hi, I solved the problem by generating the key pair with "isPerm" to be PR_FALSE, and then importing the private key using PK11_ImportDERPrivateKeyInfoAndReturnKey.
Best Regards, Weizhong Qiang On Jan 31, 2012, at 7:28 AM, weizhong qiang wrote: > hi Robert and others, > See the attachment for more complete test case of generating and reading a > key. > I found if I set the "isPerm" parameter to be PR_FALSE (see line 78 of the > test case), the private key is not sensitive. > If I set the "isPerm" parameter to be PR_TRUE, then not mater the > "IsSensitive" (the next parameter after "isPerm") is PR_TRUE or PR_FALSE, the > private key always sensitive. > Is it a feature? > > Thanks and Best Regards, > Weizhong Qiang > > > <test_nssprivatekey.cpp> > > On Jan 28, 2012, at 4:16 PM, weizhong qiang wrote: > >> hi, >> >> On Jan 27, 2012, at 6:52 PM, Robert Relyea wrote: >> >>> On 01/26/2012 11:53 PM, weizhong qiang wrote: >>>> hi, >>>> I did found that the CKA_SENSITIVE is "true" by using the following code: >>>> rv = PK11_ReadRawAttribute(PK11_TypePrivKey, privKey, >>>> CKA_SENSITIVE,&value); >>>> if (rv != SECSuccess) { >>>> NSSUtilLogger.msg(ERROR, "Failed to read CKA_SENSITIVE attribute >>>> from private key."); >>>> } >>>> if ((value.len == 1)&& (value.data != NULL)) >>>> std::cout<< !!(*(CK_BBOOL*)value.data)<<std::endl; >>>> >>>> But I did set sensitive parameter to be PR_FALSE when generate the key >>>> pair, see the following: >>>> *privk = PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN,&rsaParams, >>>> pubk, PR_FALSE, PR_FALSE, NULL); >>>> >>>> How could the key still be sensitive? Is there anywhere that I should set? >>> Hmm, your right, that doesn't seem right. Do you have a simple test case >>> that reproduces this? >> >> Yes, Please see the following attachment for the test case. If you would >> help, you need to change the path of nss db, and certname, password etc. >> >> >> <mail_about_privatekey.rtf> >>> >>> Also which version of NSS are you running? >> >> Name: NSS >> Description: Mozilla Network Security Services >> Version: 3.12.9+ckbi-1.82 >> >> >>> Are you sure that slot points to the internal token? >> >> Yes, you can see the code of test case, I explicitly point to the internal >> token. >> >>> Are you in FIPS mode? (in which case you don't have a choice on sensitive >>> or not). >> >> I did not enable FIPS mode. I suppose FIPS will not be enabled by default? >> >> Best Regard, >> Weizhong Qiang >> >>> >>> NSS uses exactly this method to generate a key it's going to load into a >>> token that doesn't support CKM_RSA_PKCS_KEY_PAIR_GEN. >>> >>> bob >>> >>>> >>>> Best Regards >>>> Weizhong Qiang >>>> >>>> >>>> On Jan 26, 2012, at 6:57 PM, Robert Relyea wrote: >>>> >>>>> On 01/26/2012 07:55 AM, weizhong qiang wrote: >>>>>> On Jan 26, 2012, at 4:44 PM, helpcrypto helpcrypto wrote: >>>>>> >>>>>>> AFAIK, returning or not the attributes from an object, depends on the >>>>>>> token. >>>>>> Everything I am operating is on the nss internal softoken. >>>>> Right softoken enforces good hygiene. >>>>> In truth, access to those attributes are controlled through a couple of >>>>> other attributes: >>>>> >>>>> CKA_PRIVATE - access to the object requires authentication. >>>>> >>>>> CKA_SENSITIVE - direct access to the sensitive/private attributes of this >>>>> object is prohibitted. >>>>> >>>>> CKA_EXTRACTABLE - this object can be extracted from the token. >>>>> >>>>> If Private is set, then you need to log in to do any of the actions below. >>>>> >>>>> If both Sensitve and Extractable is set, then you can extract the object >>>>> by wrapping it, but you can't access the unencrypted attributes. >>>>> >>>>> If Senstive is FALSE and Extractable is TRUE, you can either extract the >>>>> object by wrapping it, or by reading the attributes directly. >>>>> >>>>> If Extractable is FALSE, then you can't extract the object at all >>>>> (either by wrapping it or by reading the attributes directly). >>>>> >>>>> Most tokens set Extratable to FALSE. >>>>> >>>>> bob >>>>> >>>>>> >>>>>>> I recommend you reading about CKO_PRIVATE_KEY on PKCS#11 standard to >>>>>>> understand what can be happening. >>>>>>> For example if token=card, CKA_PRIME_1 *musnt* be on the card, as far >>>>>>> is not *needed* to do cryptographic operations. >>>>>>> >>>>>>> El día 26 de enero de 2012 14:08, weizhong qiang >>>>>>> <weizhongqi...@gmail.com> escribió: >>>>>>>> hi, >>>>>>>> Is there a fact that nss does not permit the reading of the attribute >>>>>>>> CKA_PRIVATE_EXPONENT, CKA_PRIME_1, etc.? >>>>>>>> Because with all of the eight attributes, it is possible to compose >>>>>>>> the content of the private key, but the outputting of private key is >>>>>>>> not allowed in nss? >>>>>>>> >>>>>>>> Thanks and Best Regards, >>>>>>>> Weizhong Qiang >>>>>>>> >>>>>>>> On Jan 26, 2012, at 9:43 AM, helpcrypto helpcrypto wrote: >>>>>>>> >>>>>>>>> Is eny error shown at NSSUtilLogger.msg(ERROR, "Failed to read >>>>>>>>> attribute %x from private key.", type); ? >>>>>>>>> >>>>>>>>> El día 25 de enero de 2012 17:04, weizhong qiang >>>>>>>>> <weizhongqi...@gmail.com> escribió: >>>>>>>>>> hi all, >>>>>>>>>> I tried to get the attributes from a private key (see the following >>>>>>>>>> code piece). But only the CKA_MODULUS and CKA_PUBLIC_EXPONENT can be >>>>>>>>>> got, others (CKA_PRIVATE_EXPONENT etc.) can not be got. >>>>>>>>>> Could you tell me how to solve it? >>>>>>>>>> By the way, I generate rsa key pair without "sensitive" >>>>>>>>>> (PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN,&rsaParams, >>>>>>>>>> pubk, PR_TRUE, PR_FALSE, NULL); ), so I suppose the private key is >>>>>>>>>> not protected by password, and can be output? >>>>>>>>>> >>>>>>>>>> Best Regards, >>>>>>>>>> Weizhong Qiang >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> /****************/ >>>>>>>>>> static bool ReadPrivKeyAttribute(SECKEYPrivateKey* key, >>>>>>>>>> CK_ATTRIBUTE_TYPE type, std::vector<uint8>* output) { >>>>>>>>>> SECItem item; >>>>>>>>>> SECStatus rv; >>>>>>>>>> rv = PK11_ReadRawAttribute(PK11_TypePrivKey, key, type,&item); >>>>>>>>>> if (rv != SECSuccess) { >>>>>>>>>> NSSUtilLogger.msg(ERROR, "Failed to read attribute %x from >>>>>>>>>> private key.", type); >>>>>>>>>> return false; >>>>>>>>>> } >>>>>>>>>> output->assign(item.data, item.data + item.len); >>>>>>>>>> SECITEM_FreeItem(&item, PR_FALSE); >>>>>>>>>> return true; >>>>>>>>>> } >>>>>>>>>> >>>>>>>>>> static bool ExportPrivateKey(SECKEYPrivateKey* key, >>>>>>>>>> std::vector<uint8>* output) { >>>>>>>>>> PrivateKeyInfoCodec private_key_info(true); >>>>>>>>>> >>>>>>>>>> // Manually read the component attributes of the private key and >>>>>>>>>> build up >>>>>>>>>> // the PrivateKeyInfo. >>>>>>>>>> if (!ReadPrivKeyAttribute(key, CKA_MODULUS, >>>>>>>>>> private_key_info.modulus()) || >>>>>>>>>> !ReadPrivKeyAttribute(key, CKA_PUBLIC_EXPONENT, >>>>>>>>>> private_key_info.public_exponent()) || >>>>>>>>>> !ReadPrivKeyAttribute(key, CKA_PRIVATE_EXPONENT, >>>>>>>>>> private_key_info.private_exponent()) || >>>>>>>>>> !ReadPrivKeyAttribute(key, CKA_PRIME_1, >>>>>>>>>> private_key_info.prime1()) || >>>>>>>>>> !ReadPrivKeyAttribute(key, CKA_PRIME_2, >>>>>>>>>> private_key_info.prime2()) || >>>>>>>>>> !ReadPrivKeyAttribute(key, CKA_EXPONENT_1, >>>>>>>>>> private_key_info.exponent1()) || >>>>>>>>>> !ReadPrivKeyAttribute(key, CKA_EXPONENT_2, >>>>>>>>>> private_key_info.exponent2()) || >>>>>>>>>> !ReadPrivKeyAttribute(key, CKA_COEFFICIENT, >>>>>>>>>> private_key_info.coefficient())) { >>>>>>>>>> return false; >>>>>>>>>> } >>>>>>>>>> >>>>>>>>>> return private_key_info.Export(output); >>>>>>>>>> } >>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> dev-tech-crypto mailing list >>>>>>>>>> dev-tech-crypto@lists.mozilla.org >>>>>>>>>> https://lists.mozilla.org/listinfo/dev-tech-crypto >>>>>>>>> -- >>>>>>>>> dev-tech-crypto mailing list >>>>>>>>> dev-tech-crypto@lists.mozilla.org >>>>>>>>> https://lists.mozilla.org/listinfo/dev-tech-crypto >>>>>>>> -- >>>>>>>> dev-tech-crypto mailing list >>>>>>>> dev-tech-crypto@lists.mozilla.org >>>>>>>> https://lists.mozilla.org/listinfo/dev-tech-crypto >>>>>>> -- >>>>>>> dev-tech-crypto mailing list >>>>>>> dev-tech-crypto@lists.mozilla.org >>>>>>> https://lists.mozilla.org/listinfo/dev-tech-crypto >>>>> >>>>> -- >>>>> dev-tech-crypto mailing list >>>>> dev-tech-crypto@lists.mozilla.org >>>>> https://lists.mozilla.org/listinfo/dev-tech-crypto >>> >>> >>> -- >>> dev-tech-crypto mailing list >>> dev-tech-crypto@lists.mozilla.org >>> https://lists.mozilla.org/listinfo/dev-tech-crypto >> > -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto