Re: undefined reference to '_InterlockedIncrement' when compiling nss under MinGW
hi, Thanks for the instruction. I tried the build of nss on with mozillabuild tool (with MS VC and MS SDK, using MS compiler for compilation) on Win7. And the build did pass. But the build with MinGW/MSYS (using gcc for compilation) still failed. I hope the build (with MS compiler) can be used for my software (which uses gcc for compilation). Best Regards, Weizhong Qiang On Sep 15, 2012, at 4:34 AM, wdeng wrote: > Did you configure the building system yourself? > Usually I build firefox on windows with the MozillaBuild tool which can be > got at: > http://ftp.mozilla.org/pub/mozilla.org/mozilla/libraries/win32/MozillaBuildSetup-Latest.exe > > How to build firefox on windows, the reference is: > https://developer.mozilla.org/en-US/docs/Developer_Guide/Build_Instructions/Windows_Prerequisites > > It's a pity that I never build nss seperately, but if you have built firefox > you have nss built too. > > Hope it can help you. > > BRs > > > > On 09/14/2012 07:37 PM, weizhong qiang wrote: >> hi all, >> Since I need to call nss API inside the software (a middleware which is >> supposed to generally run on Win/Linux/MacOS) which I am developing, I have >> to compile nss under MinGW. >> But I always get the "undefined reference" error, when I run "make >> nss_build_all" under mozilla/security/nss. I have tried the different >> versions of MinGW as well as the versions of nss source, but still all can >> not get compiled. >> The following is the log. >> Thanks a lot for your instruction. >> >> Best Regards, >> Weizhong Qiang >> >> >> >> >> gcc -mwindows -o prtpd.o -c -g -UNDEBUG -DDEBUG_arc -DDEBUG=1 >> -DXP_PC=1 -DWIN32=1 -DWINNT=1 -D_X86_=1 -DHAVE_STRERROR=1 -DFORCE_PR_LOG >> -D_NSPR_BUILD_ -I../../../../../dist/WINNT6.1_DBG.OBJ/include >> -I../../../../pr/include -I../../../../pr/include/private >> ../../../../pr/src/threads/prtpd.c >> In file included from ../../../../pr/include/md/prosdep.h:20:0, >> from ../../../../pr/include/private/primpl.h:44, >> from ../../../../pr/src/threads/prtpd.c:37: >> ../../../../pr/include/md/_winnt.h:489:34: warning: 'thread' attribute >> directive ignored >> ../../../../pr/include/md/_winnt.h:507:34: warning: 'thread' attribute >> directive ignored >> ../../../../pr/include/md/_winnt.h:523:34: warning: 'thread' attribute >> directive ignored >> ../../../../pr/include/md/_winnt.h:539:1: warning: 'thread' attribute >> directive ignored >> make[4]: Leaving directory >> `/home/arc/nss-3.13.6/mozilla/nsprpub/WINNT6.1_DBG.OBJ/pr/src/threads' >> make build >> make[4]: Entering directory >> `/home/arc/nss-3.13.6/mozilla/nsprpub/WINNT6.1_DBG.OBJ/pr/src' >> gcc -mwindows -o prvrsion.o -c -g -UNDEBUG -DDEBUG_arc -DDEBUG=1 >> -DXP_PC=1 -DWIN32=1 -DWINNT=1 -D_X86_=1 -DHAVE_STRERROR=1 -DFORCE_PR_LOG >> -D_NSPR_BUILD_ -I../../../../dist/WINNT6.1_DBG.OBJ/include >> -I../../../pr/include -I../../../pr/include/private -I. >> ../../../pr/src/prvrsion.c >> rm -f libnspr4_s.a >> /c/MinGW4nss2/bin//ar cr libnspr4_s.a ./prvrsion.o io/./prfdcach.o >> io/./prmwait.o io/./prmapopt.o io/./priometh.o io/./pripv6.o io/./prlayer.o >> io/./prlog.o io/./prmmap.o io/./prpolevt.o io/./prprf.o io/./prscanf.o >> io/./prstdio.o threads/./prcmon.o threads/./prrwlock.o threads/./prtpd.o >> linking/./prlink.o malloc/./prmalloc.o malloc/./prmem.o md/./prosdep.o >> memory/./prshm.o memory/./prshma.o memory/./prseg.o misc/./pralarm.o >> misc/./pratom.o misc/./prcountr.o misc/./prdtoa.o misc/./prenv.o >> misc/./prerr.o misc/./prerror.o misc/./prerrortable.o misc/./prinit.o >> misc/./prinrval.o misc/./pripc.o misc/./prlog2.o misc/./prlong.o >> misc/./prnetdb.o misc/./praton.o misc/./prolock.o misc/./prrng.o >> misc/./prsystem.o misc/./prthinfo.o misc/./prtpool.o misc/./prtrace.o >> misc/./prtime.o io/./prdir.o io/./prfile.o io/./prio.o io/./prsocket.o >> misc/./pripcsem.o threads/./prcthr.o threads/./prdump.o threads/./prmon.o >> threads/./prsem.o threads/combined/./prucpu.o threads/combined/./prucv.o >> threads / > co >> mbined/./prulock.o threads/combined/./prustack.o >> threads/combined/./pruthr.o md/windows/./ntmisc.o md/windows/./ntsec.o >> md/windows/./ntsem.o md/windows/./ntinrval.o md/windows/./ntgc.o >> md/windows/./ntio.o md/windows/./ntthread.o md/windows/./ntdllmn.o >> md/windows/./win32_errors.o md/windows/./w32ipcsem.o md/windows/./w32poll.o >> md/windows/.
Re: undefined reference to '_InterlockedIncrement' when compiling nss under MinGW
hi, Thanks for your help. For the two different patches, your patch still gets the same error; the other patch gets better result(nspr compilation passed), but another error appears ("cl: command not found"), I don't know why the the compilation before this error uses gcc to compile, but why here "cl" is used for compilation. I also tried the "mozilla-build" together with MS VC, and the compilation passed. Best Regards, Weizhong /***/ package: https://bug748217.bugzilla.mozilla.org/attachment.cgi?id=617774 I still get the same error: Result: gcc -mwindows -shared -Wl,--export-all-symbols -Wl,--out-implib -Wl,./libnspr4.a -o libnspr4.dll ./prvrsion.o io/./prfdcach.o io/./prmwait.o io/./prmapopt.o io/./priometh.o io/./pripv6.o io/./prlayer.o io/./prlog.o io/./prmmap.o io/./prpolevt.o io/./prprf.o io/./prscanf.o io/./prstdio.o threads/./prcmon.o threads/./prrwlock.o threads/./prtpd.o linking/./prlink.o malloc/./prmalloc.o malloc/./prmem.o md/./prosdep.o memory/./prshm.o memory/./prshma.o memory/./prseg.o misc/./pralarm.o misc/./pratom.o misc/./prcountr.o misc/./prdtoa.o misc/./prenv.o misc/./prerr.o misc/./prerror.o misc/./prerrortable.o misc/./prinit.o misc/./prinrval.o misc/./pripc.o misc/./prlog2.o misc/./prlong.o misc/./prnetdb.o misc/./praton.o misc/./prolock.o misc/./prrng.o misc/./prsystem.o misc/./prthinfo.o misc/./prtpool.o misc/./prtrace.o misc/./prtime.o io/./prdir.o io/./prfile.o io/./prio.o io/./prsocket.o misc/./pripcsem.o threads/./prcthr.o threads/./prdump.o threads/./prmon.o threads/./prsem.o threa ds/combined/./prucpu.o threads/combined/./prucv.o threads/combined/./prulock.o threads/combined/./prustack.o threads/combined/./pruthr.o md/windows/./ntmisc.o md/windows/./ntsec.o md/windows/./ntsem.o md/windows/./ntinrval.o md/windows/./ntgc.o md/windows/./ntio.o md/windows/./ntthread.o md/windows/./ntdllmn.o md/windows/./win32_errors.o md/windows/./w32ipcsem.o md/windows/./w32poll.o md/windows/./w32rng.o md/windows/./w32shm.o ./nspr.res -ladvapi32 -lwsock32 -lwinmm Creating library file: ./libnspr4.athreads/./prtpd.o: In function `PR_NewThreadPrivateIndex': C:\MinGW4nss\msys\1.0\home\arc\nss-3.13.6_617774\mozilla\nsprpub\WINNT6.1_DBG.OBJ\pr\src\threads/../../../../pr/src/threads/prtpd.c:108: undefined reference to `_InterlockedIncrement' misc/./prinit.o: In function `PR_CallOnce': C:\MinGW4nss\msys\1.0\home\arc\nss-3.13.6_617774\mozilla\nsprpub\WINNT6.1_DBG.OBJ\pr\src\misc/../../../../pr/src/misc/prinit.c:774: undefined reference to `_InterlockedExchange' misc/./prinit.o: In function `PR_CallOnceWithArg': C:\MinGW4nss\msys\1.0\home\arc\nss-3.13.6_617774\mozilla\nsprpub\WINNT6.1_DBG.OBJ\pr\src\misc/../../../../pr/src/misc/prinit.c:803: undefined reference to `_InterlockedExchange' threads/combined/./pruthr.o: In function `PR_CreateThread': C:\MinGW4nss\msys\1.0\home\arc\nss-3.13.6_617774\mozilla\nsprpub\WINNT6.1_DBG.OBJ\pr\src\threads\combined/../../../../../pr/src/threads/combined/pruthr.c:1137: undefined reference to `_InterlockedIncrement' C:\MinGW4nss\msys\1.0\home\arc\nss-3.13.6_617774\mozilla\nsprpub\WINNT6.1_DBG.OBJ\pr\src\threads\combined/../../../../../pr/src/threads/combined/pruthr.c:1139: undefined reference to `_InterlockedIncrement ' collect2: ld returned 1 exit status make[4]: *** [libnspr4.dll] Error 1 make[4]: Leaving directory `/home/arc/nss-3.13.6_617774/mozilla/nsprpub/WINNT6.1_DBG.OBJ/pr/src' make[3]: *** [export] Error 2 make[3]: Leaving directory `/home/arc/nss-3.13.6_617774/mozilla/nsprpub/WINNT6.1_DBG.OBJ/pr/src' make[2]: *** [export] Error 2 make[2]: Leaving directory `/home/arc/nss-3.13.6_617774/mozilla/nsprpub/WINNT6.1_DBG.OBJ/pr' make[1]: *** [export] Error 2 make[1]: Leaving directory `/home/arc/nss-3.13.6_617774/mozilla/nsprpub/WINNT6.1_DBG.OBJ' make: *** [build_nspr] Error 2 /***/ package from this links: https://bugzilla.mozilla.org/show_bug.cgi?id=779649 Better Result, but not : . cd src; make libs make[2]: Entering directory `/home/arc/nss-3.13.6/mozilla/security/dbm/src' cl -FoWINNT6.1_DBG.OBJ/db.obj -c -Zi -FdWINNT6.1_DBG.OBJ/ -Od -W3 -nologo -D_CRT_SECURE_NO_WARNINGS -D_CRT_NONSTDC_NO_WARNINGS -MD -we4002 -we4003 -we4004 -we4006 -we4009 -we4013 -we4015 -we4028 -we4033 -we4035 -we4045 -we4047 -we4053 -we4054 -we4063 -we4064 -we4078 -we4087 -we4098 -we4390 -we4551 -we4553 -we4715 -GT -DXP_PC -DDEBUG -D_DEBUG -UNDEBUG -DDEBUG_arc -DWIN32 -D_X86_ -D_WINDOWS -DWINNT -DUSE_UTIL_DIRECTLY -DSTDC_HEADERS -DHAVE_STRERROR -DHAVE_SNPRINTF -DMEMMOVE -D__DBINTERFACE_PRIVATE -I../../../dist/WINNT6.1_DBG.OBJ/include -I../../../dist/public/dbm -I../../../dist/private/dbm -I../../../dbm/include "/home/arc/nss-3.13.6/mozilla/security/dbm/src/../../../dbm/src/db.c" /bin/sh: cl: command not found make[2]: *** [WINNT6.1_DBG.OBJ/db.obj] Error 127 make[2]: Leaving directory `/home/arc/nss-3.13.6/mozilla/security/dbm/src' make[1]: *** [libs] Error 2
undefined reference to '_InterlockedIncrement' when compiling nss under MinGW
hi all, Since I need to call nss API inside the software (a middleware which is supposed to generally run on Win/Linux/MacOS) which I am developing, I have to compile nss under MinGW. But I always get the "undefined reference" error, when I run "make nss_build_all" under mozilla/security/nss. I have tried the different versions of MinGW as well as the versions of nss source, but still all can not get compiled. The following is the log. Thanks a lot for your instruction. Best Regards, Weizhong Qiang gcc -mwindows -o prtpd.o -c -g -UNDEBUG -DDEBUG_arc -DDEBUG=1 -DXP_PC=1 -DWIN32=1 -DWINNT=1 -D_X86_=1 -DHAVE_STRERROR=1 -DFORCE_PR_LOG -D_NSPR_BUILD_ -I../../../../../dist/WINNT6.1_DBG.OBJ/include -I../../../../pr/include -I../../../../pr/include/private ../../../../pr/src/threads/prtpd.c In file included from ../../../../pr/include/md/prosdep.h:20:0, from ../../../../pr/include/private/primpl.h:44, from ../../../../pr/src/threads/prtpd.c:37: ../../../../pr/include/md/_winnt.h:489:34: warning: 'thread' attribute directive ignored ../../../../pr/include/md/_winnt.h:507:34: warning: 'thread' attribute directive ignored ../../../../pr/include/md/_winnt.h:523:34: warning: 'thread' attribute directive ignored ../../../../pr/include/md/_winnt.h:539:1: warning: 'thread' attribute directive ignored make[4]: Leaving directory `/home/arc/nss-3.13.6/mozilla/nsprpub/WINNT6.1_DBG.OBJ/pr/src/threads' make build make[4]: Entering directory `/home/arc/nss-3.13.6/mozilla/nsprpub/WINNT6.1_DBG.OBJ/pr/src' gcc -mwindows -o prvrsion.o -c -g -UNDEBUG -DDEBUG_arc -DDEBUG=1 -DXP_PC=1 -DWIN32=1 -DWINNT=1 -D_X86_=1 -DHAVE_STRERROR=1 -DFORCE_PR_LOG -D_NSPR_BUILD_ -I../../../../dist/WINNT6.1_DBG.OBJ/include -I../../../pr/include -I../../../pr/include/private -I. ../../../pr/src/prvrsion.c rm -f libnspr4_s.a /c/MinGW4nss2/bin//ar cr libnspr4_s.a ./prvrsion.o io/./prfdcach.o io/./prmwait.o io/./prmapopt.o io/./priometh.o io/./pripv6.o io/./prlayer.o io/./prlog.o io/./prmmap.o io/./prpolevt.o io/./prprf.o io/./prscanf.o io/./prstdio.o threads/./prcmon.o threads/./prrwlock.o threads/./prtpd.o linking/./prlink.o malloc/./prmalloc.o malloc/./prmem.o md/./prosdep.o memory/./prshm.o memory/./prshma.o memory/./prseg.o misc/./pralarm.o misc/./pratom.o misc/./prcountr.o misc/./prdtoa.o misc/./prenv.o misc/./prerr.o misc/./prerror.o misc/./prerrortable.o misc/./prinit.o misc/./prinrval.o misc/./pripc.o misc/./prlog2.o misc/./prlong.o misc/./prnetdb.o misc/./praton.o misc/./prolock.o misc/./prrng.o misc/./prsystem.o misc/./prthinfo.o misc/./prtpool.o misc/./prtrace.o misc/./prtime.o io/./prdir.o io/./prfile.o io/./prio.o io/./prsocket.o misc/./pripcsem.o threads/./prcthr.o threads/./prdump.o threads/./prmon.o threads/./prsem.o threads/combined/./prucpu.o threads/combined/./prucv.o threads/co mbined/./prulock.o threads/combined/./prustack.o threads/combined/./pruthr.o md/windows/./ntmisc.o md/windows/./ntsec.o md/windows/./ntsem.o md/windows/./ntinrval.o md/windows/./ntgc.o md/windows/./ntio.o md/windows/./ntthread.o md/windows/./ntdllmn.o md/windows/./win32_errors.o md/windows/./w32ipcsem.o md/windows/./w32poll.o md/windows/./w32rng.o md/windows/./w32shm.o ranlib libnspr4_s.a /c/MinGW4nss2/bin//windres -O coff --use-temp-file -DDEBUG_arc -DDEBUG=1 -DXP_PC=1 -DWIN32=1 -DWINNT=1 -D_X86_=1 -DHAVE_STRERROR=1 -DFORCE_PR_LOG -D_NSPR_BUILD_ --include-dir ../../../../dist/WINNT6.1_DBG.OBJ/include --include-dir ../../../pr/include --include-dir ../../../pr/include/private -o nspr.res ../../../pr/src/nspr.rc ./nspr.res finished rm -f libnspr4.dll gcc -mwindows -shared -Wl,--export-all-symbols -Wl,--out-implib -Wl,./libnspr4.a -o libnspr4.dll ./prvrsion.o io/./prfdcach.o io/./prmwait.o io/./prmapopt.o io/./priometh.o io/./pripv6.o io/./prlayer.o io/./prlog.o io/./prmmap.o io/./prpolevt.o io/./prprf.o io/./prscanf.o io/./prstdio.o threads/./prcmon.o threads/./prrwlock.o threads/./prtpd.o linking/./prlink.o malloc/./prmalloc.o malloc/./prmem.o md/./prosdep.o memory/./prshm.o memory/./prshma.o memory/./prseg.o misc/./pralarm.o misc/./pratom.o misc/./prcountr.o misc/./prdtoa.o misc/./prenv.o misc/./prerr.o misc/./prerror.o misc/./prerrortable.o misc/./prinit.o misc/./prinrval.o misc/./pripc.o misc/./prlog2.o misc/./prlong.o misc/./prnetdb.o misc/./praton.o misc/./prolock.o misc/./prrng.o misc/./prsystem.o misc/./prthinfo.o misc/./prtpool.o misc/./prtrace.o misc/./prtime.o io/./prdir.o io/./prfile.o io/./prio.o io/./prsocket.o misc/./pripcsem.o threads/./prcthr.o threads/./prdump.o threads/./prmon.o threads/./prsem.o threa ds/combined/./prucpu.o threads/combined/./prucv.o threads/combined/./prulock.o threads/combined/./prustack.o threads/combined/./pruthr.o md/windows/./ntmisc.o md/windows/./ntsec.o md/windows/./ntsem.o md/windows/./ntinrval.o md/windows/./ntgc
Re: how to get CKA_PRIVATE_EXPONENT attribute from a private key?
hi, I solved the problem by generating the key pair with "isPerm" to be PR_FALSE, and then importing the private key using PK11_ImportDERPrivateKeyInfoAndReturnKey. Best Regards, Weizhong Qiang On Jan 31, 2012, at 7:28 AM, weizhong qiang wrote: > hi Robert and others, > See the attachment for more complete test case of generating and reading a > key. > I found if I set the "isPerm" parameter to be PR_FALSE (see line 78 of the > test case), the private key is not sensitive. > If I set the "isPerm" parameter to be PR_TRUE, then not mater the > "IsSensitive" (the next parameter after "isPerm") is PR_TRUE or PR_FALSE, the > private key always sensitive. > Is it a feature? > > Thanks and Best Regards, > Weizhong Qiang > > > > > On Jan 28, 2012, at 4:16 PM, weizhong qiang wrote: > >> hi, >> >> On Jan 27, 2012, at 6:52 PM, Robert Relyea wrote: >> >>> On 01/26/2012 11:53 PM, weizhong qiang wrote: >>>> hi, >>>> I did found that the CKA_SENSITIVE is "true" by using the following code: >>>> rv = PK11_ReadRawAttribute(PK11_TypePrivKey, privKey, >>>> CKA_SENSITIVE,&value); >>>> if (rv != SECSuccess) { >>>> NSSUtilLogger.msg(ERROR, "Failed to read CKA_SENSITIVE attribute >>>> from private key."); >>>> } >>>> if ((value.len == 1)&& (value.data != NULL)) >>>> std::cout<< !!(*(CK_BBOOL*)value.data)<>>> >>>> But I did set sensitive parameter to be PR_FALSE when generate the key >>>> pair, see the following: >>>> *privk = PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN,&rsaParams, >>>> pubk, PR_FALSE, PR_FALSE, NULL); >>>> >>>> How could the key still be sensitive? Is there anywhere that I should set? >>> Hmm, your right, that doesn't seem right. Do you have a simple test case >>> that reproduces this? >> >> Yes, Please see the following attachment for the test case. If you would >> help, you need to change the path of nss db, and certname, password etc. >> >> >> >>> >>> Also which version of NSS are you running? >> >> Name: NSS >> Description: Mozilla Network Security Services >> Version: 3.12.9+ckbi-1.82 >> >> >>> Are you sure that slot points to the internal token? >> >> Yes, you can see the code of test case, I explicitly point to the internal >> token. >> >>> Are you in FIPS mode? (in which case you don't have a choice on sensitive >>> or not). >> >> I did not enable FIPS mode. I suppose FIPS will not be enabled by default? >> >> Best Regard, >> Weizhong Qiang >> >>> >>> NSS uses exactly this method to generate a key it's going to load into a >>> token that doesn't support CKM_RSA_PKCS_KEY_PAIR_GEN. >>> >>> bob >>> >>>> >>>> Best Regards >>>> Weizhong Qiang >>>> >>>> >>>> On Jan 26, 2012, at 6:57 PM, Robert Relyea wrote: >>>> >>>>> On 01/26/2012 07:55 AM, weizhong qiang wrote: >>>>>> On Jan 26, 2012, at 4:44 PM, helpcrypto helpcrypto wrote: >>>>>> >>>>>>> AFAIK, returning or not the attributes from an object, depends on the >>>>>>> token. >>>>>> Everything I am operating is on the nss internal softoken. >>>>> Right softoken enforces good hygiene. >>>>> In truth, access to those attributes are controlled through a couple of >>>>> other attributes: >>>>> >>>>> CKA_PRIVATE - access to the object requires authentication. >>>>> >>>>> CKA_SENSITIVE - direct access to the sensitive/private attributes of this >>>>> object is prohibitted. >>>>> >>>>> CKA_EXTRACTABLE - this object can be extracted from the token. >>>>> >>>>> If Private is set, then you need to log in to do any of the actions below. >>>>> >>>>> If both Sensitve and Extractable is set, then you can extract the object >>>>> by wrapping it, but you can't access the unencrypted attributes. >>>>> >>>>> If Senstive is FALSE and Extractable is TRUE, you can either extract the >>>>> object by wrapping it, or by reading the attributes directly. >>
Re: how to get CKA_PRIVATE_EXPONENT attribute from a private key?
hi Robert and others, See the attachment for more complete test case of generating and reading a key. I found if I set the "isPerm" parameter to be PR_FALSE (see line 78 of the test case), the private key is not sensitive. If I set the "isPerm" parameter to be PR_TRUE, then not mater the "IsSensitive" (the next parameter after "isPerm") is PR_TRUE or PR_FALSE, the private key always sensitive. Is it a feature? Thanks and Best Regards, Weizhong Qiang On Jan 28, 2012, at 4:16 PM, weizhong qiang wrote: > hi, > > On Jan 27, 2012, at 6:52 PM, Robert Relyea wrote: > >> On 01/26/2012 11:53 PM, weizhong qiang wrote: >>> hi, >>> I did found that the CKA_SENSITIVE is "true" by using the following code: >>>rv = PK11_ReadRawAttribute(PK11_TypePrivKey, privKey, >>> CKA_SENSITIVE,&value); >>>if (rv != SECSuccess) { >>> NSSUtilLogger.msg(ERROR, "Failed to read CKA_SENSITIVE attribute >>> from private key."); >>>} >>> if ((value.len == 1)&& (value.data != NULL)) >>> std::cout<< !!(*(CK_BBOOL*)value.data)<>> >>> But I did set sensitive parameter to be PR_FALSE when generate the key >>> pair, see the following: >>> *privk = PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN,&rsaParams, >>>pubk, PR_FALSE, PR_FALSE, NULL); >>> >>> How could the key still be sensitive? Is there anywhere that I should set? >> Hmm, your right, that doesn't seem right. Do you have a simple test case >> that reproduces this? > > Yes, Please see the following attachment for the test case. If you would > help, you need to change the path of nss db, and certname, password etc. > > > >> >> Also which version of NSS are you running? > > Name: NSS > Description: Mozilla Network Security Services > Version: 3.12.9+ckbi-1.82 > > >> Are you sure that slot points to the internal token? > > Yes, you can see the code of test case, I explicitly point to the internal > token. > >> Are you in FIPS mode? (in which case you don't have a choice on sensitive or >> not). > > I did not enable FIPS mode. I suppose FIPS will not be enabled by default? > > Best Regard, > Weizhong Qiang > >> >> NSS uses exactly this method to generate a key it's going to load into a >> token that doesn't support CKM_RSA_PKCS_KEY_PAIR_GEN. >> >> bob >> >>> >>> Best Regards >>> Weizhong Qiang >>> >>> >>> On Jan 26, 2012, at 6:57 PM, Robert Relyea wrote: >>> >>>> On 01/26/2012 07:55 AM, weizhong qiang wrote: >>>>> On Jan 26, 2012, at 4:44 PM, helpcrypto helpcrypto wrote: >>>>> >>>>>> AFAIK, returning or not the attributes from an object, depends on the >>>>>> token. >>>>> Everything I am operating is on the nss internal softoken. >>>> Right softoken enforces good hygiene. >>>> In truth, access to those attributes are controlled through a couple of >>>> other attributes: >>>> >>>> CKA_PRIVATE - access to the object requires authentication. >>>> >>>> CKA_SENSITIVE - direct access to the sensitive/private attributes of this >>>> object is prohibitted. >>>> >>>> CKA_EXTRACTABLE - this object can be extracted from the token. >>>> >>>> If Private is set, then you need to log in to do any of the actions below. >>>> >>>> If both Sensitve and Extractable is set, then you can extract the object >>>> by wrapping it, but you can't access the unencrypted attributes. >>>> >>>> If Senstive is FALSE and Extractable is TRUE, you can either extract the >>>> object by wrapping it, or by reading the attributes directly. >>>> >>>> If Extractable is FALSE, then you can't extract the object at all (either >>>> by wrapping it or by reading the attributes directly). >>>> >>>> Most tokens set Extratable to FALSE. >>>> >>>> bob >>>> >>>>> >>>>>> I recommend you reading about CKO_PRIVATE_KEY on PKCS#11 standard to >>>>>> understand what can be happening. >>>>>> For example if token=card, CKA_PRIME_1 *musnt* be on the card, as far >>>>>> is not *needed* to do cryptographic operations. >>>>>> >>>>>>
Re: how to get CKA_PRIVATE_EXPONENT attribute from a private key?
hi, On Jan 27, 2012, at 6:52 PM, Robert Relyea wrote: > On 01/26/2012 11:53 PM, weizhong qiang wrote: >> hi, >> I did found that the CKA_SENSITIVE is "true" by using the following code: >> rv = PK11_ReadRawAttribute(PK11_TypePrivKey, privKey, >> CKA_SENSITIVE,&value); >> if (rv != SECSuccess) { >> NSSUtilLogger.msg(ERROR, "Failed to read CKA_SENSITIVE attribute >> from private key."); >> } >>if ((value.len == 1)&& (value.data != NULL)) >> std::cout<< !!(*(CK_BBOOL*)value.data)<> >> But I did set sensitive parameter to be PR_FALSE when generate the key pair, >> see the following: >> *privk = PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN,&rsaParams, >> pubk, PR_FALSE, PR_FALSE, NULL); >> >> How could the key still be sensitive? Is there anywhere that I should set? > Hmm, your right, that doesn't seem right. Do you have a simple test case that > reproduces this? Yes, Please see the following attachment for the test case. If you would help, you need to change the path of nss db, and certname, password etc. > > Also which version of NSS are you running? Name: NSS Description: Mozilla Network Security Services Version: 3.12.9+ckbi-1.82 > Are you sure that slot points to the internal token? Yes, you can see the code of test case, I explicitly point to the internal token. > Are you in FIPS mode? (in which case you don't have a choice on sensitive or > not). I did not enable FIPS mode. I suppose FIPS will not be enabled by default? Best Regard, Weizhong Qiang > > NSS uses exactly this method to generate a key it's going to load into a > token that doesn't support CKM_RSA_PKCS_KEY_PAIR_GEN. > > bob > >> >> Best Regards >> Weizhong Qiang >> >> >> On Jan 26, 2012, at 6:57 PM, Robert Relyea wrote: >> >>> On 01/26/2012 07:55 AM, weizhong qiang wrote: >>>> On Jan 26, 2012, at 4:44 PM, helpcrypto helpcrypto wrote: >>>> >>>>> AFAIK, returning or not the attributes from an object, depends on the >>>>> token. >>>> Everything I am operating is on the nss internal softoken. >>> Right softoken enforces good hygiene. >>> In truth, access to those attributes are controlled through a couple of >>> other attributes: >>> >>> CKA_PRIVATE - access to the object requires authentication. >>> >>> CKA_SENSITIVE - direct access to the sensitive/private attributes of this >>> object is prohibitted. >>> >>> CKA_EXTRACTABLE - this object can be extracted from the token. >>> >>> If Private is set, then you need to log in to do any of the actions below. >>> >>> If both Sensitve and Extractable is set, then you can extract the object by >>> wrapping it, but you can't access the unencrypted attributes. >>> >>> If Senstive is FALSE and Extractable is TRUE, you can either extract the >>> object by wrapping it, or by reading the attributes directly. >>> >>> If Extractable is FALSE, then you can't extract the object at all (either >>> by wrapping it or by reading the attributes directly). >>> >>> Most tokens set Extratable to FALSE. >>> >>> bob >>> >>>> >>>>> I recommend you reading about CKO_PRIVATE_KEY on PKCS#11 standard to >>>>> understand what can be happening. >>>>> For example if token=card, CKA_PRIME_1 *musnt* be on the card, as far >>>>> is not *needed* to do cryptographic operations. >>>>> >>>>> El día 26 de enero de 2012 14:08, weizhong qiang >>>>>escribió: >>>>>> hi, >>>>>> Is there a fact that nss does not permit the reading of the attribute >>>>>> CKA_PRIVATE_EXPONENT, CKA_PRIME_1, etc.? >>>>>> Because with all of the eight attributes, it is possible to compose the >>>>>> content of the private key, but the outputting of private key is not >>>>>> allowed in nss? >>>>>> >>>>>> Thanks and Best Regards, >>>>>> Weizhong Qiang >>>>>> >>>>>> On Jan 26, 2012, at 9:43 AM, helpcrypto helpcrypto wrote: >>>>>> >>>>>>> Is eny error shown at NSSUtilLogger.msg(ERROR, "Failed to read >>>>>>> attribute %x from private key.", type); ? >>>>>>> >>>>>&g
Re: how to get CKA_PRIVATE_EXPONENT attribute from a private key?
hi, On Jan 27, 2012, at 6:41 PM, Robert Relyea wrote: > On 01/26/2012 06:50 PM, weizhong qiang wrote: >> hi, >> >> On Jan 26, 2012, at 6:28 PM, Robert Relyea wrote: >> >>> On 01/26/2012 05:08 AM, weizhong qiang wrote: >>>> hi, >>>> Is there a fact that nss does not permit the reading of the attribute >>>> CKA_PRIVATE_EXPONENT, CKA_PRIME_1, etc.? >>>> Because with all of the eight attributes, it is possible to compose the >>>> content of the private key, but the outputting of private key is not >>>> allowed in nss? >>>> >>>> Thanks and Best Regards, >>>> Weizhong Qiang >>> These are private attributes. You are correct, applications aren't allowed >>> to get them. It's bad security hygene to access private cryptographic >>> components in the application itself, thought it's almost the first thing >>> new crypto programmers try to do. >>> >>> My real question here is Why do you want to get the CKA_PRIVATE_EXPONENT? >> I need to get CKA_PRIVATE_EXPONENT and some other private attributes, in >> order to compute the private key, so as to output this private key without >> encryption. I just knew that nss itself does not support the outputting of >> private key without encryption. > Right. That is how NSS enforces that semantic. >> The outputting of private key that nss support is only the pk12 that >> requires encryption of private key. >> I reason I want to do this is that I use the certificate in nss softoken to >> sign a proxy certificate (rfc 3820), and then I need to output the private >> key (generate by nss) that is relevant to this proxy certificate. > I'm still not clear why the key needs to be in the clear. Are you trying to > use the key with some other software? All major crypto toolkits allow > importing keys using pkcs 12, or is the proxy using your own code (which is > really a bad idea given the plethera of tested and available open source > crypto libraries out there). In the Grid computing area, the private key of proxy (a proxy includes both X509 and private key) by default needs to be un-encrypted, so that the delegation can be processed automatically (see: http://globus.org/toolkit/docs/4.0/security/key-index.html). Before the proxy normally is generated by the file-based certificate and key, now we need it to be generated by the credential from nss softoken. I am using nss API to achieve this. To clarify my problem, I use nss API to generate a proxy (i.e., a RSA key pair is generated inside nss, and then the public key is used for an EEC credential in nss DB to sign a proxy certificate), but since the private key is still inside nss db, I need to output the private key together with the signed certificate. PKCS12 is the option for outputting, but the private key encryption is not needed for me here, because a private key of proxy must not be encrypted. So that is the reason why I need to output a un-encrypted key. Best Regards Weizhong Qiang > > bob >> >> Best Regards, >> Weizhong Qiang >> >>> bob >>> >>> -- >>> dev-tech-crypto mailing list >>> dev-tech-crypto@lists.mozilla.org >>> https://lists.mozilla.org/listinfo/dev-tech-crypto > > > -- > dev-tech-crypto mailing list > dev-tech-crypto@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-tech-crypto -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: how to get CKA_PRIVATE_EXPONENT attribute from a private key?
hi, I did found that the CKA_SENSITIVE is "true" by using the following code: rv = PK11_ReadRawAttribute(PK11_TypePrivKey, privKey, CKA_SENSITIVE, &value); if (rv != SECSuccess) { NSSUtilLogger.msg(ERROR, "Failed to read CKA_SENSITIVE attribute from private key."); } if ((value.len == 1) && (value.data != NULL)) std::cout<< !!(*(CK_BBOOL*)value.data)< On 01/26/2012 07:55 AM, weizhong qiang wrote: >> On Jan 26, 2012, at 4:44 PM, helpcrypto helpcrypto wrote: >> >>> AFAIK, returning or not the attributes from an object, depends on the token. >> Everything I am operating is on the nss internal softoken. > > Right softoken enforces good hygiene. > In truth, access to those attributes are controlled through a couple of other > attributes: > > CKA_PRIVATE - access to the object requires authentication. > > CKA_SENSITIVE - direct access to the sensitive/private attributes of this > object is prohibitted. > > CKA_EXTRACTABLE - this object can be extracted from the token. > > If Private is set, then you need to log in to do any of the actions below. > > If both Sensitve and Extractable is set, then you can extract the object by > wrapping it, but you can't access the unencrypted attributes. > > If Senstive is FALSE and Extractable is TRUE, you can either extract the > object by wrapping it, or by reading the attributes directly. > > If Extractable is FALSE, then you can't extract the object at all (either by > wrapping it or by reading the attributes directly). > > Most tokens set Extratable to FALSE. > > bob > >> >> >>> I recommend you reading about CKO_PRIVATE_KEY on PKCS#11 standard to >>> understand what can be happening. >>> For example if token=card, CKA_PRIME_1 *musnt* be on the card, as far >>> is not *needed* to do cryptographic operations. >>> >>> El día 26 de enero de 2012 14:08, weizhong qiang >>> escribió: >>>> hi, >>>> Is there a fact that nss does not permit the reading of the attribute >>>> CKA_PRIVATE_EXPONENT, CKA_PRIME_1, etc.? >>>> Because with all of the eight attributes, it is possible to compose the >>>> content of the private key, but the outputting of private key is not >>>> allowed in nss? >>>> >>>> Thanks and Best Regards, >>>> Weizhong Qiang >>>> >>>> On Jan 26, 2012, at 9:43 AM, helpcrypto helpcrypto wrote: >>>> >>>>> Is eny error shown at NSSUtilLogger.msg(ERROR, "Failed to read >>>>> attribute %x from private key.", type); ? >>>>> >>>>> El día 25 de enero de 2012 17:04, weizhong qiang >>>>> escribió: >>>>>> hi all, >>>>>> I tried to get the attributes from a private key (see the following code >>>>>> piece). But only the CKA_MODULUS and CKA_PUBLIC_EXPONENT can be got, >>>>>> others (CKA_PRIVATE_EXPONENT etc.) can not be got. >>>>>> Could you tell me how to solve it? >>>>>> By the way, I generate rsa key pair without "sensitive" >>>>>> (PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN,&rsaParams, pubk, >>>>>> PR_TRUE, PR_FALSE, NULL); ), so I suppose the private key is not >>>>>> protected by password, and can be output? >>>>>> >>>>>> Best Regards, >>>>>> Weizhong Qiang >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> // >>>>>> static bool ReadPrivKeyAttribute(SECKEYPrivateKey* key, >>>>>> CK_ATTRIBUTE_TYPE type, std::vector* output) { >>>>>>SECItem item; >>>>>>SECStatus rv; >>>>>>rv = PK11_ReadRawAttribute(PK11_TypePrivKey, key, type,&item); >>>>>>if (rv != SECSuccess) { >>>>>> NSSUtilLogger.msg(ERROR, "Failed to read attribute %x from private >>>>>> key.", type); >>>>>> return false; >>>>>>} >>>>>>output->assign(item.data, item.data + item.len); >>>>>>SECITEM_FreeItem(&item, PR_FALSE); >>>>>>return true; >>>>>> } >>>>>> >>>>>> static bool ExportPrivateKey(SECKEYPrivateKey* key, std::vector* >>>>>> output) { >>>>>>PrivateKeyI
Re: how to get CKA_PRIVATE_EXPONENT attribute from a private key?
hi, On Jan 26, 2012, at 6:28 PM, Robert Relyea wrote: > On 01/26/2012 05:08 AM, weizhong qiang wrote: >> hi, >> Is there a fact that nss does not permit the reading of the attribute >> CKA_PRIVATE_EXPONENT, CKA_PRIME_1, etc.? >> Because with all of the eight attributes, it is possible to compose the >> content of the private key, but the outputting of private key is not allowed >> in nss? >> >> Thanks and Best Regards, >> Weizhong Qiang > These are private attributes. You are correct, applications aren't allowed to > get them. It's bad security hygene to access private cryptographic components > in the application itself, thought it's almost the first thing new crypto > programmers try to do. > > My real question here is Why do you want to get the CKA_PRIVATE_EXPONENT? I need to get CKA_PRIVATE_EXPONENT and some other private attributes, in order to compute the private key, so as to output this private key without encryption. I just knew that nss itself does not support the outputting of private key without encryption. The outputting of private key that nss support is only the pk12 that requires encryption of private key. I reason I want to do this is that I use the certificate in nss softoken to sign a proxy certificate (rfc 3820), and then I need to output the private key (generate by nss) that is relevant to this proxy certificate. Best Regards, Weizhong Qiang > > bob > > -- > dev-tech-crypto mailing list > dev-tech-crypto@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-tech-crypto -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: how to get CKA_PRIVATE_EXPONENT attribute from a private key?
On Jan 26, 2012, at 4:44 PM, helpcrypto helpcrypto wrote: > AFAIK, returning or not the attributes from an object, depends on the token. Everything I am operating is on the nss internal softoken. > I recommend you reading about CKO_PRIVATE_KEY on PKCS#11 standard to > understand what can be happening. > For example if token=card, CKA_PRIME_1 *musnt* be on the card, as far > is not *needed* to do cryptographic operations. > > El día 26 de enero de 2012 14:08, weizhong qiang > escribió: >> hi, >> Is there a fact that nss does not permit the reading of the attribute >> CKA_PRIVATE_EXPONENT, CKA_PRIME_1, etc.? >> Because with all of the eight attributes, it is possible to compose the >> content of the private key, but the outputting of private key is not allowed >> in nss? >> >> Thanks and Best Regards, >> Weizhong Qiang >> >> On Jan 26, 2012, at 9:43 AM, helpcrypto helpcrypto wrote: >> >>> Is eny error shown at NSSUtilLogger.msg(ERROR, "Failed to read >>> attribute %x from private key.", type); ? >>> >>> El día 25 de enero de 2012 17:04, weizhong qiang >>> escribió: >>>> hi all, >>>> I tried to get the attributes from a private key (see the following code >>>> piece). But only the CKA_MODULUS and CKA_PUBLIC_EXPONENT can be got, >>>> others (CKA_PRIVATE_EXPONENT etc.) can not be got. >>>> Could you tell me how to solve it? >>>> By the way, I generate rsa key pair without "sensitive" >>>> (PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN, &rsaParams, pubk, >>>> PR_TRUE, PR_FALSE, NULL); ), so I suppose the private key is not protected >>>> by password, and can be output? >>>> >>>> Best Regards, >>>> Weizhong Qiang >>>> >>>> >>>> >>>> >>>> // >>>> static bool ReadPrivKeyAttribute(SECKEYPrivateKey* key, CK_ATTRIBUTE_TYPE >>>> type, std::vector* output) { >>>>SECItem item; >>>>SECStatus rv; >>>>rv = PK11_ReadRawAttribute(PK11_TypePrivKey, key, type, &item); >>>>if (rv != SECSuccess) { >>>> NSSUtilLogger.msg(ERROR, "Failed to read attribute %x from private >>>> key.", type); >>>> return false; >>>>} >>>>output->assign(item.data, item.data + item.len); >>>>SECITEM_FreeItem(&item, PR_FALSE); >>>>return true; >>>> } >>>> >>>> static bool ExportPrivateKey(SECKEYPrivateKey* key, std::vector* >>>> output) { >>>>PrivateKeyInfoCodec private_key_info(true); >>>> >>>>// Manually read the component attributes of the private key and build >>>> up >>>>// the PrivateKeyInfo. >>>>if (!ReadPrivKeyAttribute(key, CKA_MODULUS, private_key_info.modulus()) >>>> || >>>> !ReadPrivKeyAttribute(key, CKA_PUBLIC_EXPONENT, >>>> private_key_info.public_exponent()) || >>>> !ReadPrivKeyAttribute(key, CKA_PRIVATE_EXPONENT, >>>> private_key_info.private_exponent()) || >>>> !ReadPrivKeyAttribute(key, CKA_PRIME_1, private_key_info.prime1()) || >>>> !ReadPrivKeyAttribute(key, CKA_PRIME_2, private_key_info.prime2()) || >>>> !ReadPrivKeyAttribute(key, CKA_EXPONENT_1, >>>> private_key_info.exponent1()) || >>>> !ReadPrivKeyAttribute(key, CKA_EXPONENT_2, >>>> private_key_info.exponent2()) || >>>> !ReadPrivKeyAttribute(key, CKA_COEFFICIENT, >>>> private_key_info.coefficient())) { >>>> return false; >>>>} >>>> >>>>return private_key_info.Export(output); >>>> } >>>> >>>> -- >>>> dev-tech-crypto mailing list >>>> dev-tech-crypto@lists.mozilla.org >>>> https://lists.mozilla.org/listinfo/dev-tech-crypto >>> -- >>> dev-tech-crypto mailing list >>> dev-tech-crypto@lists.mozilla.org >>> https://lists.mozilla.org/listinfo/dev-tech-crypto >> >> -- >> dev-tech-crypto mailing list >> dev-tech-crypto@lists.mozilla.org >> https://lists.mozilla.org/listinfo/dev-tech-crypto > -- > dev-tech-crypto mailing list > dev-tech-crypto@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-tech-crypto -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: how to get CKA_PRIVATE_EXPONENT attribute from a private key?
hi, Is there a fact that nss does not permit the reading of the attribute CKA_PRIVATE_EXPONENT, CKA_PRIME_1, etc.? Because with all of the eight attributes, it is possible to compose the content of the private key, but the outputting of private key is not allowed in nss? Thanks and Best Regards, Weizhong Qiang On Jan 26, 2012, at 9:43 AM, helpcrypto helpcrypto wrote: > Is eny error shown at NSSUtilLogger.msg(ERROR, "Failed to read > attribute %x from private key.", type); ? > > El día 25 de enero de 2012 17:04, weizhong qiang > escribió: >> hi all, >> I tried to get the attributes from a private key (see the following code >> piece). But only the CKA_MODULUS and CKA_PUBLIC_EXPONENT can be got, others >> (CKA_PRIVATE_EXPONENT etc.) can not be got. >> Could you tell me how to solve it? >> By the way, I generate rsa key pair without "sensitive" >> (PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN, &rsaParams, pubk, >> PR_TRUE, PR_FALSE, NULL); ), so I suppose the private key is not protected >> by password, and can be output? >> >> Best Regards, >> Weizhong Qiang >> >> >> >> >> // >> static bool ReadPrivKeyAttribute(SECKEYPrivateKey* key, CK_ATTRIBUTE_TYPE >> type, std::vector* output) { >>SECItem item; >>SECStatus rv; >>rv = PK11_ReadRawAttribute(PK11_TypePrivKey, key, type, &item); >>if (rv != SECSuccess) { >> NSSUtilLogger.msg(ERROR, "Failed to read attribute %x from private >> key.", type); >> return false; >>} >>output->assign(item.data, item.data + item.len); >>SECITEM_FreeItem(&item, PR_FALSE); >>return true; >> } >> >> static bool ExportPrivateKey(SECKEYPrivateKey* key, std::vector* >> output) { >>PrivateKeyInfoCodec private_key_info(true); >> >>// Manually read the component attributes of the private key and build up >>// the PrivateKeyInfo. >>if (!ReadPrivKeyAttribute(key, CKA_MODULUS, private_key_info.modulus()) || >> !ReadPrivKeyAttribute(key, CKA_PUBLIC_EXPONENT, >> private_key_info.public_exponent()) || >> !ReadPrivKeyAttribute(key, CKA_PRIVATE_EXPONENT, >> private_key_info.private_exponent()) || >> !ReadPrivKeyAttribute(key, CKA_PRIME_1, private_key_info.prime1()) || >> !ReadPrivKeyAttribute(key, CKA_PRIME_2, private_key_info.prime2()) || >> !ReadPrivKeyAttribute(key, CKA_EXPONENT_1, >> private_key_info.exponent1()) || >> !ReadPrivKeyAttribute(key, CKA_EXPONENT_2, >> private_key_info.exponent2()) || >> !ReadPrivKeyAttribute(key, CKA_COEFFICIENT, >> private_key_info.coefficient())) { >> return false; >>} >> >>return private_key_info.Export(output); >> } >> >> -- >> dev-tech-crypto mailing list >> dev-tech-crypto@lists.mozilla.org >> https://lists.mozilla.org/listinfo/dev-tech-crypto > -- > dev-tech-crypto mailing list > dev-tech-crypto@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-tech-crypto -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: how to get CKA_PRIVATE_EXPONENT attribute from a private key?
The rv value gives SECFailure. Thanks 在 2012-1-26 下午5:29,"helpcrypto helpcrypto" 写道: > my mistake. i mean the RV value > -- > dev-tech-crypto mailing list > dev-tech-crypto@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-tech-crypto > -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: how to get CKA_PRIVATE_EXPONENT attribute from a private key?
Hi, It gives number 123, which is the type CKA_PRIVATE_EXPONENT. Thanks Weizhong qiang 在 2012-1-26 下午4:43,"helpcrypto helpcrypto" 写道: > Is eny error shown at NSSUtilLogger.msg(ERROR, "Failed to read > attribute %x from private key.", type); ? > > El día 25 de enero de 2012 17:04, weizhong qiang > escribió: > > hi all, > > I tried to get the attributes from a private key (see the following code > piece). But only the CKA_MODULUS and CKA_PUBLIC_EXPONENT can be got, others > (CKA_PRIVATE_EXPONENT etc.) can not be got. > > Could you tell me how to solve it? > > By the way, I generate rsa key pair without "sensitive" > (PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN, &rsaParams, pubk, > PR_TRUE, PR_FALSE, NULL); ), so I suppose the private key is not protected > by password, and can be output? > > > > Best Regards, > > Weizhong Qiang > > > > > > > > > > // > > static bool ReadPrivKeyAttribute(SECKEYPrivateKey* key, > CK_ATTRIBUTE_TYPE type, std::vector* output) { > >SECItem item; > >SECStatus rv; > >rv = PK11_ReadRawAttribute(PK11_TypePrivKey, key, type, &item); > >if (rv != SECSuccess) { > > NSSUtilLogger.msg(ERROR, "Failed to read attribute %x from private > key.", type); > > return false; > >} > >output->assign(item.data, item.data + item.len); > >SECITEM_FreeItem(&item, PR_FALSE); > >return true; > > } > > > > static bool ExportPrivateKey(SECKEYPrivateKey* key, std::vector* > output) { > >PrivateKeyInfoCodec private_key_info(true); > > > >// Manually read the component attributes of the private key and > build up > >// the PrivateKeyInfo. > >if (!ReadPrivKeyAttribute(key, CKA_MODULUS, > private_key_info.modulus()) || > > !ReadPrivKeyAttribute(key, CKA_PUBLIC_EXPONENT, > private_key_info.public_exponent()) || > > !ReadPrivKeyAttribute(key, CKA_PRIVATE_EXPONENT, > private_key_info.private_exponent()) || > > !ReadPrivKeyAttribute(key, CKA_PRIME_1, private_key_info.prime1()) > || > > !ReadPrivKeyAttribute(key, CKA_PRIME_2, private_key_info.prime2()) > || > > !ReadPrivKeyAttribute(key, CKA_EXPONENT_1, > private_key_info.exponent1()) || > > !ReadPrivKeyAttribute(key, CKA_EXPONENT_2, > private_key_info.exponent2()) || > > !ReadPrivKeyAttribute(key, CKA_COEFFICIENT, > private_key_info.coefficient())) { > > return false; > >} > > > >return private_key_info.Export(output); > > } > > > > -- > > dev-tech-crypto mailing list > > dev-tech-crypto@lists.mozilla.org > > https://lists.mozilla.org/listinfo/dev-tech-crypto > -- > dev-tech-crypto mailing list > dev-tech-crypto@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-tech-crypto -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
how to get CKA_PRIVATE_EXPONENT attribute from a private key?
hi all, I tried to get the attributes from a private key (see the following code piece). But only the CKA_MODULUS and CKA_PUBLIC_EXPONENT can be got, others (CKA_PRIVATE_EXPONENT etc.) can not be got. Could you tell me how to solve it? By the way, I generate rsa key pair without "sensitive" (PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN, &rsaParams, pubk, PR_TRUE, PR_FALSE, NULL); ), so I suppose the private key is not protected by password, and can be output? Best Regards, Weizhong Qiang // static bool ReadPrivKeyAttribute(SECKEYPrivateKey* key, CK_ATTRIBUTE_TYPE type, std::vector* output) { SECItem item; SECStatus rv; rv = PK11_ReadRawAttribute(PK11_TypePrivKey, key, type, &item); if (rv != SECSuccess) { NSSUtilLogger.msg(ERROR, "Failed to read attribute %x from private key.", type); return false; } output->assign(item.data, item.data + item.len); SECITEM_FreeItem(&item, PR_FALSE); return true; } static bool ExportPrivateKey(SECKEYPrivateKey* key, std::vector* output) { PrivateKeyInfoCodec private_key_info(true); // Manually read the component attributes of the private key and build up // the PrivateKeyInfo. if (!ReadPrivKeyAttribute(key, CKA_MODULUS, private_key_info.modulus()) || !ReadPrivKeyAttribute(key, CKA_PUBLIC_EXPONENT, private_key_info.public_exponent()) || !ReadPrivKeyAttribute(key, CKA_PRIVATE_EXPONENT, private_key_info.private_exponent()) || !ReadPrivKeyAttribute(key, CKA_PRIME_1, private_key_info.prime1()) || !ReadPrivKeyAttribute(key, CKA_PRIME_2, private_key_info.prime2()) || !ReadPrivKeyAttribute(key, CKA_EXPONENT_1, private_key_info.exponent1()) || !ReadPrivKeyAttribute(key, CKA_EXPONENT_2, private_key_info.exponent2()) || !ReadPrivKeyAttribute(key, CKA_COEFFICIENT, private_key_info.coefficient())) { return false; } return private_key_info.Export(output); } -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto