hi,

On Jan 27, 2012, at 6:41 PM, Robert Relyea wrote:
> On 01/26/2012 06:50 PM, weizhong qiang wrote:
>> hi,
>>
>> On Jan 26, 2012, at 6:28 PM, Robert Relyea wrote:
>>
>>> On 01/26/2012 05:08 AM, weizhong qiang wrote:
>>>> hi,
>>>> Is there a fact that nss does not permit the reading of the attribute
>>>> CKA_PRIVATE_EXPONENT, CKA_PRIME_1, etc.?
>>>> Because with all of the eight attributes, it is possible to compose the
>>>> content of the private key, but the outputting of private key is not
>>>> allowed in nss?
>>>>
>>>> Thanks and Best Regards,
>>>> Weizhong Qiang
>>> These are private attributes. You are correct, applications aren't allowed
>>> to get them. It's bad security hygiene to access private cryptographic
>>> components in the application itself, though it's almost the first thing
>>> new crypto programmers try to do.
>>>
>>> My real question here is Why do you want to get the CKA_PRIVATE_EXPONENT?
>> I need to get CKA_PRIVATE_EXPONENT and some other private attributes, in
>> order to compute the private key, so as to output this private key without
>> encryption. I just knew that nss itself does not support the outputting of
>> private key without encryption.
> Right. That is how NSS enforces that semantic.
>> The outputting of private key that nss supports is only the pk12 that
>> requires encryption of private key.
>> The reason I want to do this is that I use the certificate in nss softoken to
>> sign a proxy certificate (rfc 3820), and then I need to output the private
>> key (generated by nss) that is relevant to this proxy certificate.
> I'm still not clear why the key needs to be in the clear. Are you trying to
> use the key with some other software? All major crypto toolkits allow
> importing keys using pkcs 12, or is the proxy using your own code (which is
> really a bad idea given the plethora of tested and available open source
> crypto libraries out there).

In the Grid computing area, the private key of proxy (a proxy includes both X509 and private key) by default needs to be un-encrypted, so that the delegation can be processed automatically (see: http://globus.org/toolkit/docs/4.0/security/key-index.html).

Before, the proxy was normally generated by the file-based certificate and key; now we need it to be generated by the credential from nss softoken. I am using nss API to achieve this.

To clarify my problem, I use nss API to generate a proxy (i.e., an RSA key pair is generated inside nss, and then the public key is used for an EEC credential in nss DB to sign a proxy certificate), but since the private key is still inside nss db, I need to output the private key together with the signed certificate. PKCS12 is the option for outputting, but the private key encryption is not needed for me here, because a private key of proxy must not be encrypted.

So that is the reason why I need to output an un-encrypted key.

Best Regards
Weizhong Qiang

>
> bob
>>
>> Best Regards,
>> Weizhong Qiang
>>
>>> bob
>>>
>>> --
>>> dev-tech-crypto mailing list
>>> dev-tech-crypto@lists.mozilla.org
>>> https://lists.mozilla.org/listinfo/dev-tech-crypto
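
The first question in the thread notes that the eight RSA attributes together are enough to compose the private key. As an added example (not code from the thread or from NSS, and making no NSS calls), the sketch below shows why a token treats them as sensitive: the eight values map one-to-one onto the fields of a PKCS#1 RSAPrivateKey, so anyone who can read them can write out an unencrypted key file. The key values are a constructed toy key (p=61, q=53), and all function names are hypothetical.

```python
import base64

# The eight PKCS#11 attributes from the thread, in PKCS#1 RSAPrivateKey field order.
FIELDS = ["CKA_MODULUS", "CKA_PUBLIC_EXPONENT", "CKA_PRIVATE_EXPONENT",
          "CKA_PRIME_1", "CKA_PRIME_2", "CKA_EXPONENT_1", "CKA_EXPONENT_2",
          "CKA_COEFFICIENT"]

def der_len(n):
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_int(v):
    """DER INTEGER for a non-negative value (the extra byte keeps the sign bit clear)."""
    b = v.to_bytes(v.bit_length() // 8 + 1, "big")
    return b"\x02" + der_len(len(b)) + b

def compose_rsa_private_key(attrs):
    """Build a PKCS#1 RSAPrivateKey (version 0) from the eight attribute values."""
    body = der_int(0) + b"".join(der_int(attrs[name]) for name in FIELDS)
    return b"\x30" + der_len(len(body)) + body

def to_pem(der):
    """Wrap DER in the unencrypted 'RSA PRIVATE KEY' PEM armor (64-char lines)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN RSA PRIVATE KEY-----\n" + "\n".join(lines) + "\n-----END RSA PRIVATE KEY-----\n"

def is_consistent(a):
    """True if the eight values describe one coherent RSA key."""
    n, e, d, p, q, dp, dq, qi = (a[f] for f in FIELDS)
    return (n == p * q and (e * d) % (p - 1) == 1 and (e * d) % (q - 1) == 1
            and dp == d % (p - 1) and dq == d % (q - 1) and (qi * q) % p == 1)

def toy_attributes():
    """Constructed toy key; a real key has primes of 1024 bits or more."""
    p, q, e = 61, 53, 17
    d = pow(e, -1, (p - 1) * (q - 1))  # Python 3.8+ modular inverse
    values = [p * q, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)]
    return dict(zip(FIELDS, values))

if __name__ == "__main__":
    print(to_pem(compose_rsa_private_key(toy_attributes())))
```
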