> El día 25 de enero de 2012 17:04, weizhong qiang
>>>>> <weizhongqi...@gmail.com> escribió:
>>>>>> hi all,
>>>>>> I tried to get the attributes from a private key (see the following code
>>>>>> piece). But only the CKA_MODULUS and CKA_PUBLIC_EXPONENT can be got,
>>>>>> others (CKA_PRIVATE_EXPONENT etc.) can not be got.
>>>>>> Could you tell me how to solve it?
>>>>>> By the way, I generate rsa key pair without "sensitive"
>>>>>> (PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN,&rsaParams, pubk,
>>>>>> PR_TRUE, PR_FALSE, NULL); ), so I suppose the private key is not
>>>>>> protected by password, and can be output?
>>>>>>
>>>>>> Best Regards,
>>>>>> Weizhong Qiang
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> /****************/
>>>>>> static bool ReadPrivKeyAttribute(SECKEYPrivateKey* key,
>>>>>> CK_ATTRIBUTE_TYPE type, std::vector<uint8>* output) {
>>>>>> SECItem item;
>>>>>> SECStatus rv;
>>>>>> rv = PK11_ReadRawAttribute(PK11_TypePrivKey, key, type,&item);
>>>>>> if (rv != SECSuccess) {
>>>>>> NSSUtilLogger.msg(ERROR, "Failed to read attribute %x from private
>>>>>> key.", type);
>>>>>> return false;
>>>>>> }
>>>>>> output->assign(item.data, item.data + item.len);
>>>>>> SECITEM_FreeItem(&item, PR_FALSE);
>>>>>> return true;
>>>>>> }
>>>>>>
>>>>>> static bool ExportPrivateKey(SECKEYPrivateKey* key, std::vector<uint8>*
>>>>>> output) {
>>>>>> PrivateKeyInfoCodec private_key_info(true);
>>>>>>
>>>>>> // Manually read the component attributes of the private key and
>>>>>> build up
>>>>>> // the PrivateKeyInfo.
>>>>>> if (!ReadPrivKeyAttribute(key, CKA_MODULUS,
>>>>>> private_key_info.modulus()) ||
>>>>>> !ReadPrivKeyAttribute(key, CKA_PUBLIC_EXPONENT,
>>>>>> private_key_info.public_exponent()) ||
>>>>>> !ReadPrivKeyAttribute(key, CKA_PRIVATE_EXPONENT,
>>>>>> private_key_info.private_exponent()) ||
>>>>>> !ReadPrivKeyAttribute(key, CKA_PRIME_1, private_key_info.prime1())
>>>>>> ||
>>>>>> !ReadPrivKeyAttribute(key, CKA_PRIME_2, private_key_info.prime2())
>>>>>> ||
>>>>>> !ReadPrivKeyAttribute(key, CKA_EXPONENT_1,
>>>>>> private_key_info.exponent1()) ||
>>>>>> !ReadPrivKeyAttribute(key, CKA_EXPONENT_2,
>>>>>> private_key_info.exponent2()) ||
>>>>>> !ReadPrivKeyAttribute(key, CKA_COEFFICIENT,
>>>>>> private_key_info.coefficient())) {
>>>>>> return false;
>>>>>> }
>>>>>>
>>>>>> return private_key_info.Export(output);
>>>>>> }
>>>>>>
>>>>>> --
>>>>>> dev-tech-crypto mailing list
>>>>>> dev-tech-crypto@lists.mozilla.org
>>>>>> https://lists.mozilla.org/listinfo/dev-tech-crypto
>>>>> --
>>>>> dev-tech-crypto mailing list
>>>>> dev-tech-crypto@lists.mozilla.org
>>>>> https://lists.mozilla.org/listinfo/dev-tech-crypto
>>>> --
>>>> dev-tech-crypto mailing list
>>>> dev-tech-crypto@lists.mozilla.org
>>>> https://lists.mozilla.org/listinfo/dev-tech-crypto
>>> --
>>> dev-tech-crypto mailing list
>>> dev-tech-crypto@lists.mozilla.org
>>> https://lists.mozilla.org/listinfo/dev-tech-crypto
>
>
> --
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
