Thanks a lot for this answer. Now I understand what was wrong.

 However, I think there is something wrong in the way Netscape passes the handle to
the DES3 key in the C_WrapKey function. Indeed, the handle is not a valid handle in
my token (i.e. no object exists with this handle for my module).

 In the other case, for the unwrapping function, Netscape calls the C_CreateObject
function of my PKCS#11 module before calling my C_UnwrapKey. Then Netscape passes to
my C_UnwrapKey() the handle to the secret key object it has just created with my
module. So for unwrapping, I can get the unwrapping key.

 But for the wrapping, Netscape doesn't call my C_CreateObject before calling my
C_WrapKey. As I understand it, maybe the handle to the wrapping key refers to the
Netscape softtoken, because it hasn't called my C_CreateObject.

 Have you experienced this problem? Could it be a bug in my Netscape version (I use
Communicator 4.75 on Win98)? Is there a way to access the secret key in the Netscape key
database?

 I hope this is not too much OT and that you can tell me what you think of this.
 Thanks again,

        Etienne


Dr S N Henson wrote:

> Here's the problem. What Netscape is doing is passing you a handle to a
> 3DES key which you should use to encrypt the data. PKCS8_encrypt()
> specifically handles password based encryption and packages the result
> in a PKCS8 (X509_SIG) structure. So while this is what OpenSSL wants for
> packaging the PKCS8_PRIV_KEY_INFO structure into a PKCS8 structure it
> isn't what Netscape wants.
>
> What you need to do, if I understand things correctly, is to generate
> the DER encoding of the PKCS8_PRIV_KEY_INFO structure using the
> i2d_PKCS8_PRIV_KEY_INFO routine (see FAQ for some info on using i2d
> routines).
>
> Then with this data you encrypt it using the passed 3DES key using
> EVP_Encrypt() and friends (see manual pages). Zero the unencrypted
> encoding and pass the encrypted stuff back to the application.
>
> If you just want the length of the encrypted structure without actually
> going through all this you can make a few shortcuts to this by just
> working out the encoding length and then the padded encrypted length
> (round up to a multiple of 8 [the 3DES block size] or add 8 if it is
> already a multiple of the block size).
>
> Steve.
> --
> Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
> Personal Email: [EMAIL PROTECTED]
> Senior crypto engineer, Celo Communications: http://www.celocom.com/
> Core developer of the   OpenSSL project: http://www.openssl.org/
> Business Email: [EMAIL PROTECTED] PGP key: via homepage.
>
> ______________________________________________________________________
> OpenSSL Project                         http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]

