hi, On Jan 27, 2012, at 6:52 PM, Robert Relyea wrote:
> On 01/26/2012 11:53 PM, weizhong qiang wrote: >> hi, >> I did found that the CKA_SENSITIVE is "true" by using the following code: >> rv = PK11_ReadRawAttribute(PK11_TypePrivKey, privKey, >> CKA_SENSITIVE,&value); >> if (rv != SECSuccess) { >> NSSUtilLogger.msg(ERROR, "Failed to read CKA_SENSITIVE attribute >> from private key."); >> } >> if ((value.len == 1)&& (value.data != NULL)) >> std::cout<< !!(*(CK_BBOOL*)value.data)<<std::endl; >> >> But I did set sensitive parameter to be PR_FALSE when generate the key pair, >> see the following: >> *privk = PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN,&rsaParams, >> pubk, PR_FALSE, PR_FALSE, NULL); >> >> How could the key still be sensitive? Is there anywhere that I should set? > Hmm, your right, that doesn't seem right. Do you have a simple test case that > reproduces this? Yes, Please see the following attachment for the test case. If you would help, you need to change the path of nss db, and certname, password etc.
> > Also which version of NSS are you running? Name: NSS Description: Mozilla Network Security Services Version: 3.12.9+ckbi-1.82 > Are you sure that slot points to the internal token? Yes, you can see the code of test case, I explicitly point to the internal token. > Are you in FIPS mode? (in which case you don't have a choice on sensitive or > not). I did not enable FIPS mode. I suppose FIPS will not be enabled by default? Best Regard, Weizhong Qiang > > NSS uses exactly this method to generate a key it's going to load into a > token that doesn't support CKM_RSA_PKCS_KEY_PAIR_GEN. > > bob > >> >> Best Regards >> Weizhong Qiang >> >> >> On Jan 26, 2012, at 6:57 PM, Robert Relyea wrote: >> >>> On 01/26/2012 07:55 AM, weizhong qiang wrote: >>>> On Jan 26, 2012, at 4:44 PM, helpcrypto helpcrypto wrote: >>>> >>>>> AFAIK, returning or not the attributes from an object, depends on the >>>>> token. >>>> Everything I am operating is on the nss internal softoken. >>> Right softoken enforces good hygiene. >>> In truth, access to those attributes are controlled through a couple of >>> other attributes: >>> >>> CKA_PRIVATE - access to the object requires authentication. >>> >>> CKA_SENSITIVE - direct access to the sensitive/private attributes of this >>> object is prohibitted. >>> >>> CKA_EXTRACTABLE - this object can be extracted from the token. >>> >>> If Private is set, then you need to log in to do any of the actions below. >>> >>> If both Sensitve and Extractable is set, then you can extract the object by >>> wrapping it, but you can't access the unencrypted attributes. >>> >>> If Senstive is FALSE and Extractable is TRUE, you can either extract the >>> object by wrapping it, or by reading the attributes directly. >>> >>> If Extractable is FALSE, then you can't extract the object at all (either >>> by wrapping it or by reading the attributes directly). >>> >>> Most tokens set Extratable to FALSE. >>> >>> bob >>> >>>> >>>>> I recommend you reading about CKO_PRIVATE_KEY on PKCS#11 standard to >>>>> understand what can be happening. >>>>> For example if token=card, CKA_PRIME_1 *musnt* be on the card, as far >>>>> is not *needed* to do cryptographic operations. >>>>> >>>>> El día 26 de enero de 2012 14:08, weizhong qiang >>>>> <weizhongqi...@gmail.com> escribió: >>>>>> hi, >>>>>> Is there a fact that nss does not permit the reading of the attribute >>>>>> CKA_PRIVATE_EXPONENT, CKA_PRIME_1, etc.? >>>>>> Because with all of the eight attributes, it is possible to compose the >>>>>> content of the private key, but the outputting of private key is not >>>>>> allowed in nss? >>>>>> >>>>>> Thanks and Best Regards, >>>>>> Weizhong Qiang >>>>>> >>>>>> On Jan 26, 2012, at 9:43 AM, helpcrypto helpcrypto wrote: >>>>>> >>>>>>> Is eny error shown at NSSUtilLogger.msg(ERROR, "Failed to read >>>>>>> attribute %x from private key.", type); ? >>>>>>> >>>>>>> El día 25 de enero de 2012 17:04, weizhong qiang >>>>>>> <weizhongqi...@gmail.com> escribió: >>>>>>>> hi all, >>>>>>>> I tried to get the attributes from a private key (see the following >>>>>>>> code piece). But only the CKA_MODULUS and CKA_PUBLIC_EXPONENT can be >>>>>>>> got, others (CKA_PRIVATE_EXPONENT etc.) can not be got. >>>>>>>> Could you tell me how to solve it? >>>>>>>> By the way, I generate rsa key pair without "sensitive" >>>>>>>> (PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN,&rsaParams, >>>>>>>> pubk, PR_TRUE, PR_FALSE, NULL); ), so I suppose the private key is not >>>>>>>> protected by password, and can be output? >>>>>>>> >>>>>>>> Best Regards, >>>>>>>> Weizhong Qiang >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> /****************/ >>>>>>>> static bool ReadPrivKeyAttribute(SECKEYPrivateKey* key, >>>>>>>> CK_ATTRIBUTE_TYPE type, std::vector<uint8>* output) { >>>>>>>> SECItem item; >>>>>>>> SECStatus rv; >>>>>>>> rv = PK11_ReadRawAttribute(PK11_TypePrivKey, key, type,&item); >>>>>>>> if (rv != SECSuccess) { >>>>>>>> NSSUtilLogger.msg(ERROR, "Failed to read attribute %x from >>>>>>>> private key.", type); >>>>>>>> return false; >>>>>>>> } >>>>>>>> output->assign(item.data, item.data + item.len); >>>>>>>> SECITEM_FreeItem(&item, PR_FALSE); >>>>>>>> return true; >>>>>>>> } >>>>>>>> >>>>>>>> static bool ExportPrivateKey(SECKEYPrivateKey* key, >>>>>>>> std::vector<uint8>* output) { >>>>>>>> PrivateKeyInfoCodec private_key_info(true); >>>>>>>> >>>>>>>> // Manually read the component attributes of the private key and >>>>>>>> build up >>>>>>>> // the PrivateKeyInfo. >>>>>>>> if (!ReadPrivKeyAttribute(key, CKA_MODULUS, >>>>>>>> private_key_info.modulus()) || >>>>>>>> !ReadPrivKeyAttribute(key, CKA_PUBLIC_EXPONENT, >>>>>>>> private_key_info.public_exponent()) || >>>>>>>> !ReadPrivKeyAttribute(key, CKA_PRIVATE_EXPONENT, >>>>>>>> private_key_info.private_exponent()) || >>>>>>>> !ReadPrivKeyAttribute(key, CKA_PRIME_1, >>>>>>>> private_key_info.prime1()) || >>>>>>>> !ReadPrivKeyAttribute(key, CKA_PRIME_2, >>>>>>>> private_key_info.prime2()) || >>>>>>>> !ReadPrivKeyAttribute(key, CKA_EXPONENT_1, >>>>>>>> private_key_info.exponent1()) || >>>>>>>> !ReadPrivKeyAttribute(key, CKA_EXPONENT_2, >>>>>>>> private_key_info.exponent2()) || >>>>>>>> !ReadPrivKeyAttribute(key, CKA_COEFFICIENT, >>>>>>>> private_key_info.coefficient())) { >>>>>>>> return false; >>>>>>>> } >>>>>>>> >>>>>>>> return private_key_info.Export(output); >>>>>>>> } >>>>>>>> >>>>>>>> -- >>>>>>>> dev-tech-crypto mailing list >>>>>>>> dev-tech-crypto@lists.mozilla.org >>>>>>>> https://lists.mozilla.org/listinfo/dev-tech-crypto >>>>>>> -- >>>>>>> dev-tech-crypto mailing list >>>>>>> dev-tech-crypto@lists.mozilla.org >>>>>>> https://lists.mozilla.org/listinfo/dev-tech-crypto >>>>>> -- >>>>>> dev-tech-crypto mailing list >>>>>> dev-tech-crypto@lists.mozilla.org >>>>>> https://lists.mozilla.org/listinfo/dev-tech-crypto >>>>> -- >>>>> dev-tech-crypto mailing list >>>>> dev-tech-crypto@lists.mozilla.org >>>>> https://lists.mozilla.org/listinfo/dev-tech-crypto >>> >>> -- >>> dev-tech-crypto mailing list >>> dev-tech-crypto@lists.mozilla.org >>> https://lists.mozilla.org/listinfo/dev-tech-crypto > > > -- > dev-tech-crypto mailing list > dev-tech-crypto@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-tech-crypto
-- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto