Hi,

I found that CKA_SENSITIVE is "true" by using the following code:

    rv = PK11_ReadRawAttribute(PK11_TypePrivKey, privKey, CKA_SENSITIVE, &value);
    if (rv != SECSuccess) {
      NSSUtilLogger.msg(ERROR, "Failed to read CKA_SENSITIVE attribute from private key.");
    } else {
      // Only inspect value after a successful read; it is not filled in on failure.
      if ((value.len == 1) && (value.data != NULL))
        std::cout << !!(*(CK_BBOOL*)value.data) << std::endl;
      SECITEM_FreeItem(&value, PR_FALSE);
    }

But I did set the sensitive parameter to PR_FALSE when generating the key pair, see the following:

    *privk = PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN, &rsaParams, pubk, PR_FALSE, PR_FALSE, NULL);

How could the key still be sensitive? Is there anywhere that I should set it?

Best Regards
Weizhong Qiang

On Jan 26, 2012, at 6:57 PM, Robert Relyea wrote:

> On 01/26/2012 07:55 AM, weizhong qiang wrote:
>> On Jan 26, 2012, at 4:44 PM, helpcrypto helpcrypto wrote:
>>
>>> AFAIK, returning or not the attributes from an object depends on the token.
>> Everything I am operating is on the nss internal softoken.
>
> Right, softoken enforces good hygiene.
> In truth, access to those attributes is controlled through a couple of other
> attributes:
>
> CKA_PRIVATE - access to the object requires authentication.
>
> CKA_SENSITIVE - direct access to the sensitive/private attributes of this
> object is prohibited.
>
> CKA_EXTRACTABLE - this object can be extracted from the token.
>
> If Private is set, then you need to log in to do any of the actions below.
>
> If both Sensitive and Extractable are set, then you can extract the object by
> wrapping it, but you can't access the unencrypted attributes.
>
> If Sensitive is FALSE and Extractable is TRUE, you can either extract the
> object by wrapping it, or by reading the attributes directly.
>
> If Extractable is FALSE, then you can't extract the object at all (either by
> wrapping it or by reading the attributes directly).
>
> Most tokens set Extractable to FALSE.
>
> bob
>
>>
>>
>>> I recommend reading about CKO_PRIVATE_KEY in the PKCS#11 standard to
>>> understand what can be happening.
>>> For example if token=card, CKA_PRIME_1 *mustn't* be on the card, as far
>>> as it is not *needed* to do cryptographic operations.
>>>
>>> On 26 January 2012 at 14:08, weizhong qiang
>>> <weizhongqi...@gmail.com> wrote:
>>>> hi,
>>>> Is it a fact that nss does not permit the reading of the attributes
>>>> CKA_PRIVATE_EXPONENT, CKA_PRIME_1, etc.?
>>>> Because with all of the eight attributes, it is possible to compose the
>>>> content of the private key, but the outputting of the private key is not
>>>> allowed in nss?
>>>>
>>>> Thanks and Best Regards,
>>>> Weizhong Qiang
>>>>
>>>> On Jan 26, 2012, at 9:43 AM, helpcrypto helpcrypto wrote:
>>>>
>>>>> Is any error shown at NSSUtilLogger.msg(ERROR, "Failed to read
>>>>> attribute %x from private key.", type); ?
>>>>>
>>>>> On 25 January 2012 at 17:04, weizhong qiang
>>>>> <weizhongqi...@gmail.com> wrote:
>>>>>> hi all,
>>>>>> I tried to get the attributes from a private key (see the following code
>>>>>> piece). But only the CKA_MODULUS and CKA_PUBLIC_EXPONENT can be got,
>>>>>> others (CKA_PRIVATE_EXPONENT etc.) cannot be got.
>>>>>> Could you tell me how to solve it?
>>>>>> By the way, I generate the rsa key pair without "sensitive"
>>>>>> (PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN, &rsaParams, pubk,
>>>>>> PR_TRUE, PR_FALSE, NULL); ), so I suppose the private key is not
>>>>>> protected by password, and can be output?
>>>>>>
>>>>>> Best Regards,
>>>>>> Weizhong Qiang
>>>>>>
>>>>>> /****************/
>>>>>> static bool ReadPrivKeyAttribute(SECKEYPrivateKey* key,
>>>>>>                                  CK_ATTRIBUTE_TYPE type,
>>>>>>                                  std::vector<uint8>* output) {
>>>>>>   SECItem item;
>>>>>>   SECStatus rv;
>>>>>>   rv = PK11_ReadRawAttribute(PK11_TypePrivKey, key, type, &item);
>>>>>>   if (rv != SECSuccess) {
>>>>>>     NSSUtilLogger.msg(ERROR, "Failed to read attribute %x from private key.", type);
>>>>>>     return false;
>>>>>>   }
>>>>>>   output->assign(item.data, item.data + item.len);
>>>>>>   SECITEM_FreeItem(&item, PR_FALSE);
>>>>>>   return true;
>>>>>> }
>>>>>>
>>>>>> static bool ExportPrivateKey(SECKEYPrivateKey* key,
>>>>>>                              std::vector<uint8>* output) {
>>>>>>   PrivateKeyInfoCodec private_key_info(true);
>>>>>>
>>>>>>   // Manually read the component attributes of the private key and build up
>>>>>>   // the PrivateKeyInfo.
>>>>>>   if (!ReadPrivKeyAttribute(key, CKA_MODULUS, private_key_info.modulus()) ||
>>>>>>       !ReadPrivKeyAttribute(key, CKA_PUBLIC_EXPONENT, private_key_info.public_exponent()) ||
>>>>>>       !ReadPrivKeyAttribute(key, CKA_PRIVATE_EXPONENT, private_key_info.private_exponent()) ||
>>>>>>       !ReadPrivKeyAttribute(key, CKA_PRIME_1, private_key_info.prime1()) ||
>>>>>>       !ReadPrivKeyAttribute(key, CKA_PRIME_2, private_key_info.prime2()) ||
>>>>>>       !ReadPrivKeyAttribute(key, CKA_EXPONENT_1, private_key_info.exponent1()) ||
>>>>>>       !ReadPrivKeyAttribute(key, CKA_EXPONENT_2, private_key_info.exponent2()) ||
>>>>>>       !ReadPrivKeyAttribute(key, CKA_COEFFICIENT, private_key_info.coefficient())) {
>>>>>>     return false;
>>>>>>   }
>>>>>>
>>>>>>   return private_key_info.Export(output);
>>>>>> }
>>>>>>
>>>>>> --
>>>>>> dev-tech-crypto mailing list
>>>>>> dev-tech-crypto@lists.mozilla.org
>>>>>> https://lists.mozilla.org/listinfo/dev-tech-crypto
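
The access rules from Robert Relyea's reply, applied to the eight attributes that ExportPrivateKey() reads, as an added example that is not part of the thread and is not NSS code. The `key_policy` struct, the function names and the result codes are hypothetical, and the sample policy is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* PKCS#11 attribute types (values as in pkcs11t.h), declared locally so the
 * example builds without NSS headers. */
enum { CKA_MODULUS = 0x120, CKA_PUBLIC_EXPONENT = 0x122,
       CKA_PRIVATE_EXPONENT = 0x123, CKA_PRIME_1 = 0x124, CKA_PRIME_2 = 0x125,
       CKA_EXPONENT_1 = 0x126, CKA_EXPONENT_2 = 0x127, CKA_COEFFICIENT = 0x128 };

/* Model-only result codes (hypothetical names). A real token reports the
 * last two as CKR_ATTRIBUTE_SENSITIVE and CKR_KEY_UNEXTRACTABLE. */
typedef enum { ACCESS_OK, NEED_LOGIN, ATTR_SENSITIVE, KEY_UNEXTRACTABLE } access_t;

/* Hypothetical model of a key's CKA_PRIVATE/CKA_SENSITIVE/CKA_EXTRACTABLE. */
typedef struct { bool is_private, sensitive, extractable; } key_policy;

/* Reading one attribute in the clear (what PK11_ReadRawAttribute asks for). */
access_t read_attribute(const key_policy *k, bool logged_in, unsigned long type) {
    /* Secret RSA components: everything except modulus and public exponent. */
    bool secret = type >= CKA_PRIVATE_EXPONENT && type <= CKA_COEFFICIENT;
    if (k->is_private && !logged_in) return NEED_LOGIN;
    if (secret && (k->sensitive || !k->extractable)) return ATTR_SENSITIVE;
    return ACCESS_OK;
}

/* Extracting the key by wrapping it under another key. */
access_t wrap_key(const key_policy *k, bool logged_in) {
    if (k->is_private && !logged_in) return NEED_LOGIN;
    return k->extractable ? ACCESS_OK : KEY_UNEXTRACTABLE;
}

/* How many of the eight attributes read by ExportPrivateKey() are returned. */
int readable_count(const key_policy *k, bool logged_in) {
    static const unsigned long attrs[] = {
        CKA_MODULUS, CKA_PUBLIC_EXPONENT, CKA_PRIVATE_EXPONENT, CKA_PRIME_1,
        CKA_PRIME_2, CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT };
    int n = 0;
    for (size_t i = 0; i < sizeof attrs / sizeof attrs[0]; i++)
        n += read_attribute(k, logged_in, attrs[i]) == ACCESS_OK;
    return n;
}

int main(void) {
    /* Constructed policy: sensitive (as the poster observed), assumed extractable. */
    key_policy k = { true, true, true };
    printf("readable: %d of 8, wrap: %d\n", readable_count(&k, true), wrap_key(&k, true) == ACCESS_OK);
    return 0;
}
```

With a sensitive key only the modulus and public exponent come back, which matches the symptom reported in the first message; under these rules the remaining route for such a key is wrapping, and only while it is extractable.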