Re: how to get CKA_PRIVATE_EXPONENT attribute from a private key?
hi, I did found that the CKA_SENSITIVE is "true" by using the following code: rv = PK11_ReadRawAttribute(PK11_TypePrivKey, privKey, CKA_SENSITIVE, &value); if (rv != SECSuccess) { NSSUtilLogger.msg(ERROR, "Failed to read CKA_SENSITIVE attribute from private key."); } if ((value.len == 1) && (value.data != NULL)) std::cout<< !!(*(CK_BBOOL*)value.data)< On 01/26/2012 07:55 AM, weizhong qiang wrote: >> On Jan 26, 2012, at 4:44 PM, helpcrypto helpcrypto wrote: >> >>> AFAIK, returning or not the attributes from an object, depends on the token. >> Everything I am operating is on the nss internal softoken. > > Right softoken enforces good hygiene. > In truth, access to those attributes are controlled through a couple of other > attributes: > > CKA_PRIVATE - access to the object requires authentication. > > CKA_SENSITIVE - direct access to the sensitive/private attributes of this > object is prohibitted. > > CKA_EXTRACTABLE - this object can be extracted from the token. > > If Private is set, then you need to log in to do any of the actions below. > > If both Sensitve and Extractable is set, then you can extract the object by > wrapping it, but you can't access the unencrypted attributes. > > If Senstive is FALSE and Extractable is TRUE, you can either extract the > object by wrapping it, or by reading the attributes directly. > > If Extractable is FALSE, then you can't extract the object at all (either by > wrapping it or by reading the attributes directly). > > Most tokens set Extratable to FALSE. > > bob > >> >> >>> I recommend you reading about CKO_PRIVATE_KEY on PKCS#11 standard to >>> understand what can be happening. >>> For example if token=card, CKA_PRIME_1 *musnt* be on the card, as far >>> is not *needed* to do cryptographic operations. >>> >>> El día 26 de enero de 2012 14:08, weizhong qiang >>> escribió: hi, Is there a fact that nss does not permit the reading of the attribute CKA_PRIVATE_EXPONENT, CKA_PRIME_1, etc.? Because with all of the eight attributes, it is possible to compose the content of the private key, but the outputting of private key is not allowed in nss? Thanks and Best Regards, Weizhong Qiang On Jan 26, 2012, at 9:43 AM, helpcrypto helpcrypto wrote: > Is eny error shown at NSSUtilLogger.msg(ERROR, "Failed to read > attribute %x from private key.", type); ? > > El día 25 de enero de 2012 17:04, weizhong qiang > escribió: >> hi all, >> I tried to get the attributes from a private key (see the following code >> piece). But only the CKA_MODULUS and CKA_PUBLIC_EXPONENT can be got, >> others (CKA_PRIVATE_EXPONENT etc.) can not be got. >> Could you tell me how to solve it? >> By the way, I generate rsa key pair without "sensitive" >> (PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN,&rsaParams, pubk, >> PR_TRUE, PR_FALSE, NULL); ), so I suppose the private key is not >> protected by password, and can be output? >> >> Best Regards, >> Weizhong Qiang >> >> >> >> >> // >> static bool ReadPrivKeyAttribute(SECKEYPrivateKey* key, >> CK_ATTRIBUTE_TYPE type, std::vector* output) { >>SECItem item; >>SECStatus rv; >>rv = PK11_ReadRawAttribute(PK11_TypePrivKey, key, type,&item); >>if (rv != SECSuccess) { >> NSSUtilLogger.msg(ERROR, "Failed to read attribute %x from private >> key.", type); >> return false; >>} >>output->assign(item.data, item.data + item.len); >>SECITEM_FreeItem(&item, PR_FALSE); >>return true; >> } >> >> static bool ExportPrivateKey(SECKEYPrivateKey* key, std::vector* >> output) { >>PrivateKeyInfoCodec private_key_info(true); >> >>// Manually read the component attributes of the private key and >> build up >>// the PrivateKeyInfo. >>if (!ReadPrivKeyAttribute(key, CKA_MODULUS, >> private_key_info.modulus()) || >> !ReadPrivKeyAttribute(key, CKA_PUBLIC_EXPONENT, >> private_key_info.public_exponent()) || >> !ReadPrivKeyAttribute(key, CKA_PRIVATE_EXPONENT, >> private_key_info.private_exponent()) || >> !ReadPrivKeyAttribute(key, CKA_PRIME_1, private_key_info.prime1()) >> || >> !ReadPrivKeyAttribute(key, CKA_PRIME_2, private_key_info.prime2()) >> || >> !ReadPrivKeyAttribute(key, CKA_EXPONENT_1, >> private_key_info.exponent1()) || >> !ReadPrivKeyAttribute(key, CKA_EXPONENT_2, >> private_key_info.exponent2()) || >> !ReadPrivKeyAttribute(key, CKA_COEFFICIENT, >> private_key_info.coefficient())) { >> return false; >>} >> >>return private_key_info.Export(output); >> } >> >> -- >> dev-tech-crypto mailing list >> dev-tech-crypto@l
Re: Thunderbird encrypted mail using certificate (on smartcard) isnt able to C_Decrypt the message. Why?
> In the first call you need to return a value at least big enough to hold the > decrypted data. 128 bytes (size of encrypted data) is big enough for RSA. > This isn't ideal, however. You keep saying the data is 24 bytes, but that's > not a given, it's only true in the case you were talking. If you receive a > different type of key it could be a different size. Even if I know the key > type is RC5, for instance, I still don't know the key length. That is > encoded in the PKCS #1. In order to get that you need to decrypt the block. > That is why I was saying using the first call/second call method could lead > to needing to double decrypt (once to find the length and once to return the > data). This is what im doing, dont worry. > err, are you hard coding the size at 24. That is not what I said to do. You > function that use used to decrypt your PKCS #1 data returns a data length > somewhere. It has to or the function is incomplete (it's not really > processing the PKCS #1 data). That data length is what you need to return. Not hardcoding. That would be a nightmare. I do it as you said some mails ago: twice. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: how to get CKA_PRIVATE_EXPONENT attribute from a private key?
hi, On Jan 26, 2012, at 6:28 PM, Robert Relyea wrote: > On 01/26/2012 05:08 AM, weizhong qiang wrote: >> hi, >> Is there a fact that nss does not permit the reading of the attribute >> CKA_PRIVATE_EXPONENT, CKA_PRIME_1, etc.? >> Because with all of the eight attributes, it is possible to compose the >> content of the private key, but the outputting of private key is not allowed >> in nss? >> >> Thanks and Best Regards, >> Weizhong Qiang > These are private attributes. You are correct, applications aren't allowed to > get them. It's bad security hygene to access private cryptographic components > in the application itself, thought it's almost the first thing new crypto > programmers try to do. > > My real question here is Why do you want to get the CKA_PRIVATE_EXPONENT? I need to get CKA_PRIVATE_EXPONENT and some other private attributes, in order to compute the private key, so as to output this private key without encryption. I just knew that nss itself does not support the outputting of private key without encryption. The outputting of private key that nss support is only the pk12 that requires encryption of private key. I reason I want to do this is that I use the certificate in nss softoken to sign a proxy certificate (rfc 3820), and then I need to output the private key (generate by nss) that is relevant to this proxy certificate. Best Regards, Weizhong Qiang > > bob > > -- > dev-tech-crypto mailing list > dev-tech-crypto@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-tech-crypto -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: how to get CKA_PRIVATE_EXPONENT attribute from a private key?
On 01/26/2012 05:08 AM, weizhong qiang wrote: hi, Is there a fact that nss does not permit the reading of the attribute CKA_PRIVATE_EXPONENT, CKA_PRIME_1, etc.? Because with all of the eight attributes, it is possible to compose the content of the private key, but the outputting of private key is not allowed in nss? Thanks and Best Regards, Weizhong Qiang These are private attributes. You are correct, applications aren't allowed to get them. It's bad security hygene to access private cryptographic components in the application itself, thought it's almost the first thing new crypto programmers try to do. My real question here is Why do you want to get the CKA_PRIVATE_EXPONENT? bob -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: how to get CKA_PRIVATE_EXPONENT attribute from a private key?
On 01/26/2012 07:55 AM, weizhong qiang wrote: On Jan 26, 2012, at 4:44 PM, helpcrypto helpcrypto wrote: AFAIK, returning or not the attributes from an object, depends on the token. Everything I am operating is on the nss internal softoken. Right softoken enforces good hygiene. In truth, access to those attributes are controlled through a couple of other attributes: CKA_PRIVATE - access to the object requires authentication. CKA_SENSITIVE - direct access to the sensitive/private attributes of this object is prohibitted. CKA_EXTRACTABLE - this object can be extracted from the token. If Private is set, then you need to log in to do any of the actions below. If both Sensitve and Extractable is set, then you can extract the object by wrapping it, but you can't access the unencrypted attributes. If Senstive is FALSE and Extractable is TRUE, you can either extract the object by wrapping it, or by reading the attributes directly. If Extractable is FALSE, then you can't extract the object at all (either by wrapping it or by reading the attributes directly). Most tokens set Extratable to FALSE. bob I recommend you reading about CKO_PRIVATE_KEY on PKCS#11 standard to understand what can be happening. For example if token=card, CKA_PRIME_1 *musnt* be on the card, as far is not *needed* to do cryptographic operations. El día 26 de enero de 2012 14:08, weizhong qiang escribió: hi, Is there a fact that nss does not permit the reading of the attribute CKA_PRIVATE_EXPONENT, CKA_PRIME_1, etc.? Because with all of the eight attributes, it is possible to compose the content of the private key, but the outputting of private key is not allowed in nss? Thanks and Best Regards, Weizhong Qiang On Jan 26, 2012, at 9:43 AM, helpcrypto helpcrypto wrote: Is eny error shown at NSSUtilLogger.msg(ERROR, "Failed to read attribute %x from private key.", type); ? El día 25 de enero de 2012 17:04, weizhong qiang escribió: hi all, I tried to get the attributes from a private key (see the following code piece). But only the CKA_MODULUS and CKA_PUBLIC_EXPONENT can be got, others (CKA_PRIVATE_EXPONENT etc.) can not be got. Could you tell me how to solve it? By the way, I generate rsa key pair without "sensitive" (PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN,&rsaParams, pubk, PR_TRUE, PR_FALSE, NULL); ), so I suppose the private key is not protected by password, and can be output? Best Regards, Weizhong Qiang // static bool ReadPrivKeyAttribute(SECKEYPrivateKey* key, CK_ATTRIBUTE_TYPE type, std::vector* output) { SECItem item; SECStatus rv; rv = PK11_ReadRawAttribute(PK11_TypePrivKey, key, type,&item); if (rv != SECSuccess) { NSSUtilLogger.msg(ERROR, "Failed to read attribute %x from private key.", type); return false; } output->assign(item.data, item.data + item.len); SECITEM_FreeItem(&item, PR_FALSE); return true; } static bool ExportPrivateKey(SECKEYPrivateKey* key, std::vector* output) { PrivateKeyInfoCodec private_key_info(true); // Manually read the component attributes of the private key and build up // the PrivateKeyInfo. if (!ReadPrivKeyAttribute(key, CKA_MODULUS, private_key_info.modulus()) || !ReadPrivKeyAttribute(key, CKA_PUBLIC_EXPONENT, private_key_info.public_exponent()) || !ReadPrivKeyAttribute(key, CKA_PRIVATE_EXPONENT, private_key_info.private_exponent()) || !ReadPrivKeyAttribute(key, CKA_PRIME_1, private_key_info.prime1()) || !ReadPrivKeyAttribute(key, CKA_PRIME_2, private_key_info.prime2()) || !ReadPrivKeyAttribute(key, CKA_EXPONENT_1, private_key_info.exponent1()) || !ReadPrivKeyAttribute(key, CKA_EXPONENT_2, private_key_info.exponent2()) || !ReadPrivKeyAttribute(key, CKA_COEFFICIENT, private_key_info.coefficient())) { return false; } return private_key_info.Export(output); } -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Thunderbird encrypted mail using certificate (on smartcard) isnt able to C_Decrypt the message. Why?
On 01/26/2012 12:04 AM, helpcrypto helpcrypto wrote: Robert Relyea wrote: Sorry my bad, I wasn't clear. The double decrypt happens in the case where you first call C_Decrypt with pData = NULL. In that case you can return 128 instead of decrypting the data just to get the length. In the case where C_Decrypt is called with pData != NULL, you need to return the actual number of bytes coded by the PKCS #1 encoding because you are actually returning the decrypted data at this point. AFAIK first call C_Decrypt with pData=NULL and pulDataLen=0 should return the decrypt bytes length (X). Then, second call should have pData!=NULL and pulDataLen=y. if yCKR_BUFFER_TOO_SMALL Returning 128 doesnt work (and shouldnt), cause the decrypted data is 24 (always?) bytes length In the first call you need to return a value at least big enough to hold the decrypted data. 128 bytes (size of encrypted data) is big enough for RSA. This isn't ideal, however. You keep saying the data is 24 bytes, but that's not a given, it's only true in the case you were talking. If you receive a different type of key it could be a different size. Even if I know the key type is RC5, for instance, I still don't know the key length. That is encoded in the PKCS #1. In order to get that you need to decrypt the block. That is why I was saying using the first call/second call method could lead to needing to double decrypt (once to find the length and once to return the data). Anyhow, i now return the correct size (24) and dont "trust" on C_Decrypt input pulDataLen. err, are you hard coding the size at 24. That is not what I said to do. You function that use used to decrypt your PKCS #1 data returns a data length somewhere. It has to or the function is incomplete (it's not really processing the PKCS #1 data). That data length is what you need to return. bob -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: how to get CKA_PRIVATE_EXPONENT attribute from a private key?
On Jan 26, 2012, at 4:44 PM, helpcrypto helpcrypto wrote: > AFAIK, returning or not the attributes from an object, depends on the token. Everything I am operating is on the nss internal softoken. > I recommend you reading about CKO_PRIVATE_KEY on PKCS#11 standard to > understand what can be happening. > For example if token=card, CKA_PRIME_1 *musnt* be on the card, as far > is not *needed* to do cryptographic operations. > > El día 26 de enero de 2012 14:08, weizhong qiang > escribió: >> hi, >> Is there a fact that nss does not permit the reading of the attribute >> CKA_PRIVATE_EXPONENT, CKA_PRIME_1, etc.? >> Because with all of the eight attributes, it is possible to compose the >> content of the private key, but the outputting of private key is not allowed >> in nss? >> >> Thanks and Best Regards, >> Weizhong Qiang >> >> On Jan 26, 2012, at 9:43 AM, helpcrypto helpcrypto wrote: >> >>> Is eny error shown at NSSUtilLogger.msg(ERROR, "Failed to read >>> attribute %x from private key.", type); ? >>> >>> El día 25 de enero de 2012 17:04, weizhong qiang >>> escribió: hi all, I tried to get the attributes from a private key (see the following code piece). But only the CKA_MODULUS and CKA_PUBLIC_EXPONENT can be got, others (CKA_PRIVATE_EXPONENT etc.) can not be got. Could you tell me how to solve it? By the way, I generate rsa key pair without "sensitive" (PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN, &rsaParams, pubk, PR_TRUE, PR_FALSE, NULL); ), so I suppose the private key is not protected by password, and can be output? Best Regards, Weizhong Qiang // static bool ReadPrivKeyAttribute(SECKEYPrivateKey* key, CK_ATTRIBUTE_TYPE type, std::vector* output) { SECItem item; SECStatus rv; rv = PK11_ReadRawAttribute(PK11_TypePrivKey, key, type, &item); if (rv != SECSuccess) { NSSUtilLogger.msg(ERROR, "Failed to read attribute %x from private key.", type); return false; } output->assign(item.data, item.data + item.len); SECITEM_FreeItem(&item, PR_FALSE); return true; } static bool ExportPrivateKey(SECKEYPrivateKey* key, std::vector* output) { PrivateKeyInfoCodec private_key_info(true); // Manually read the component attributes of the private key and build up // the PrivateKeyInfo. if (!ReadPrivKeyAttribute(key, CKA_MODULUS, private_key_info.modulus()) || !ReadPrivKeyAttribute(key, CKA_PUBLIC_EXPONENT, private_key_info.public_exponent()) || !ReadPrivKeyAttribute(key, CKA_PRIVATE_EXPONENT, private_key_info.private_exponent()) || !ReadPrivKeyAttribute(key, CKA_PRIME_1, private_key_info.prime1()) || !ReadPrivKeyAttribute(key, CKA_PRIME_2, private_key_info.prime2()) || !ReadPrivKeyAttribute(key, CKA_EXPONENT_1, private_key_info.exponent1()) || !ReadPrivKeyAttribute(key, CKA_EXPONENT_2, private_key_info.exponent2()) || !ReadPrivKeyAttribute(key, CKA_COEFFICIENT, private_key_info.coefficient())) { return false; } return private_key_info.Export(output); } -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto >>> -- >>> dev-tech-crypto mailing list >>> dev-tech-crypto@lists.mozilla.org >>> https://lists.mozilla.org/listinfo/dev-tech-crypto >> >> -- >> dev-tech-crypto mailing list >> dev-tech-crypto@lists.mozilla.org >> https://lists.mozilla.org/listinfo/dev-tech-crypto > -- > dev-tech-crypto mailing list > dev-tech-crypto@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-tech-crypto -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: how to get CKA_PRIVATE_EXPONENT attribute from a private key?
AFAIK, returning or not the attributes from an object, depends on the token. I recommend you reading about CKO_PRIVATE_KEY on PKCS#11 standard to understand what can be happening. For example if token=card, CKA_PRIME_1 *musnt* be on the card, as far is not *needed* to do cryptographic operations. El día 26 de enero de 2012 14:08, weizhong qiang escribió: > hi, > Is there a fact that nss does not permit the reading of the attribute > CKA_PRIVATE_EXPONENT, CKA_PRIME_1, etc.? > Because with all of the eight attributes, it is possible to compose the > content of the private key, but the outputting of private key is not allowed > in nss? > > Thanks and Best Regards, > Weizhong Qiang > > On Jan 26, 2012, at 9:43 AM, helpcrypto helpcrypto wrote: > >> Is eny error shown at NSSUtilLogger.msg(ERROR, "Failed to read >> attribute %x from private key.", type); ? >> >> El día 25 de enero de 2012 17:04, weizhong qiang >> escribió: >>> hi all, >>> I tried to get the attributes from a private key (see the following code >>> piece). But only the CKA_MODULUS and CKA_PUBLIC_EXPONENT can be got, others >>> (CKA_PRIVATE_EXPONENT etc.) can not be got. >>> Could you tell me how to solve it? >>> By the way, I generate rsa key pair without "sensitive" >>> (PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN, &rsaParams, pubk, >>> PR_TRUE, PR_FALSE, NULL); ), so I suppose the private key is not protected >>> by password, and can be output? >>> >>> Best Regards, >>> Weizhong Qiang >>> >>> >>> >>> >>> // >>> static bool ReadPrivKeyAttribute(SECKEYPrivateKey* key, CK_ATTRIBUTE_TYPE >>> type, std::vector* output) { >>> SECItem item; >>> SECStatus rv; >>> rv = PK11_ReadRawAttribute(PK11_TypePrivKey, key, type, &item); >>> if (rv != SECSuccess) { >>> NSSUtilLogger.msg(ERROR, "Failed to read attribute %x from private >>> key.", type); >>> return false; >>> } >>> output->assign(item.data, item.data + item.len); >>> SECITEM_FreeItem(&item, PR_FALSE); >>> return true; >>> } >>> >>> static bool ExportPrivateKey(SECKEYPrivateKey* key, std::vector* >>> output) { >>> PrivateKeyInfoCodec private_key_info(true); >>> >>> // Manually read the component attributes of the private key and build up >>> // the PrivateKeyInfo. >>> if (!ReadPrivKeyAttribute(key, CKA_MODULUS, private_key_info.modulus()) >>> || >>> !ReadPrivKeyAttribute(key, CKA_PUBLIC_EXPONENT, >>> private_key_info.public_exponent()) || >>> !ReadPrivKeyAttribute(key, CKA_PRIVATE_EXPONENT, >>> private_key_info.private_exponent()) || >>> !ReadPrivKeyAttribute(key, CKA_PRIME_1, private_key_info.prime1()) || >>> !ReadPrivKeyAttribute(key, CKA_PRIME_2, private_key_info.prime2()) || >>> !ReadPrivKeyAttribute(key, CKA_EXPONENT_1, >>> private_key_info.exponent1()) || >>> !ReadPrivKeyAttribute(key, CKA_EXPONENT_2, >>> private_key_info.exponent2()) || >>> !ReadPrivKeyAttribute(key, CKA_COEFFICIENT, >>> private_key_info.coefficient())) { >>> return false; >>> } >>> >>> return private_key_info.Export(output); >>> } >>> >>> -- >>> dev-tech-crypto mailing list >>> dev-tech-crypto@lists.mozilla.org >>> https://lists.mozilla.org/listinfo/dev-tech-crypto >> -- >> dev-tech-crypto mailing list >> dev-tech-crypto@lists.mozilla.org >> https://lists.mozilla.org/listinfo/dev-tech-crypto > > -- > dev-tech-crypto mailing list > dev-tech-crypto@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-tech-crypto -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: how to get CKA_PRIVATE_EXPONENT attribute from a private key?
hi, Is there a fact that nss does not permit the reading of the attribute CKA_PRIVATE_EXPONENT, CKA_PRIME_1, etc.? Because with all of the eight attributes, it is possible to compose the content of the private key, but the outputting of private key is not allowed in nss? Thanks and Best Regards, Weizhong Qiang On Jan 26, 2012, at 9:43 AM, helpcrypto helpcrypto wrote: > Is eny error shown at NSSUtilLogger.msg(ERROR, "Failed to read > attribute %x from private key.", type); ? > > El día 25 de enero de 2012 17:04, weizhong qiang > escribió: >> hi all, >> I tried to get the attributes from a private key (see the following code >> piece). But only the CKA_MODULUS and CKA_PUBLIC_EXPONENT can be got, others >> (CKA_PRIVATE_EXPONENT etc.) can not be got. >> Could you tell me how to solve it? >> By the way, I generate rsa key pair without "sensitive" >> (PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN, &rsaParams, pubk, >> PR_TRUE, PR_FALSE, NULL); ), so I suppose the private key is not protected >> by password, and can be output? >> >> Best Regards, >> Weizhong Qiang >> >> >> >> >> // >> static bool ReadPrivKeyAttribute(SECKEYPrivateKey* key, CK_ATTRIBUTE_TYPE >> type, std::vector* output) { >>SECItem item; >>SECStatus rv; >>rv = PK11_ReadRawAttribute(PK11_TypePrivKey, key, type, &item); >>if (rv != SECSuccess) { >> NSSUtilLogger.msg(ERROR, "Failed to read attribute %x from private >> key.", type); >> return false; >>} >>output->assign(item.data, item.data + item.len); >>SECITEM_FreeItem(&item, PR_FALSE); >>return true; >> } >> >> static bool ExportPrivateKey(SECKEYPrivateKey* key, std::vector* >> output) { >>PrivateKeyInfoCodec private_key_info(true); >> >>// Manually read the component attributes of the private key and build up >>// the PrivateKeyInfo. >>if (!ReadPrivKeyAttribute(key, CKA_MODULUS, private_key_info.modulus()) || >> !ReadPrivKeyAttribute(key, CKA_PUBLIC_EXPONENT, >> private_key_info.public_exponent()) || >> !ReadPrivKeyAttribute(key, CKA_PRIVATE_EXPONENT, >> private_key_info.private_exponent()) || >> !ReadPrivKeyAttribute(key, CKA_PRIME_1, private_key_info.prime1()) || >> !ReadPrivKeyAttribute(key, CKA_PRIME_2, private_key_info.prime2()) || >> !ReadPrivKeyAttribute(key, CKA_EXPONENT_1, >> private_key_info.exponent1()) || >> !ReadPrivKeyAttribute(key, CKA_EXPONENT_2, >> private_key_info.exponent2()) || >> !ReadPrivKeyAttribute(key, CKA_COEFFICIENT, >> private_key_info.coefficient())) { >> return false; >>} >> >>return private_key_info.Export(output); >> } >> >> -- >> dev-tech-crypto mailing list >> dev-tech-crypto@lists.mozilla.org >> https://lists.mozilla.org/listinfo/dev-tech-crypto > -- > dev-tech-crypto mailing list > dev-tech-crypto@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-tech-crypto -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: how to get CKA_PRIVATE_EXPONENT attribute from a private key?
The rv value gives SECFailure. Thanks 在 2012-1-26 下午5:29,"helpcrypto helpcrypto" 写道: > my mistake. i mean the RV value > -- > dev-tech-crypto mailing list > dev-tech-crypto@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-tech-crypto > -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: how to get CKA_PRIVATE_EXPONENT attribute from a private key?
my mistake. i mean the RV value -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: how to get CKA_PRIVATE_EXPONENT attribute from a private key?
Hi, It gives number 123, which is the type CKA_PRIVATE_EXPONENT. Thanks Weizhong qiang 在 2012-1-26 下午4:43,"helpcrypto helpcrypto" 写道: > Is eny error shown at NSSUtilLogger.msg(ERROR, "Failed to read > attribute %x from private key.", type); ? > > El día 25 de enero de 2012 17:04, weizhong qiang > escribió: > > hi all, > > I tried to get the attributes from a private key (see the following code > piece). But only the CKA_MODULUS and CKA_PUBLIC_EXPONENT can be got, others > (CKA_PRIVATE_EXPONENT etc.) can not be got. > > Could you tell me how to solve it? > > By the way, I generate rsa key pair without "sensitive" > (PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN, &rsaParams, pubk, > PR_TRUE, PR_FALSE, NULL); ), so I suppose the private key is not protected > by password, and can be output? > > > > Best Regards, > > Weizhong Qiang > > > > > > > > > > // > > static bool ReadPrivKeyAttribute(SECKEYPrivateKey* key, > CK_ATTRIBUTE_TYPE type, std::vector* output) { > >SECItem item; > >SECStatus rv; > >rv = PK11_ReadRawAttribute(PK11_TypePrivKey, key, type, &item); > >if (rv != SECSuccess) { > > NSSUtilLogger.msg(ERROR, "Failed to read attribute %x from private > key.", type); > > return false; > >} > >output->assign(item.data, item.data + item.len); > >SECITEM_FreeItem(&item, PR_FALSE); > >return true; > > } > > > > static bool ExportPrivateKey(SECKEYPrivateKey* key, std::vector* > output) { > >PrivateKeyInfoCodec private_key_info(true); > > > >// Manually read the component attributes of the private key and > build up > >// the PrivateKeyInfo. > >if (!ReadPrivKeyAttribute(key, CKA_MODULUS, > private_key_info.modulus()) || > > !ReadPrivKeyAttribute(key, CKA_PUBLIC_EXPONENT, > private_key_info.public_exponent()) || > > !ReadPrivKeyAttribute(key, CKA_PRIVATE_EXPONENT, > private_key_info.private_exponent()) || > > !ReadPrivKeyAttribute(key, CKA_PRIME_1, private_key_info.prime1()) > || > > !ReadPrivKeyAttribute(key, CKA_PRIME_2, private_key_info.prime2()) > || > > !ReadPrivKeyAttribute(key, CKA_EXPONENT_1, > private_key_info.exponent1()) || > > !ReadPrivKeyAttribute(key, CKA_EXPONENT_2, > private_key_info.exponent2()) || > > !ReadPrivKeyAttribute(key, CKA_COEFFICIENT, > private_key_info.coefficient())) { > > return false; > >} > > > >return private_key_info.Export(output); > > } > > > > -- > > dev-tech-crypto mailing list > > dev-tech-crypto@lists.mozilla.org > > https://lists.mozilla.org/listinfo/dev-tech-crypto > -- > dev-tech-crypto mailing list > dev-tech-crypto@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-tech-crypto -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: how to get CKA_PRIVATE_EXPONENT attribute from a private key?
Is eny error shown at NSSUtilLogger.msg(ERROR, "Failed to read attribute %x from private key.", type); ? El día 25 de enero de 2012 17:04, weizhong qiang escribió: > hi all, > I tried to get the attributes from a private key (see the following code > piece). But only the CKA_MODULUS and CKA_PUBLIC_EXPONENT can be got, others > (CKA_PRIVATE_EXPONENT etc.) can not be got. > Could you tell me how to solve it? > By the way, I generate rsa key pair without "sensitive" > (PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN, &rsaParams, pubk, > PR_TRUE, PR_FALSE, NULL); ), so I suppose the private key is not protected by > password, and can be output? > > Best Regards, > Weizhong Qiang > > > > > // > static bool ReadPrivKeyAttribute(SECKEYPrivateKey* key, CK_ATTRIBUTE_TYPE > type, std::vector* output) { > SECItem item; > SECStatus rv; > rv = PK11_ReadRawAttribute(PK11_TypePrivKey, key, type, &item); > if (rv != SECSuccess) { > NSSUtilLogger.msg(ERROR, "Failed to read attribute %x from private > key.", type); > return false; > } > output->assign(item.data, item.data + item.len); > SECITEM_FreeItem(&item, PR_FALSE); > return true; > } > > static bool ExportPrivateKey(SECKEYPrivateKey* key, std::vector* > output) { > PrivateKeyInfoCodec private_key_info(true); > > // Manually read the component attributes of the private key and build up > // the PrivateKeyInfo. > if (!ReadPrivKeyAttribute(key, CKA_MODULUS, private_key_info.modulus()) || > !ReadPrivKeyAttribute(key, CKA_PUBLIC_EXPONENT, > private_key_info.public_exponent()) || > !ReadPrivKeyAttribute(key, CKA_PRIVATE_EXPONENT, > private_key_info.private_exponent()) || > !ReadPrivKeyAttribute(key, CKA_PRIME_1, private_key_info.prime1()) || > !ReadPrivKeyAttribute(key, CKA_PRIME_2, private_key_info.prime2()) || > !ReadPrivKeyAttribute(key, CKA_EXPONENT_1, private_key_info.exponent1()) > || > !ReadPrivKeyAttribute(key, CKA_EXPONENT_2, private_key_info.exponent2()) > || > !ReadPrivKeyAttribute(key, CKA_COEFFICIENT, > private_key_info.coefficient())) { > return false; > } > > return private_key_info.Export(output); > } > > -- > dev-tech-crypto mailing list > dev-tech-crypto@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-tech-crypto -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Regarding PSM with external SSL library
Ashok Subash wrote: > Hi Brian, > > We have made some progress. We could statically build nss and link on > our platform. Do you mean statically link NSS into Firefox? If so, there are several gotchas that need to be taken into account. See Wan-Teh's patch at https://bugzilla.mozilla.org/show_bug.cgi?id=534471 which addresses some/all of them on Windows for *Chrome*. I imagine the issues are similar but not quite the same for Firefox and/or for other platforms. > Is there any other porting points i've missed? Your > inputs/suggestions will help us to solve this faster. I wish I could be more helpful but it is really hard to tell the problem from the description given. Also, it is hard for me to diagnose problems with Firefox 3.6.x because I have *literally* never even checked out the source code for Firefox 3.6.x before. (I started at Mozilla during the development of 4.0.) - Brian -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Thunderbird encrypted mail using certificate (on smartcard) isnt able to C_Decrypt the message. Why?
> Robert Relyea wrote: > Sorry my bad, I wasn't clear. The double decrypt happens in the case where > you first call C_Decrypt with pData = NULL. In that case you can return 128 > instead of decrypting the data just to get the length. In the case where > C_Decrypt is called with pData != NULL, you need to return the actual number > of bytes coded by the PKCS #1 encoding because you are actually returning > the decrypted data at this point. AFAIK first call C_Decrypt with pData=NULL and pulDataLen=0 should return the decrypt bytes length (X). Then, second call should have pData!=NULL and pulDataLen=y. if yCKR_BUFFER_TOO_SMALL Returning 128 doesnt work (and shouldnt), cause the decrypted data is 24 (always?) bytes length Anyhow, i now return the correct size (24) and dont "trust" on C_Decrypt input pulDataLen. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto