Re: how to get CKA_PRIVATE_EXPONENT attribute from a private key?
hi, I solved the problem by generating the key pair with isPerm to be PR_FALSE, and then importing the private key using PK11_ImportDERPrivateKeyInfoAndReturnKey. Best Regards, Weizhong Qiang On Jan 31, 2012, at 7:28 AM, weizhong qiang wrote: hi Robert and others, See the attachment for more complete test case of generating and reading a key. I found if I set the isPerm parameter to be PR_FALSE (see line 78 of the test case), the private key is not sensitive. If I set the isPerm parameter to be PR_TRUE, then not mater the IsSensitive (the next parameter after isPerm) is PR_TRUE or PR_FALSE, the private key always sensitive. Is it a feature? Thanks and Best Regards, Weizhong Qiang test_nssprivatekey.cpp On Jan 28, 2012, at 4:16 PM, weizhong qiang wrote: hi, On Jan 27, 2012, at 6:52 PM, Robert Relyea wrote: On 01/26/2012 11:53 PM, weizhong qiang wrote: hi, I did found that the CKA_SENSITIVE is true by using the following code: rv = PK11_ReadRawAttribute(PK11_TypePrivKey, privKey, CKA_SENSITIVE,value); if (rv != SECSuccess) { NSSUtilLogger.msg(ERROR, Failed to read CKA_SENSITIVE attribute from private key.); } if ((value.len == 1) (value.data != NULL)) std::cout !!(*(CK_BBOOL*)value.data)std::endl; But I did set sensitive parameter to be PR_FALSE when generate the key pair, see the following: *privk = PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN,rsaParams, pubk, PR_FALSE, PR_FALSE, NULL); How could the key still be sensitive? Is there anywhere that I should set? Hmm, your right, that doesn't seem right. Do you have a simple test case that reproduces this? Yes, Please see the following attachment for the test case. If you would help, you need to change the path of nss db, and certname, password etc. mail_about_privatekey.rtf Also which version of NSS are you running? Name: NSS Description: Mozilla Network Security Services Version: 3.12.9+ckbi-1.82 Are you sure that slot points to the internal token? Yes, you can see the code of test case, I explicitly point to the internal token. Are you in FIPS mode? (in which case you don't have a choice on sensitive or not). I did not enable FIPS mode. I suppose FIPS will not be enabled by default? Best Regard, Weizhong Qiang NSS uses exactly this method to generate a key it's going to load into a token that doesn't support CKM_RSA_PKCS_KEY_PAIR_GEN. bob Best Regards Weizhong Qiang On Jan 26, 2012, at 6:57 PM, Robert Relyea wrote: On 01/26/2012 07:55 AM, weizhong qiang wrote: On Jan 26, 2012, at 4:44 PM, helpcrypto helpcrypto wrote: AFAIK, returning or not the attributes from an object, depends on the token. Everything I am operating is on the nss internal softoken. Right softoken enforces good hygiene. In truth, access to those attributes are controlled through a couple of other attributes: CKA_PRIVATE - access to the object requires authentication. CKA_SENSITIVE - direct access to the sensitive/private attributes of this object is prohibitted. CKA_EXTRACTABLE - this object can be extracted from the token. If Private is set, then you need to log in to do any of the actions below. If both Sensitve and Extractable is set, then you can extract the object by wrapping it, but you can't access the unencrypted attributes. If Senstive is FALSE and Extractable is TRUE, you can either extract the object by wrapping it, or by reading the attributes directly. If Extractable is FALSE, then you can't extract the object at all (either by wrapping it or by reading the attributes directly). Most tokens set Extratable to FALSE. bob I recommend you reading about CKO_PRIVATE_KEY on PKCS#11 standard to understand what can be happening. For example if token=card, CKA_PRIME_1 *musnt* be on the card, as far is not *needed* to do cryptographic operations. El día 26 de enero de 2012 14:08, weizhong qiang weizhongqi...@gmail.com escribió: hi, Is there a fact that nss does not permit the reading of the attribute CKA_PRIVATE_EXPONENT, CKA_PRIME_1, etc.? Because with all of the eight attributes, it is possible to compose the content of the private key, but the outputting of private key is not allowed in nss? Thanks and Best Regards, Weizhong Qiang On Jan 26, 2012, at 9:43 AM, helpcrypto helpcrypto wrote: Is eny error shown at NSSUtilLogger.msg(ERROR, Failed to read attribute %x from private key., type); ? El día 25 de enero de 2012 17:04, weizhong qiang weizhongqi...@gmail.com escribió: hi all, I tried to get the attributes from a private key (see the following code piece). But only the CKA_MODULUS and CKA_PUBLIC_EXPONENT can be got, others (CKA_PRIVATE_EXPONENT etc.) can not be got. Could you tell me how to solve it? By the way, I generate rsa key pair without sensitive (PK11_GenerateKeyPair(slot,
Re: how to get CKA_PRIVATE_EXPONENT attribute from a private key?
hi Robert and others, See the attachment for more complete test case of generating and reading a key. I found if I set the isPerm parameter to be PR_FALSE (see line 78 of the test case), the private key is not sensitive. If I set the isPerm parameter to be PR_TRUE, then not mater the IsSensitive (the next parameter after isPerm) is PR_TRUE or PR_FALSE, the private key always sensitive. Is it a feature? Thanks and Best Regards, Weizhong Qiang On Jan 28, 2012, at 4:16 PM, weizhong qiang wrote: hi, On Jan 27, 2012, at 6:52 PM, Robert Relyea wrote: On 01/26/2012 11:53 PM, weizhong qiang wrote: hi, I did found that the CKA_SENSITIVE is true by using the following code: rv = PK11_ReadRawAttribute(PK11_TypePrivKey, privKey, CKA_SENSITIVE,value); if (rv != SECSuccess) { NSSUtilLogger.msg(ERROR, Failed to read CKA_SENSITIVE attribute from private key.); } if ((value.len == 1) (value.data != NULL)) std::cout !!(*(CK_BBOOL*)value.data)std::endl; But I did set sensitive parameter to be PR_FALSE when generate the key pair, see the following: *privk = PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN,rsaParams, pubk, PR_FALSE, PR_FALSE, NULL); How could the key still be sensitive? Is there anywhere that I should set? Hmm, your right, that doesn't seem right. Do you have a simple test case that reproduces this? Yes, Please see the following attachment for the test case. If you would help, you need to change the path of nss db, and certname, password etc. mail_about_privatekey.rtf Also which version of NSS are you running? Name: NSS Description: Mozilla Network Security Services Version: 3.12.9+ckbi-1.82 Are you sure that slot points to the internal token? Yes, you can see the code of test case, I explicitly point to the internal token. Are you in FIPS mode? (in which case you don't have a choice on sensitive or not). I did not enable FIPS mode. I suppose FIPS will not be enabled by default? Best Regard, Weizhong Qiang NSS uses exactly this method to generate a key it's going to load into a token that doesn't support CKM_RSA_PKCS_KEY_PAIR_GEN. bob Best Regards Weizhong Qiang On Jan 26, 2012, at 6:57 PM, Robert Relyea wrote: On 01/26/2012 07:55 AM, weizhong qiang wrote: On Jan 26, 2012, at 4:44 PM, helpcrypto helpcrypto wrote: AFAIK, returning or not the attributes from an object, depends on the token. Everything I am operating is on the nss internal softoken. Right softoken enforces good hygiene. In truth, access to those attributes are controlled through a couple of other attributes: CKA_PRIVATE - access to the object requires authentication. CKA_SENSITIVE - direct access to the sensitive/private attributes of this object is prohibitted. CKA_EXTRACTABLE - this object can be extracted from the token. If Private is set, then you need to log in to do any of the actions below. If both Sensitve and Extractable is set, then you can extract the object by wrapping it, but you can't access the unencrypted attributes. If Senstive is FALSE and Extractable is TRUE, you can either extract the object by wrapping it, or by reading the attributes directly. If Extractable is FALSE, then you can't extract the object at all (either by wrapping it or by reading the attributes directly). Most tokens set Extratable to FALSE. bob I recommend you reading about CKO_PRIVATE_KEY on PKCS#11 standard to understand what can be happening. For example if token=card, CKA_PRIME_1 *musnt* be on the card, as far is not *needed* to do cryptographic operations. El día 26 de enero de 2012 14:08, weizhong qiang weizhongqi...@gmail.com escribió: hi, Is there a fact that nss does not permit the reading of the attribute CKA_PRIVATE_EXPONENT, CKA_PRIME_1, etc.? Because with all of the eight attributes, it is possible to compose the content of the private key, but the outputting of private key is not allowed in nss? Thanks and Best Regards, Weizhong Qiang On Jan 26, 2012, at 9:43 AM, helpcrypto helpcrypto wrote: Is eny error shown at NSSUtilLogger.msg(ERROR, Failed to read attribute %x from private key., type); ? El día 25 de enero de 2012 17:04, weizhong qiang weizhongqi...@gmail.com escribió: hi all, I tried to get the attributes from a private key (see the following code piece). But only the CKA_MODULUS and CKA_PUBLIC_EXPONENT can be got, others (CKA_PRIVATE_EXPONENT etc.) can not be got. Could you tell me how to solve it? By the way, I generate rsa key pair without sensitive (PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN,rsaParams, pubk, PR_TRUE, PR_FALSE, NULL); ), so I suppose the private key is not protected by password, and can be output? Best Regards, Weizhong Qiang // static bool ReadPrivKeyAttribute(SECKEYPrivateKey* key, CK_ATTRIBUTE_TYPE type,
Re: how to get CKA_PRIVATE_EXPONENT attribute from a private key?
hi, On Jan 27, 2012, at 6:41 PM, Robert Relyea wrote: On 01/26/2012 06:50 PM, weizhong qiang wrote: hi, On Jan 26, 2012, at 6:28 PM, Robert Relyea wrote: On 01/26/2012 05:08 AM, weizhong qiang wrote: hi, Is there a fact that nss does not permit the reading of the attribute CKA_PRIVATE_EXPONENT, CKA_PRIME_1, etc.? Because with all of the eight attributes, it is possible to compose the content of the private key, but the outputting of private key is not allowed in nss? Thanks and Best Regards, Weizhong Qiang These are private attributes. You are correct, applications aren't allowed to get them. It's bad security hygene to access private cryptographic components in the application itself, thought it's almost the first thing new crypto programmers try to do. My real question here is Why do you want to get the CKA_PRIVATE_EXPONENT? I need to get CKA_PRIVATE_EXPONENT and some other private attributes, in order to compute the private key, so as to output this private key without encryption. I just knew that nss itself does not support the outputting of private key without encryption. Right. That is how NSS enforces that semantic. The outputting of private key that nss support is only the pk12 that requires encryption of private key. I reason I want to do this is that I use the certificate in nss softoken to sign a proxy certificate (rfc 3820), and then I need to output the private key (generate by nss) that is relevant to this proxy certificate. I'm still not clear why the key needs to be in the clear. Are you trying to use the key with some other software? All major crypto toolkits allow importing keys using pkcs 12, or is the proxy using your own code (which is really a bad idea given the plethera of tested and available open source crypto libraries out there). In the Grid computing area, the private key of proxy (a proxy includes both X509 and private key) by default needs to be un-encrypted, so that the delegation can be processed automatically (see: http://globus.org/toolkit/docs/4.0/security/key-index.html). Before the proxy normally is generated by the file-based certificate and key, now we need it to be generated by the credential from nss softoken. I am using nss API to achieve this. To clarify my problem, I use nss API to generate a proxy (i.e., a RSA key pair is generated inside nss, and then the public key is used for an EEC credential in nss DB to sign a proxy certificate), but since the private key is still inside nss db, I need to output the private key together with the signed certificate. PKCS12 is the option for outputting, but the private key encryption is not needed for me here, because a private key of proxy must not be encrypted. So that is the reason why I need to output a un-encrypted key. Best Regards Weizhong Qiang bob Best Regards, Weizhong Qiang bob -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: how to get CKA_PRIVATE_EXPONENT attribute from a private key?
hi, On Jan 27, 2012, at 6:52 PM, Robert Relyea wrote: On 01/26/2012 11:53 PM, weizhong qiang wrote: hi, I did found that the CKA_SENSITIVE is true by using the following code: rv = PK11_ReadRawAttribute(PK11_TypePrivKey, privKey, CKA_SENSITIVE,value); if (rv != SECSuccess) { NSSUtilLogger.msg(ERROR, Failed to read CKA_SENSITIVE attribute from private key.); } if ((value.len == 1) (value.data != NULL)) std::cout !!(*(CK_BBOOL*)value.data)std::endl; But I did set sensitive parameter to be PR_FALSE when generate the key pair, see the following: *privk = PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN,rsaParams, pubk, PR_FALSE, PR_FALSE, NULL); How could the key still be sensitive? Is there anywhere that I should set? Hmm, your right, that doesn't seem right. Do you have a simple test case that reproduces this? Yes, Please see the following attachment for the test case. If you would help, you need to change the path of nss db, and certname, password etc. Also which version of NSS are you running? Name: NSS Description: Mozilla Network Security Services Version: 3.12.9+ckbi-1.82 Are you sure that slot points to the internal token? Yes, you can see the code of test case, I explicitly point to the internal token. Are you in FIPS mode? (in which case you don't have a choice on sensitive or not). I did not enable FIPS mode. I suppose FIPS will not be enabled by default? Best Regard, Weizhong Qiang NSS uses exactly this method to generate a key it's going to load into a token that doesn't support CKM_RSA_PKCS_KEY_PAIR_GEN. bob Best Regards Weizhong Qiang On Jan 26, 2012, at 6:57 PM, Robert Relyea wrote: On 01/26/2012 07:55 AM, weizhong qiang wrote: On Jan 26, 2012, at 4:44 PM, helpcrypto helpcrypto wrote: AFAIK, returning or not the attributes from an object, depends on the token. Everything I am operating is on the nss internal softoken. Right softoken enforces good hygiene. In truth, access to those attributes are controlled through a couple of other attributes: CKA_PRIVATE - access to the object requires authentication. CKA_SENSITIVE - direct access to the sensitive/private attributes of this object is prohibitted. CKA_EXTRACTABLE - this object can be extracted from the token. If Private is set, then you need to log in to do any of the actions below. If both Sensitve and Extractable is set, then you can extract the object by wrapping it, but you can't access the unencrypted attributes. If Senstive is FALSE and Extractable is TRUE, you can either extract the object by wrapping it, or by reading the attributes directly. If Extractable is FALSE, then you can't extract the object at all (either by wrapping it or by reading the attributes directly). Most tokens set Extratable to FALSE. bob I recommend you reading about CKO_PRIVATE_KEY on PKCS#11 standard to understand what can be happening. For example if token=card, CKA_PRIME_1 *musnt* be on the card, as far is not *needed* to do cryptographic operations. El día 26 de enero de 2012 14:08, weizhong qiang weizhongqi...@gmail.com escribió: hi, Is there a fact that nss does not permit the reading of the attribute CKA_PRIVATE_EXPONENT, CKA_PRIME_1, etc.? Because with all of the eight attributes, it is possible to compose the content of the private key, but the outputting of private key is not allowed in nss? Thanks and Best Regards, Weizhong Qiang On Jan 26, 2012, at 9:43 AM, helpcrypto helpcrypto wrote: Is eny error shown at NSSUtilLogger.msg(ERROR, Failed to read attribute %x from private key., type); ? El día 25 de enero de 2012 17:04, weizhong qiang weizhongqi...@gmail.com escribió: hi all, I tried to get the attributes from a private key (see the following code piece). But only the CKA_MODULUS and CKA_PUBLIC_EXPONENT can be got, others (CKA_PRIVATE_EXPONENT etc.) can not be got. Could you tell me how to solve it? By the way, I generate rsa key pair without sensitive (PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN,rsaParams, pubk, PR_TRUE, PR_FALSE, NULL); ), so I suppose the private key is not protected by password, and can be output? Best Regards, Weizhong Qiang // static bool ReadPrivKeyAttribute(SECKEYPrivateKey* key, CK_ATTRIBUTE_TYPE type, std::vectoruint8* output) { SECItem item; SECStatus rv; rv = PK11_ReadRawAttribute(PK11_TypePrivKey, key, type,item); if (rv != SECSuccess) { NSSUtilLogger.msg(ERROR, Failed to read attribute %x from private key., type); return false; } output-assign(item.data, item.data + item.len); SECITEM_FreeItem(item, PR_FALSE); return true; } static bool ExportPrivateKey(SECKEYPrivateKey* key, std::vectoruint8* output) { PrivateKeyInfoCodec private_key_info(true); // Manually read the component
Re: how to get CKA_PRIVATE_EXPONENT attribute from a private key?
On 01/26/2012 06:50 PM, weizhong qiang wrote: hi, On Jan 26, 2012, at 6:28 PM, Robert Relyea wrote: On 01/26/2012 05:08 AM, weizhong qiang wrote: hi, Is there a fact that nss does not permit the reading of the attribute CKA_PRIVATE_EXPONENT, CKA_PRIME_1, etc.? Because with all of the eight attributes, it is possible to compose the content of the private key, but the outputting of private key is not allowed in nss? Thanks and Best Regards, Weizhong Qiang These are private attributes. You are correct, applications aren't allowed to get them. It's bad security hygene to access private cryptographic components in the application itself, thought it's almost the first thing new crypto programmers try to do. My real question here is Why do you want to get the CKA_PRIVATE_EXPONENT? I need to get CKA_PRIVATE_EXPONENT and some other private attributes, in order to compute the private key, so as to output this private key without encryption. I just knew that nss itself does not support the outputting of private key without encryption. Right. That is how NSS enforces that semantic. The outputting of private key that nss support is only the pk12 that requires encryption of private key. I reason I want to do this is that I use the certificate in nss softoken to sign a proxy certificate (rfc 3820), and then I need to output the private key (generate by nss) that is relevant to this proxy certificate. I'm still not clear why the key needs to be in the clear. Are you trying to use the key with some other software? All major crypto toolkits allow importing keys using pkcs 12, or is the proxy using your own code (which is really a bad idea given the plethera of tested and available open source crypto libraries out there). bob Best Regards, Weizhong Qiang bob -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: how to get CKA_PRIVATE_EXPONENT attribute from a private key?
On 01/26/2012 11:53 PM, weizhong qiang wrote: hi, I did found that the CKA_SENSITIVE is true by using the following code: rv = PK11_ReadRawAttribute(PK11_TypePrivKey, privKey, CKA_SENSITIVE,value); if (rv != SECSuccess) { NSSUtilLogger.msg(ERROR, Failed to read CKA_SENSITIVE attribute from private key.); } if ((value.len == 1) (value.data != NULL)) std::cout !!(*(CK_BBOOL*)value.data)std::endl; But I did set sensitive parameter to be PR_FALSE when generate the key pair, see the following: *privk = PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN,rsaParams, pubk, PR_FALSE, PR_FALSE, NULL); How could the key still be sensitive? Is there anywhere that I should set? Hmm, your right, that doesn't seem right. Do you have a simple test case that reproduces this? Also which version of NSS are you running? Are you sure that slot points to the internal token? Are you in FIPS mode? (in which case you don't have a choice on sensitive or not). NSS uses exactly this method to generate a key it's going to load into a token that doesn't support CKM_RSA_PKCS_KEY_PAIR_GEN. bob Best Regards Weizhong Qiang On Jan 26, 2012, at 6:57 PM, Robert Relyea wrote: On 01/26/2012 07:55 AM, weizhong qiang wrote: On Jan 26, 2012, at 4:44 PM, helpcrypto helpcrypto wrote: AFAIK, returning or not the attributes from an object, depends on the token. Everything I am operating is on the nss internal softoken. Right softoken enforces good hygiene. In truth, access to those attributes are controlled through a couple of other attributes: CKA_PRIVATE - access to the object requires authentication. CKA_SENSITIVE - direct access to the sensitive/private attributes of this object is prohibitted. CKA_EXTRACTABLE - this object can be extracted from the token. If Private is set, then you need to log in to do any of the actions below. If both Sensitve and Extractable is set, then you can extract the object by wrapping it, but you can't access the unencrypted attributes. If Senstive is FALSE and Extractable is TRUE, you can either extract the object by wrapping it, or by reading the attributes directly. If Extractable is FALSE, then you can't extract the object at all (either by wrapping it or by reading the attributes directly). Most tokens set Extratable to FALSE. bob I recommend you reading about CKO_PRIVATE_KEY on PKCS#11 standard to understand what can be happening. For example if token=card, CKA_PRIME_1 *musnt* be on the card, as far is not *needed* to do cryptographic operations. El día 26 de enero de 2012 14:08, weizhong qiang weizhongqi...@gmail.com escribió: hi, Is there a fact that nss does not permit the reading of the attribute CKA_PRIVATE_EXPONENT, CKA_PRIME_1, etc.? Because with all of the eight attributes, it is possible to compose the content of the private key, but the outputting of private key is not allowed in nss? Thanks and Best Regards, Weizhong Qiang On Jan 26, 2012, at 9:43 AM, helpcrypto helpcrypto wrote: Is eny error shown at NSSUtilLogger.msg(ERROR, Failed to read attribute %x from private key., type); ? El día 25 de enero de 2012 17:04, weizhong qiang weizhongqi...@gmail.com escribió: hi all, I tried to get the attributes from a private key (see the following code piece). But only the CKA_MODULUS and CKA_PUBLIC_EXPONENT can be got, others (CKA_PRIVATE_EXPONENT etc.) can not be got. Could you tell me how to solve it? By the way, I generate rsa key pair without sensitive (PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN,rsaParams, pubk, PR_TRUE, PR_FALSE, NULL); ), so I suppose the private key is not protected by password, and can be output? Best Regards, Weizhong Qiang // static bool ReadPrivKeyAttribute(SECKEYPrivateKey* key, CK_ATTRIBUTE_TYPE type, std::vectoruint8* output) { SECItem item; SECStatus rv; rv = PK11_ReadRawAttribute(PK11_TypePrivKey, key, type,item); if (rv != SECSuccess) { NSSUtilLogger.msg(ERROR, Failed to read attribute %x from private key., type); return false; } output-assign(item.data, item.data + item.len); SECITEM_FreeItem(item, PR_FALSE); return true; } static bool ExportPrivateKey(SECKEYPrivateKey* key, std::vectoruint8* output) { PrivateKeyInfoCodec private_key_info(true); // Manually read the component attributes of the private key and build up // the PrivateKeyInfo. if (!ReadPrivKeyAttribute(key, CKA_MODULUS, private_key_info.modulus()) || !ReadPrivKeyAttribute(key, CKA_PUBLIC_EXPONENT, private_key_info.public_exponent()) || !ReadPrivKeyAttribute(key, CKA_PRIVATE_EXPONENT, private_key_info.private_exponent()) || !ReadPrivKeyAttribute(key, CKA_PRIME_1, private_key_info.prime1()) || !ReadPrivKeyAttribute(key, CKA_PRIME_2, private_key_info.prime2()) || !ReadPrivKeyAttribute(key, CKA_EXPONENT_1, private_key_info.exponent1()) ||
Re: how to get CKA_PRIVATE_EXPONENT attribute from a private key?
Is eny error shown at NSSUtilLogger.msg(ERROR, Failed to read attribute %x from private key., type); ? El día 25 de enero de 2012 17:04, weizhong qiang weizhongqi...@gmail.com escribió: hi all, I tried to get the attributes from a private key (see the following code piece). But only the CKA_MODULUS and CKA_PUBLIC_EXPONENT can be got, others (CKA_PRIVATE_EXPONENT etc.) can not be got. Could you tell me how to solve it? By the way, I generate rsa key pair without sensitive (PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN, rsaParams, pubk, PR_TRUE, PR_FALSE, NULL); ), so I suppose the private key is not protected by password, and can be output? Best Regards, Weizhong Qiang // static bool ReadPrivKeyAttribute(SECKEYPrivateKey* key, CK_ATTRIBUTE_TYPE type, std::vectoruint8* output) { SECItem item; SECStatus rv; rv = PK11_ReadRawAttribute(PK11_TypePrivKey, key, type, item); if (rv != SECSuccess) { NSSUtilLogger.msg(ERROR, Failed to read attribute %x from private key., type); return false; } output-assign(item.data, item.data + item.len); SECITEM_FreeItem(item, PR_FALSE); return true; } static bool ExportPrivateKey(SECKEYPrivateKey* key, std::vectoruint8* output) { PrivateKeyInfoCodec private_key_info(true); // Manually read the component attributes of the private key and build up // the PrivateKeyInfo. if (!ReadPrivKeyAttribute(key, CKA_MODULUS, private_key_info.modulus()) || !ReadPrivKeyAttribute(key, CKA_PUBLIC_EXPONENT, private_key_info.public_exponent()) || !ReadPrivKeyAttribute(key, CKA_PRIVATE_EXPONENT, private_key_info.private_exponent()) || !ReadPrivKeyAttribute(key, CKA_PRIME_1, private_key_info.prime1()) || !ReadPrivKeyAttribute(key, CKA_PRIME_2, private_key_info.prime2()) || !ReadPrivKeyAttribute(key, CKA_EXPONENT_1, private_key_info.exponent1()) || !ReadPrivKeyAttribute(key, CKA_EXPONENT_2, private_key_info.exponent2()) || !ReadPrivKeyAttribute(key, CKA_COEFFICIENT, private_key_info.coefficient())) { return false; } return private_key_info.Export(output); } -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: how to get CKA_PRIVATE_EXPONENT attribute from a private key?
Hi, It gives number 123, which is the type CKA_PRIVATE_EXPONENT. Thanks Weizhong qiang 在 2012-1-26 下午4:43,helpcrypto helpcrypto helpcry...@gmail.com写道: Is eny error shown at NSSUtilLogger.msg(ERROR, Failed to read attribute %x from private key., type); ? El día 25 de enero de 2012 17:04, weizhong qiang weizhongqi...@gmail.com escribió: hi all, I tried to get the attributes from a private key (see the following code piece). But only the CKA_MODULUS and CKA_PUBLIC_EXPONENT can be got, others (CKA_PRIVATE_EXPONENT etc.) can not be got. Could you tell me how to solve it? By the way, I generate rsa key pair without sensitive (PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN, rsaParams, pubk, PR_TRUE, PR_FALSE, NULL); ), so I suppose the private key is not protected by password, and can be output? Best Regards, Weizhong Qiang // static bool ReadPrivKeyAttribute(SECKEYPrivateKey* key, CK_ATTRIBUTE_TYPE type, std::vectoruint8* output) { SECItem item; SECStatus rv; rv = PK11_ReadRawAttribute(PK11_TypePrivKey, key, type, item); if (rv != SECSuccess) { NSSUtilLogger.msg(ERROR, Failed to read attribute %x from private key., type); return false; } output-assign(item.data, item.data + item.len); SECITEM_FreeItem(item, PR_FALSE); return true; } static bool ExportPrivateKey(SECKEYPrivateKey* key, std::vectoruint8* output) { PrivateKeyInfoCodec private_key_info(true); // Manually read the component attributes of the private key and build up // the PrivateKeyInfo. if (!ReadPrivKeyAttribute(key, CKA_MODULUS, private_key_info.modulus()) || !ReadPrivKeyAttribute(key, CKA_PUBLIC_EXPONENT, private_key_info.public_exponent()) || !ReadPrivKeyAttribute(key, CKA_PRIVATE_EXPONENT, private_key_info.private_exponent()) || !ReadPrivKeyAttribute(key, CKA_PRIME_1, private_key_info.prime1()) || !ReadPrivKeyAttribute(key, CKA_PRIME_2, private_key_info.prime2()) || !ReadPrivKeyAttribute(key, CKA_EXPONENT_1, private_key_info.exponent1()) || !ReadPrivKeyAttribute(key, CKA_EXPONENT_2, private_key_info.exponent2()) || !ReadPrivKeyAttribute(key, CKA_COEFFICIENT, private_key_info.coefficient())) { return false; } return private_key_info.Export(output); } -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: how to get CKA_PRIVATE_EXPONENT attribute from a private key?
my mistake. i mean the RV value -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: how to get CKA_PRIVATE_EXPONENT attribute from a private key?
The rv value gives SECFailure. Thanks 在 2012-1-26 下午5:29,helpcrypto helpcrypto helpcry...@gmail.com写道: my mistake. i mean the RV value -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: how to get CKA_PRIVATE_EXPONENT attribute from a private key?
hi, Is there a fact that nss does not permit the reading of the attribute CKA_PRIVATE_EXPONENT, CKA_PRIME_1, etc.? Because with all of the eight attributes, it is possible to compose the content of the private key, but the outputting of private key is not allowed in nss? Thanks and Best Regards, Weizhong Qiang On Jan 26, 2012, at 9:43 AM, helpcrypto helpcrypto wrote: Is eny error shown at NSSUtilLogger.msg(ERROR, Failed to read attribute %x from private key., type); ? El día 25 de enero de 2012 17:04, weizhong qiang weizhongqi...@gmail.com escribió: hi all, I tried to get the attributes from a private key (see the following code piece). But only the CKA_MODULUS and CKA_PUBLIC_EXPONENT can be got, others (CKA_PRIVATE_EXPONENT etc.) can not be got. Could you tell me how to solve it? By the way, I generate rsa key pair without sensitive (PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN, rsaParams, pubk, PR_TRUE, PR_FALSE, NULL); ), so I suppose the private key is not protected by password, and can be output? Best Regards, Weizhong Qiang // static bool ReadPrivKeyAttribute(SECKEYPrivateKey* key, CK_ATTRIBUTE_TYPE type, std::vectoruint8* output) { SECItem item; SECStatus rv; rv = PK11_ReadRawAttribute(PK11_TypePrivKey, key, type, item); if (rv != SECSuccess) { NSSUtilLogger.msg(ERROR, Failed to read attribute %x from private key., type); return false; } output-assign(item.data, item.data + item.len); SECITEM_FreeItem(item, PR_FALSE); return true; } static bool ExportPrivateKey(SECKEYPrivateKey* key, std::vectoruint8* output) { PrivateKeyInfoCodec private_key_info(true); // Manually read the component attributes of the private key and build up // the PrivateKeyInfo. if (!ReadPrivKeyAttribute(key, CKA_MODULUS, private_key_info.modulus()) || !ReadPrivKeyAttribute(key, CKA_PUBLIC_EXPONENT, private_key_info.public_exponent()) || !ReadPrivKeyAttribute(key, CKA_PRIVATE_EXPONENT, private_key_info.private_exponent()) || !ReadPrivKeyAttribute(key, CKA_PRIME_1, private_key_info.prime1()) || !ReadPrivKeyAttribute(key, CKA_PRIME_2, private_key_info.prime2()) || !ReadPrivKeyAttribute(key, CKA_EXPONENT_1, private_key_info.exponent1()) || !ReadPrivKeyAttribute(key, CKA_EXPONENT_2, private_key_info.exponent2()) || !ReadPrivKeyAttribute(key, CKA_COEFFICIENT, private_key_info.coefficient())) { return false; } return private_key_info.Export(output); } -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: how to get CKA_PRIVATE_EXPONENT attribute from a private key?
AFAIK, returning or not the attributes from an object, depends on the token. I recommend you reading about CKO_PRIVATE_KEY on PKCS#11 standard to understand what can be happening. For example if token=card, CKA_PRIME_1 *musnt* be on the card, as far is not *needed* to do cryptographic operations. El día 26 de enero de 2012 14:08, weizhong qiang weizhongqi...@gmail.com escribió: hi, Is there a fact that nss does not permit the reading of the attribute CKA_PRIVATE_EXPONENT, CKA_PRIME_1, etc.? Because with all of the eight attributes, it is possible to compose the content of the private key, but the outputting of private key is not allowed in nss? Thanks and Best Regards, Weizhong Qiang On Jan 26, 2012, at 9:43 AM, helpcrypto helpcrypto wrote: Is eny error shown at NSSUtilLogger.msg(ERROR, Failed to read attribute %x from private key., type); ? El día 25 de enero de 2012 17:04, weizhong qiang weizhongqi...@gmail.com escribió: hi all, I tried to get the attributes from a private key (see the following code piece). But only the CKA_MODULUS and CKA_PUBLIC_EXPONENT can be got, others (CKA_PRIVATE_EXPONENT etc.) can not be got. Could you tell me how to solve it? By the way, I generate rsa key pair without sensitive (PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN, rsaParams, pubk, PR_TRUE, PR_FALSE, NULL); ), so I suppose the private key is not protected by password, and can be output? Best Regards, Weizhong Qiang // static bool ReadPrivKeyAttribute(SECKEYPrivateKey* key, CK_ATTRIBUTE_TYPE type, std::vectoruint8* output) { SECItem item; SECStatus rv; rv = PK11_ReadRawAttribute(PK11_TypePrivKey, key, type, item); if (rv != SECSuccess) { NSSUtilLogger.msg(ERROR, Failed to read attribute %x from private key., type); return false; } output-assign(item.data, item.data + item.len); SECITEM_FreeItem(item, PR_FALSE); return true; } static bool ExportPrivateKey(SECKEYPrivateKey* key, std::vectoruint8* output) { PrivateKeyInfoCodec private_key_info(true); // Manually read the component attributes of the private key and build up // the PrivateKeyInfo. if (!ReadPrivKeyAttribute(key, CKA_MODULUS, private_key_info.modulus()) || !ReadPrivKeyAttribute(key, CKA_PUBLIC_EXPONENT, private_key_info.public_exponent()) || !ReadPrivKeyAttribute(key, CKA_PRIVATE_EXPONENT, private_key_info.private_exponent()) || !ReadPrivKeyAttribute(key, CKA_PRIME_1, private_key_info.prime1()) || !ReadPrivKeyAttribute(key, CKA_PRIME_2, private_key_info.prime2()) || !ReadPrivKeyAttribute(key, CKA_EXPONENT_1, private_key_info.exponent1()) || !ReadPrivKeyAttribute(key, CKA_EXPONENT_2, private_key_info.exponent2()) || !ReadPrivKeyAttribute(key, CKA_COEFFICIENT, private_key_info.coefficient())) { return false; } return private_key_info.Export(output); } -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: how to get CKA_PRIVATE_EXPONENT attribute from a private key?
On Jan 26, 2012, at 4:44 PM, helpcrypto helpcrypto wrote: AFAIK, returning or not the attributes from an object, depends on the token. Everything I am operating is on the nss internal softoken. I recommend you reading about CKO_PRIVATE_KEY on PKCS#11 standard to understand what can be happening. For example if token=card, CKA_PRIME_1 *musnt* be on the card, as far is not *needed* to do cryptographic operations. El día 26 de enero de 2012 14:08, weizhong qiang weizhongqi...@gmail.com escribió: hi, Is there a fact that nss does not permit the reading of the attribute CKA_PRIVATE_EXPONENT, CKA_PRIME_1, etc.? Because with all of the eight attributes, it is possible to compose the content of the private key, but the outputting of private key is not allowed in nss? Thanks and Best Regards, Weizhong Qiang On Jan 26, 2012, at 9:43 AM, helpcrypto helpcrypto wrote: Is eny error shown at NSSUtilLogger.msg(ERROR, Failed to read attribute %x from private key., type); ? El día 25 de enero de 2012 17:04, weizhong qiang weizhongqi...@gmail.com escribió: hi all, I tried to get the attributes from a private key (see the following code piece). But only the CKA_MODULUS and CKA_PUBLIC_EXPONENT can be got, others (CKA_PRIVATE_EXPONENT etc.) can not be got. Could you tell me how to solve it? By the way, I generate rsa key pair without sensitive (PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN, rsaParams, pubk, PR_TRUE, PR_FALSE, NULL); ), so I suppose the private key is not protected by password, and can be output? Best Regards, Weizhong Qiang // static bool ReadPrivKeyAttribute(SECKEYPrivateKey* key, CK_ATTRIBUTE_TYPE type, std::vectoruint8* output) { SECItem item; SECStatus rv; rv = PK11_ReadRawAttribute(PK11_TypePrivKey, key, type, item); if (rv != SECSuccess) { NSSUtilLogger.msg(ERROR, Failed to read attribute %x from private key., type); return false; } output-assign(item.data, item.data + item.len); SECITEM_FreeItem(item, PR_FALSE); return true; } static bool ExportPrivateKey(SECKEYPrivateKey* key, std::vectoruint8* output) { PrivateKeyInfoCodec private_key_info(true); // Manually read the component attributes of the private key and build up // the PrivateKeyInfo. if (!ReadPrivKeyAttribute(key, CKA_MODULUS, private_key_info.modulus()) || !ReadPrivKeyAttribute(key, CKA_PUBLIC_EXPONENT, private_key_info.public_exponent()) || !ReadPrivKeyAttribute(key, CKA_PRIVATE_EXPONENT, private_key_info.private_exponent()) || !ReadPrivKeyAttribute(key, CKA_PRIME_1, private_key_info.prime1()) || !ReadPrivKeyAttribute(key, CKA_PRIME_2, private_key_info.prime2()) || !ReadPrivKeyAttribute(key, CKA_EXPONENT_1, private_key_info.exponent1()) || !ReadPrivKeyAttribute(key, CKA_EXPONENT_2, private_key_info.exponent2()) || !ReadPrivKeyAttribute(key, CKA_COEFFICIENT, private_key_info.coefficient())) { return false; } return private_key_info.Export(output); } -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: how to get CKA_PRIVATE_EXPONENT attribute from a private key?
On 01/26/2012 07:55 AM, weizhong qiang wrote: On Jan 26, 2012, at 4:44 PM, helpcrypto helpcrypto wrote: AFAIK, returning or not the attributes from an object, depends on the token. Everything I am operating is on the nss internal softoken. Right softoken enforces good hygiene. In truth, access to those attributes are controlled through a couple of other attributes: CKA_PRIVATE - access to the object requires authentication. CKA_SENSITIVE - direct access to the sensitive/private attributes of this object is prohibitted. CKA_EXTRACTABLE - this object can be extracted from the token. If Private is set, then you need to log in to do any of the actions below. If both Sensitve and Extractable is set, then you can extract the object by wrapping it, but you can't access the unencrypted attributes. If Senstive is FALSE and Extractable is TRUE, you can either extract the object by wrapping it, or by reading the attributes directly. If Extractable is FALSE, then you can't extract the object at all (either by wrapping it or by reading the attributes directly). Most tokens set Extratable to FALSE. bob I recommend you reading about CKO_PRIVATE_KEY on PKCS#11 standard to understand what can be happening. For example if token=card, CKA_PRIME_1 *musnt* be on the card, as far is not *needed* to do cryptographic operations. El día 26 de enero de 2012 14:08, weizhong qiang weizhongqi...@gmail.com escribió: hi, Is there a fact that nss does not permit the reading of the attribute CKA_PRIVATE_EXPONENT, CKA_PRIME_1, etc.? Because with all of the eight attributes, it is possible to compose the content of the private key, but the outputting of private key is not allowed in nss? Thanks and Best Regards, Weizhong Qiang On Jan 26, 2012, at 9:43 AM, helpcrypto helpcrypto wrote: Is eny error shown at NSSUtilLogger.msg(ERROR, Failed to read attribute %x from private key., type); ? El día 25 de enero de 2012 17:04, weizhong qiang weizhongqi...@gmail.com escribió: hi all, I tried to get the attributes from a private key (see the following code piece). But only the CKA_MODULUS and CKA_PUBLIC_EXPONENT can be got, others (CKA_PRIVATE_EXPONENT etc.) can not be got. Could you tell me how to solve it? By the way, I generate rsa key pair without sensitive (PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN,rsaParams, pubk, PR_TRUE, PR_FALSE, NULL); ), so I suppose the private key is not protected by password, and can be output? Best Regards, Weizhong Qiang // static bool ReadPrivKeyAttribute(SECKEYPrivateKey* key, CK_ATTRIBUTE_TYPE type, std::vectoruint8* output) { SECItem item; SECStatus rv; rv = PK11_ReadRawAttribute(PK11_TypePrivKey, key, type,item); if (rv != SECSuccess) { NSSUtilLogger.msg(ERROR, Failed to read attribute %x from private key., type); return false; } output-assign(item.data, item.data + item.len); SECITEM_FreeItem(item, PR_FALSE); return true; } static bool ExportPrivateKey(SECKEYPrivateKey* key, std::vectoruint8* output) { PrivateKeyInfoCodec private_key_info(true); // Manually read the component attributes of the private key and build up // the PrivateKeyInfo. if (!ReadPrivKeyAttribute(key, CKA_MODULUS, private_key_info.modulus()) || !ReadPrivKeyAttribute(key, CKA_PUBLIC_EXPONENT, private_key_info.public_exponent()) || !ReadPrivKeyAttribute(key, CKA_PRIVATE_EXPONENT, private_key_info.private_exponent()) || !ReadPrivKeyAttribute(key, CKA_PRIME_1, private_key_info.prime1()) || !ReadPrivKeyAttribute(key, CKA_PRIME_2, private_key_info.prime2()) || !ReadPrivKeyAttribute(key, CKA_EXPONENT_1, private_key_info.exponent1()) || !ReadPrivKeyAttribute(key, CKA_EXPONENT_2, private_key_info.exponent2()) || !ReadPrivKeyAttribute(key, CKA_COEFFICIENT, private_key_info.coefficient())) { return false; } return private_key_info.Export(output); } -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: how to get CKA_PRIVATE_EXPONENT attribute from a private key?
On 01/26/2012 05:08 AM, weizhong qiang wrote: hi, Is there a fact that nss does not permit the reading of the attribute CKA_PRIVATE_EXPONENT, CKA_PRIME_1, etc.? Because with all of the eight attributes, it is possible to compose the content of the private key, but the outputting of private key is not allowed in nss? Thanks and Best Regards, Weizhong Qiang These are private attributes. You are correct, applications aren't allowed to get them. It's bad security hygene to access private cryptographic components in the application itself, thought it's almost the first thing new crypto programmers try to do. My real question here is Why do you want to get the CKA_PRIVATE_EXPONENT? bob -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: how to get CKA_PRIVATE_EXPONENT attribute from a private key?
hi, On Jan 26, 2012, at 6:28 PM, Robert Relyea wrote: On 01/26/2012 05:08 AM, weizhong qiang wrote: hi, Is there a fact that nss does not permit the reading of the attribute CKA_PRIVATE_EXPONENT, CKA_PRIME_1, etc.? Because with all of the eight attributes, it is possible to compose the content of the private key, but the outputting of private key is not allowed in nss? Thanks and Best Regards, Weizhong Qiang These are private attributes. You are correct, applications aren't allowed to get them. It's bad security hygene to access private cryptographic components in the application itself, thought it's almost the first thing new crypto programmers try to do. My real question here is Why do you want to get the CKA_PRIVATE_EXPONENT? I need to get CKA_PRIVATE_EXPONENT and some other private attributes, in order to compute the private key, so as to output this private key without encryption. I just knew that nss itself does not support the outputting of private key without encryption. The outputting of private key that nss support is only the pk12 that requires encryption of private key. I reason I want to do this is that I use the certificate in nss softoken to sign a proxy certificate (rfc 3820), and then I need to output the private key (generate by nss) that is relevant to this proxy certificate. Best Regards, Weizhong Qiang bob -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
how to get CKA_PRIVATE_EXPONENT attribute from a private key?
hi all, I tried to get the attributes from a private key (see the following code piece). But only the CKA_MODULUS and CKA_PUBLIC_EXPONENT can be got, others (CKA_PRIVATE_EXPONENT etc.) can not be got. Could you tell me how to solve it? By the way, I generate rsa key pair without sensitive (PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN, rsaParams, pubk, PR_TRUE, PR_FALSE, NULL); ), so I suppose the private key is not protected by password, and can be output? Best Regards, Weizhong Qiang // static bool ReadPrivKeyAttribute(SECKEYPrivateKey* key, CK_ATTRIBUTE_TYPE type, std::vectoruint8* output) { SECItem item; SECStatus rv; rv = PK11_ReadRawAttribute(PK11_TypePrivKey, key, type, item); if (rv != SECSuccess) { NSSUtilLogger.msg(ERROR, Failed to read attribute %x from private key., type); return false; } output-assign(item.data, item.data + item.len); SECITEM_FreeItem(item, PR_FALSE); return true; } static bool ExportPrivateKey(SECKEYPrivateKey* key, std::vectoruint8* output) { PrivateKeyInfoCodec private_key_info(true); // Manually read the component attributes of the private key and build up // the PrivateKeyInfo. if (!ReadPrivKeyAttribute(key, CKA_MODULUS, private_key_info.modulus()) || !ReadPrivKeyAttribute(key, CKA_PUBLIC_EXPONENT, private_key_info.public_exponent()) || !ReadPrivKeyAttribute(key, CKA_PRIVATE_EXPONENT, private_key_info.private_exponent()) || !ReadPrivKeyAttribute(key, CKA_PRIME_1, private_key_info.prime1()) || !ReadPrivKeyAttribute(key, CKA_PRIME_2, private_key_info.prime2()) || !ReadPrivKeyAttribute(key, CKA_EXPONENT_1, private_key_info.exponent1()) || !ReadPrivKeyAttribute(key, CKA_EXPONENT_2, private_key_info.exponent2()) || !ReadPrivKeyAttribute(key, CKA_COEFFICIENT, private_key_info.coefficient())) { return false; } return private_key_info.Export(output); } -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto