liupeng wrote:
Thanks for Julien Pierre answer!
I want to do a low-level RSA encrypt for my proprietary application and I use smart card (g&d spk) as my hardware device(Both the public key and the private key stored in smartcard).
Firstable, to do an RSA encrypt using a public key, you don't really need to actually perform the operation on the smartcard. If you imported the public key into your hardware token, and use the resulting public key handle of that token key for the operations, NSS will first try to perform the operations on the smartcard's PKCS#11 module. If that fails, it will then fallback to doing it in software using softokn.
Before I use nss for my proprietary application,I use pkcs11 hardware module directly. I want to use public key to encrypt some my proprietary data,and use pkcs1.5 padding mode(CKM_RSA_PKCS).Later I use the corresponding private key to decrypt it.(Maybe I also use the private key to sign some data and use publickey to verify the signature.) But it seems function PK11_PubEncryptRaw use CKM_X509 mode,and I don't know the detail implementation of pkcs1.5 padding mode.Does nss support any function to do this?
Does the function PK11_CipherOp seems can do this?If it can do,how do I generate a PK11Context pass to function.
PK11_CipherOp only works for bulk (symmetric) ciphers. You can't use it for RSA public key ops .
After much questioning of other team members, we have come to the conclusion that there is no function today in NSS that directly does what you want. We only use RSA encryption and decryption to wrap and unwrap symmetric keys (such as for SSL and S/MIME), but not for actual application data, and therefore we didn't provide a function to encrypt and decrypt data using RSA. If you are using RSA to encrypt a symmetric key, then you can use the function called PK11_PubWrapSymKey .
Pass it CKM_RSA_PKCS, the handle to your public key on your token, the handle to a symmetric key, and a SECItem* which will contain the wrapped (encrypted) key.
If what you are encrypting with RSA is not a symmetric key, what you can do is create a dummy symmetric key from the data you want to encrypt with RSA. Use PK11_ImportSymKey to import your "symkey" (actually your data to encrypt) . The "key" data will be in a SECItem structure which simply contains a void* and a length. I think you can use a CK_MECHANISM_TYPE of CKM_GENERIC_SECRET_KEY_GEN and a PK11Origin try PK11_OriginGenerated .
You can destroy the fake symmetric key using PK11_FreeSymKey after you are doing encrypting.
_______________________________________________ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
