>Hmmm S/MIME uses DES3_CBC as:
>1.2.840.113549.2.7 I wonder what is different between ANSI-X9.42 and S/MIME?

I don't know. Any ideas how I can find out? I tried an internet search, but 
unsuccessfully up to now.

>> Now NSS does recognize the encryption algorithm used, but I get some 
>> unexplained results. First of all, the plain data which would be present in 
>> the returned ContentInfo structure is not 'plain' data at all, it seems to 
>> be encrypted still. It is other data than I entered into the function, so 
>> that leads me to believe that maybe the session key was not decrypted 
>> properly, or maybe the above added mechanism is wrong. Any help here?
>
>It's quite possible that ANSI x9.42 means something different than the 
>standard S/MIME function. If it is only the first 8 bytes of output that are 
>different, then it's most likely an issue with the IV (in CBC mode the rest of 
>the stream is self correcting). If ANSIx9.42 encodes the IV differently than 
>S/MIME, NSS will end up getting the wrong IV.

The entire output is different from what I expected (it still looks encrypted, but is one 
byte shorter; removed padding?), so could it be more than just an IV problem?

>> Also, if I do not provide a callback function for SEC_PKCS7DecodeItem, I get 
>> only the last 7 bytes of the 'decrypted' data in the data field of the 
>> returned SECItem structure, while the len field indicates that there should 
>> have been 15637 bytes. If I do provide a callback however, I can see that it 
>> gets called twice: the first time with 15630 bytes of data, the second time 
>> with the last 7 bytes. Is this (maybe) a bug?

>No, the callback is for streaming the data. The fact it will split up the 
>decoded output is normal.

I expected that, but I did not expect I could only get the last part of the 
decrypted data (with SEC_PKCS7GetContent) if I did not use the callback.

>Are you running inside something like a browser, or is this your own 
>application? If the latter, you should depend on the application's password 
>callback, if the latter you will need to provide your own. The description of 
>what actually happens sounds like you are inside a browser.

This is my own application, but it makes use (via secmod.db) of a pkcs#11 dll 
to access an IAR card which contains all the certificates and private keys. The 
dll itself puts up a message box if authentication is needed. I've verified 
that the CKF_PROTECTED_AUTHENTICATION_PATH flag in the token info flags is set, 
so NSS should be able to handle that. I do not think that this is part of the 
problem, as the token is indeed asking me for authentication (for the correct 
certificate even) when I call SEC_PKCS7DecodeItem.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
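The CBC property the reply relies on (a wrong IV corrupts only the first block, because P[i] = D(C[i]) XOR C[i-1] and every later block is chained from ciphertext, not from the IV), as an added example that is not code from the thread or from NSS. A toy Feistel cipher with 64-bit blocks stands in for 3DES, and the key, IV and message are constructed; the helper names are my own.

```python
import hashlib

BLOCK = 8  # 64-bit blocks, the DES-EDE3-CBC block size discussed in the thread

def _f(half: bytes, subkey: bytes) -> bytes:
    # Feistel round function; SHA-256 stands in for DES's S-boxes (toy cipher, not DES)
    return hashlib.sha256(subkey + half).digest()[:BLOCK // 2]

def _block_cipher(block: bytes, key: bytes, decrypt: bool) -> bytes:
    subkeys = [hashlib.sha256(key + bytes([i])).digest() for i in range(8)]
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for k in (reversed(subkeys) if decrypt else subkeys):
        l, r = r, bytes(a ^ b for a, b in zip(l, _f(r, k)))
    return r + l  # swapped output makes the same loop its own inverse

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    pad = BLOCK - len(plaintext) % BLOCK
    data = plaintext + bytes([pad]) * pad  # PKCS#7 padding, as CMS/S/MIME uses
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = _block_cipher(_xor(data[i:i + BLOCK], prev), key, False)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt_raw(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """CBC decryption without unpadding: P[i] = D(C[i]) XOR C[i-1], with C[-1] = IV."""
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(_block_cipher(c, key, True), prev))
        prev = c
    return b"".join(out)

def blocks_differing(key, iv, ciphertext, wrong_key, wrong_iv):
    """Indexes of plaintext blocks that change when decrypting with wrong key/IV."""
    good = cbc_decrypt_raw(key, iv, ciphertext)
    bad = cbc_decrypt_raw(wrong_key, wrong_iv, ciphertext)
    return [i for i in range(len(good) // BLOCK)
            if good[i * BLOCK:(i + 1) * BLOCK] != bad[i * BLOCK:(i + 1) * BLOCK]]

# Constructed sample: made-up key and IV, 26-byte message -> 4 padded blocks.
KEY, IV = b"constructed-key!", b"\x00\x11\x22\x33\x44\x55\x66\x77"
MSG = b"Content-Type: text/plain\r\n"
CT = cbc_encrypt(KEY, IV, MSG)
WRONG_IV = _xor(IV, b"\xff" * BLOCK)   # wrong IV: only block 0 is garbled
WRONG_KEY = b"another-key-0000"         # wrong session key: every block is garbled
```

Running `blocks_differing(KEY, IV, CT, KEY, WRONG_IV)` yields `[0]`, while the wrong-key call garbles all four blocks, which is the distinction the reply draws between an IV mismatch and a session key that was never decrypted correctly.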
