I'm trying to understand why the PK11_Derive call:

    CK_OBJECT_HANDLE key_handle = PK11_GetSymKeyHandle(key);
    SECItem key_param = { .data = (unsigned char*)&key_handle,
                          .len = sizeof(key_handle) };
    CK_ATTRIBUTE_TYPE operation = CKA_DERIVE;
    int key_size = 0;
    PK11SymKey *result = PK11_Derive(base_key, CKM_CONCATENATE_BASE_AND_KEY,
                                     &key_param, CKM_MD5_KEY_DERIVATION,
                                     operation, key_size);
works when "key" came from CKM_DH_PKCS_DERIVE but fails when the key came from (CKM_ECDH1_DERIVE, CKD_NULL). Debugging suggests that the operation is rejected in lib/softoken/pkcs11c.c by the code:

    att2 = sftk_FindAttribute(newKey, CKA_VALUE);
    if (att2 == NULL) {
        sftk_FreeObject(newKey);
        crv = CKR_KEY_HANDLE_INVALID;
        break;
    }

I've found that a work-around is to first do a CKM_EXTRACT_KEY_FROM_KEY and then use that :-/

Is this expected? And is there a clean way to detect a key like ECDH that will cause problems?

Andrew
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto