On 01/26/2012 06:50 PM, weizhong qiang wrote:
hi,
On Jan 26, 2012, at 6:28 PM, Robert Relyea wrote:
On 01/26/2012 05:08 AM, weizhong qiang wrote:
hi,
Is it a fact that nss does not permit the reading of the attributes
CKA_PRIVATE_EXPONENT, CKA_PRIME_1, etc.?
Because with all of the eight attributes, it is possible to compose the content
of the private key, but the outputting of the private key is not allowed in nss?
Thanks and Best Regards,
Weizhong Qiang
These are private attributes. You are correct, applications aren't allowed to
get them. It's bad security hygiene to access private cryptographic components
in the application itself, though it's almost the first thing new crypto
programmers try to do.
My real question here is Why do you want to get the CKA_PRIVATE_EXPONENT?
I need to get CKA_PRIVATE_EXPONENT and some other private attributes, in order
to compute the private key, so as to output this private key without
encryption. I just knew that nss itself does not support the outputting of
private key without encryption.
Right. That is how NSS enforces that semantic.
The outputting of private key that nss supports is only the pk12 that requires
encryption of private key.
The reason I want to do this is that I use the certificate in nss softoken to
sign a proxy certificate (rfc 3820), and then I need to output the private key
(generated by nss) that is relevant to this proxy certificate.
I'm still not clear why the key needs to be in the clear. Are you trying
to use the key with some other software? All major crypto toolkits allow
importing keys using pkcs 12, or is the proxy using your own code (which
is really a bad idea given the plethora of tested and available open
source crypto libraries out there).
bob
Best Regards,
Weizhong Qiang
bob
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
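Added example, not part of the original thread and not NSS code: the thread notes that the eight PKCS #11 RSA attributes together make up the private key. This sketch goes one step further and shows why a token has to treat each private attribute as sensitive: given the public modulus and exponent, CKA_PRIVATE_EXPONENT alone is enough to recompute the other five (textbook factoring method, as in NIST SP 800-56B Appendix C). The key material is a constructed toy key and the function names are hypothetical.

```python
import math
import random

def factor_from_d(n, e, d, seed=0):
    """Recover the primes of n from (n, e, d); returns (larger, smaller)."""
    rng = random.Random(seed)
    k = e * d - 1                 # a multiple of lambda(n), always even
    r, t = k, 0
    while r % 2 == 0:             # write k = r * 2^t with r odd
        r //= 2
        t += 1
    for _ in range(100):          # each random base succeeds with prob >= 1/2
        y = pow(rng.randrange(2, n - 1), r, n)
        if y in (1, n - 1):
            continue
        for _ in range(t):
            x = pow(y, 2, n)
            if x == 1:            # y is a non-trivial square root of 1 mod n
                p = math.gcd(y - 1, n)
                return max(p, n // p), min(p, n // p)
            if x == n - 1:
                break
            y = x
    raise ValueError("no factor found")

def pkcs11_rsa_private_attrs(n, e, d):
    """Rebuild all eight RSA private-key attributes from n, e and d only."""
    p, q = factor_from_d(n, e, d)
    return {
        "CKA_MODULUS": n,
        "CKA_PUBLIC_EXPONENT": e,
        "CKA_PRIVATE_EXPONENT": d,
        "CKA_PRIME_1": p,
        "CKA_PRIME_2": q,
        "CKA_EXPONENT_1": d % (p - 1),      # d mod (p-1)
        "CKA_EXPONENT_2": d % (q - 1),      # d mod (q-1)
        "CKA_COEFFICIENT": pow(q, -1, p),   # q^-1 mod p
    }

# Constructed toy key (two Mersenne primes); far too small for real use.
P, Q, E = 2**61 - 1, 2**31 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

if __name__ == "__main__":
    for name, value in pkcs11_rsa_private_attrs(N, E, D).items():
        print(f"{name:22} {value:#x}")
```
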