hi,
On Jan 27, 2012, at 6:52 PM, Robert Relyea wrote:
> On 01/26/2012 11:53 PM, weizhong qiang wrote:
>> hi,
>> I did found that the CKA_SENSITIVE is "true" by using the following code:
>> rv = PK11_ReadRawAttribute(PK11_TypePrivKey, privKey,
>> CKA_SENSITIVE,&value);
>> if (rv != SECSuccess) {
>> NSSUtilLogger.msg(ERROR, "Failed to read CKA_SENSITIVE attribute
>> from private key.");
>> }
>> if ((value.len == 1)&& (value.data != NULL))
>> std::cout<< !!(*(CK_BBOOL*)value.data)<<std::endl;
>>
>> But I did set sensitive parameter to be PR_FALSE when generate the key pair,
>> see the following:
>> *privk = PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN,&rsaParams,
>> pubk, PR_FALSE, PR_FALSE, NULL);
>>
>> How could the key still be sensitive? Is there anywhere that I should set?
> Hmm, your right, that doesn't seem right. Do you have a simple test case that
> reproduces this?
Yes, Please see the following attachment for the test case. If you would help,
you need to change the path of nss db, and certname, password etc.
>
> Also which version of NSS are you running?
Name: NSS
Description: Mozilla Network Security Services
Version: 3.12.9+ckbi-1.82
> Are you sure that slot points to the internal token?
Yes, you can see the code of test case, I explicitly point to the internal
token.
> Are you in FIPS mode? (in which case you don't have a choice on sensitive or
> not).
I did not enable FIPS mode. I suppose FIPS will not be enabled by default?
Best Regard,
Weizhong Qiang
>
> NSS uses exactly this method to generate a key it's going to load into a
> token that doesn't support CKM_RSA_PKCS_KEY_PAIR_GEN.
>
> bob
>
>>
>> Best Regards
>> Weizhong Qiang
>>
>>
>> On Jan 26, 2012, at 6:57 PM, Robert Relyea wrote:
>>
>>> On 01/26/2012 07:55 AM, weizhong qiang wrote:
>>>> On Jan 26, 2012, at 4:44 PM, helpcrypto helpcrypto wrote:
>>>>
>>>>> AFAIK, returning or not the attributes from an object, depends on the
>>>>> token.
>>>> Everything I am operating is on the nss internal softoken.
>>> Right softoken enforces good hygiene.
>>> In truth, access to those attributes are controlled through a couple of
>>> other attributes:
>>>
>>> CKA_PRIVATE - access to the object requires authentication.
>>>
>>> CKA_SENSITIVE - direct access to the sensitive/private attributes of this
>>> object is prohibitted.
>>>
>>> CKA_EXTRACTABLE - this object can be extracted from the token.
>>>
>>> If Private is set, then you need to log in to do any of the actions below.
>>>
>>> If both Sensitve and Extractable is set, then you can extract the object by
>>> wrapping it, but you can't access the unencrypted attributes.
>>>
>>> If Senstive is FALSE and Extractable is TRUE, you can either extract the
>>> object by wrapping it, or by reading the attributes directly.
>>>
>>> If Extractable is FALSE, then you can't extract the object at all (either
>>> by wrapping it or by reading the attributes directly).
>>>
>>> Most tokens set Extratable to FALSE.
>>>
>>> bob
>>>
>>>>
>>>>> I recommend you reading about CKO_PRIVATE_KEY on PKCS#11 standard to
>>>>> understand what can be happening.
>>>>> For example if token=card, CKA_PRIME_1 *musnt* be on the card, as far
>>>>> is not *needed* to do cryptographic operations.
>>>>>
>>>>> El día 26 de enero de 2012 14:08, weizhong qiang
>>>>> <weizhongqi...@gmail.com> escribió:
>>>>>> hi,
>>>>>> Is there a fact that nss does not permit the reading of the attribute
>>>>>> CKA_PRIVATE_EXPONENT, CKA_PRIME_1, etc.?
>>>>>> Because with all of the eight attributes, it is possible to compose the
>>>>>> content of the private key, but the outputting of private key is not
>>>>>> allowed in nss?
>>>>>>
>>>>>> Thanks and Best Regards,
>>>>>> Weizhong Qiang
>>>>>>
>>>>>> On Jan 26, 2012, at 9:43 AM, helpcrypto helpcrypto wrote:
>>>>>>
>>>>>>> Is eny error shown at NSSUtilLogger.msg(ERROR, "Failed to read
>>>>>>> attribute %x from private key.", type); ?
>>>>>>>
>>>>>>> El día 25 de enero de 2012 17:04, weizhong qiang
>>>>>>> <weizhongqi...@gmail.com> escribió:
>>>>>>>> hi all,
>>>>>>>> I tried to get the attributes from a private key (see the following
>>>>>>>> code piece). But only the CKA_MODULUS and CKA_PUBLIC_EXPONENT can be
>>>>>>>> got, others (CKA_PRIVATE_EXPONENT etc.) can not be got.
>>>>>>>> Could you tell me how to solve it?
>>>>>>>> By the way, I generate rsa key pair without "sensitive"
>>>>>>>> (PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN,&rsaParams,
>>>>>>>> pubk, PR_TRUE, PR_FALSE, NULL); ), so I suppose the private key is not
>>>>>>>> protected by password, and can be output?
>>>>>>>>
>>>>>>>> Best Regards,
>>>>>>>> Weizhong Qiang
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> /****************/
>>>>>>>> static bool ReadPrivKeyAttribute(SECKEYPrivateKey* key,
>>>>>>>> CK_ATTRIBUTE_TYPE type, std::vector<uint8>* output) {
>>>>>>>> SECItem item;
>>>>>>>> SECStatus rv;
>>>>>>>> rv = PK11_ReadRawAttribute(PK11_TypePrivKey, key, type,&item);
>>>>>>>> if (rv != SECSuccess) {
>>>>>>>> NSSUtilLogger.msg(ERROR, "Failed to read attribute %x from
>>>>>>>> private key.", type);
>>>>>>>> return false;
>>>>>>>> }
>>>>>>>> output->assign(item.data, item.data + item.len);
>>>>>>>> SECITEM_FreeItem(&item, PR_FALSE);
>>>>>>>> return true;
>>>>>>>> }
>>>>>>>>
>>>>>>>> static bool ExportPrivateKey(SECKEYPrivateKey* key,
>>>>>>>> std::vector<uint8>* output) {
>>>>>>>> PrivateKeyInfoCodec private_key_info(true);
>>>>>>>>
>>>>>>>> // Manually read the component attributes of the private key and
>>>>>>>> build up
>>>>>>>> // the PrivateKeyInfo.
>>>>>>>> if (!ReadPrivKeyAttribute(key, CKA_MODULUS,
>>>>>>>> private_key_info.modulus()) ||
>>>>>>>> !ReadPrivKeyAttribute(key, CKA_PUBLIC_EXPONENT,
>>>>>>>> private_key_info.public_exponent()) ||
>>>>>>>> !ReadPrivKeyAttribute(key, CKA_PRIVATE_EXPONENT,
>>>>>>>> private_key_info.private_exponent()) ||
>>>>>>>> !ReadPrivKeyAttribute(key, CKA_PRIME_1,
>>>>>>>> private_key_info.prime1()) ||
>>>>>>>> !ReadPrivKeyAttribute(key, CKA_PRIME_2,
>>>>>>>> private_key_info.prime2()) ||
>>>>>>>> !ReadPrivKeyAttribute(key, CKA_EXPONENT_1,
>>>>>>>> private_key_info.exponent1()) ||
>>>>>>>> !ReadPrivKeyAttribute(key, CKA_EXPONENT_2,
>>>>>>>> private_key_info.exponent2()) ||
>>>>>>>> !ReadPrivKeyAttribute(key, CKA_COEFFICIENT,
>>>>>>>> private_key_info.coefficient())) {
>>>>>>>> return false;
>>>>>>>> }
>>>>>>>>
>>>>>>>> return private_key_info.Export(output);
>>>>>>>> }
>>>>>>>>
>>>>>>>> --
>>>>>>>> dev-tech-crypto mailing list
>>>>>>>> dev-tech-crypto@lists.mozilla.org
>>>>>>>> https://lists.mozilla.org/listinfo/dev-tech-crypto
>>>>>>> --
>>>>>>> dev-tech-crypto mailing list
>>>>>>> dev-tech-crypto@lists.mozilla.org
>>>>>>> https://lists.mozilla.org/listinfo/dev-tech-crypto
>>>>>> --
>>>>>> dev-tech-crypto mailing list
>>>>>> dev-tech-crypto@lists.mozilla.org
>>>>>> https://lists.mozilla.org/listinfo/dev-tech-crypto
>>>>> --
>>>>> dev-tech-crypto mailing list
>>>>> dev-tech-crypto@lists.mozilla.org
>>>>> https://lists.mozilla.org/listinfo/dev-tech-crypto
>>>
>>> --
>>> dev-tech-crypto mailing list
>>> dev-tech-crypto@lists.mozilla.org
>>> https://lists.mozilla.org/listinfo/dev-tech-crypto
>
>
> --
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
