Hi again,
On Wednesday, November 14, 2012 07:29:30 PM Kai Engert wrote:
> I haven't worked on the lowlevel code myself yet, so I'm not sure how
> exactly it works.
>
> But I just had a look at PSM code nsSDR.cpp, and I'm learning that
> "secret decoder ring" appears to be a functionality provided by NSS,
> because I see functions with prefix PK11SDR
>
> There is another NSS tool named "sdrtest". Maybe that tool can help you?
>
> After preparing a fresh database, I ran:
> sdrtest -t foo -d /tmp/sdr/ -o /tmp/bar
Even though this command creates key3.db and initializes it with an encryption
key, it seems that the encrypting function of this utility totally ignores the
created key.
At sdrtest.c:
...........................
    SECItem keyid = { 0, 0, 0 };
            ^^^^^^
    SECItem outBuf = { 0, 0, 0 };
    PK11SlotInfo *slot = NULL;
    /* sigh, initialize the key database */
    slot = PK11_GetInternalKeySlot();
    if (slot && PK11_NeedUserInit(slot)) {
        switch (pwdata.source) {
        case PW_FROMFILE:
            rv = SECU_ChangePW(slot, 0, pwdata.data);
            break;
        case PW_PLAINTEXT:
            rv = SECU_ChangePW(slot, pwdata.data, 0);
            break;
        default:
            rv = SECU_ChangePW(slot, "", 0);
            break;
        }
        if (rv != SECSuccess) {
            SECU_PrintError(program_name, "Failed to initialize slot \"%s\"",
                            PK11_GetSlotName(slot));
            return SECFailure;
        }
    }
    if (slot) {
        PK11_FreeSlot(slot);
    }
    rv = PK11SDR_Encrypt(&keyid, &data, &result, &pwdata);
                          ^^^^^
...........................
Now if we look at line 195 here
http://www.mozilla.org/projects/security/pki/nss/fips/nss-source/mozilla/security/nss/lib/pk11wrap/pk11sdr.c.html
we will see that keyid = { 0, 0, 0 } will have libnss use an internal predefined
key, instead of the one contained in -d DATABASEDIR.
Am I seeing this right?
I noticed this as I tried to use sdrtest to encrypt credentials instead of the
python script I have currently, and the saved credentials were always rejected
by Thunderbird.
What do you think?
Cheers
Gustavo
--
Angulo Sólido - Tecnologias de Informação
http://angulosolido.pt
--
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
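
One way to see which key an SDR blob says it was encrypted under is to read the key ID out of the blob itself. This is an added example, not part of the original message and not NSS code: it assumes the SDR result is a DER SEQUENCE of key ID, AlgorithmIdentifier and ciphertext (an assumption based on the ASN.1 template in pk11sdr.c), and the function names and the sample blob are constructed for illustration.

```python
# Added example: minimal DER reader for an NSS SDR result blob. Assumed layout:
#   SEQUENCE { OCTET STRING keyid, AlgorithmIdentifier alg, OCTET STRING data }

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, value = [], 0
    for byte in body:  # base-128 arcs, high bit set means "more octets follow"
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    if not arcs:
        raise ValueError("empty OID")
    first = min(arcs[0] // 40, 2)
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])

def parse_sdr_blob(der):
    """Split an SDR blob into key ID, algorithm OID, raw parameters and ciphertext."""
    tag, seq, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one DER SEQUENCE")
    t1, keyid, pos = read_tlv(seq, 0)
    t2, alg, pos = read_tlv(seq, pos)
    t3, data, pos = read_tlv(seq, pos)
    if (t1, t2, t3) != (0x04, 0x30, 0x04) or pos != len(seq):
        raise ValueError("not the assumed SDR layout")
    t4, oid, params_at = read_tlv(alg, 0)
    if t4 != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return {"keyid": keyid.hex(), "alg_oid": decode_oid(oid),
            "params": alg[params_at:].hex(), "ciphertext": data.hex()}
# Constructed sample blob (not real output): 16-byte key ID, DES-EDE3-CBC OID, 8-byte IV.
SAMPLE = bytes.fromhex("303a0410" + "000102030405060708090a0b0c0d0e0f" + "30140608"
                       + "2a864886f70d0307" + "0408" + "11" * 8 + "0410" + "22" * 16)
```

Calling parse_sdr_blob on the raw bytes of two blobs and comparing the "keyid" fields shows whether both name the same key.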