Dave Townsend wrote:
I've spent much of the afternoon delving through the NSS APIs trying to figure out how to achieve my goals. I'm basically working on signing and verifying data with public and private keys. I've figured that SGN_SignData and VFY_VerifyData are my friends (or should I be using the PK11_Sign/Verify functions, or even what are the sign and verify stuff in security/nss/lib/freebl about?)

Anyway, the basic issue is that I need a SECKEYPublicKey and SECKEYPrivateKey. I can see how to create them in NSS for use, and I've also found a technical note which suggests how to bring a public key into NSS; however, I don't see anything about serializing/restoring a private key or how to get a created public key out of NSS. Can anyone point me in the right direction?
Hi David,

You have 2 options when extracting the public key.

The first option is the preferred option: SECKEY_EncodeDERSubjectPublicKeyInfo(). It takes a public key and returns a SECItem which is a DER encoded blob that represents that public key, including the public key type. You can reimport such a blob with SECKEY_DecodeDERSubjectPublicKeyInfo() and SECKEY_ExtractPublicKey(). This option lets you save and restore public keys without having algorithm specific data in your application.

The second option is to examine the specific components in the SECKEYPublicKey object. Unfortunately the object is a public data structure, so the fields are available to the application. The definition is in keythi.h. In this case, your code would have to change to support any new public keys NSS supports.

Private keys are another matter. It is not possible to get private keys out of NSS unencrypted, and in some cases it is not possible to get private keys out of NSS at all (if they happened to be stored on a particular token). In this case the function you want is PK11_ExportEncryptedPrivateKeyInfo(). It uses a PBE to export the private key. If you have a fixed key, you can use PK11_WrapPrivKey() to get the private key out. NOTE: neither of these work if the private key is in a token which never releases the private key. To restore a private key, you can use PK11_ImportEncryptedPrivateKeyInfo() for the former and PK11_UnwrapPrivKey() for the latter.
bob
Dave
_______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto