David Allan wrote, On 2008-08-02 09:12:
> Hi all,
>
> I would like to port the client side of a client-server application from
> OpenSSL to NSS, but I've hit a snag:
>
> The client creates a symmetric key, encrypts it with the server's public
> key and transmits it to the server. The server, over which I have no
> control, expects the key to be encrypted with RSA OAEP.

So, you have a non-standard server that does not interoperate with standard clients. You probably knew that.

As you probably know, the IETF standards for SSL (TLS), including TLS 1.0 (RFC 2246), TLS 1.1 (RFC 4346), and TLS 1.2 (presently an Internet Draft, <ftp://ftp.rfc-editor.org/in-notes/internet-drafts/draft-ietf-tls-rfc4346-bis-10.txt>), all specify that the RSA encryption to be used is that specified in PKCS#1 v1.5 (or equivalently, as specified in PKCS#1 v 2.1 under the name RSASSA-PKCS1-v1_5), which is NOT OAEP, and is not interoperable with OAEP. A server that allows or requires OAEP encryption of RSA encrypted pre-master secrets is neither standards compliant nor interoperable with clients that are standards compliant. NSS doesn't provide for the use of OAEP in TLS because the standards don't allow it.

> I have successfully created a symmetric key, imported the server's public
> key, and wrapped the symmetric key using:
>
> PK11_PubWrapSymKey(CKM_RSA_PKCS_OAEP,
>                    RSAPublicKey,
>                    UnwrappedKey,
>                    WrappedKey);

I'd guess that call failed, right? Or are you using some third party PKCS#11 module that implements it? NSS's PKCS#11 module does not implement that mechanism.

> But the server rejects the key. After reading over posts to this list and
> the code, I believe that RSA OAEP is not yet supported by NSS. Is that
> correct?

The mechanism CKM_RSA_PKCS_OAEP is not implemented in NSS's PKCS#11 modules.

> Also, assuming that I'm correct in thinking that, can anybody suggest a
> workaround?

I think the first question to be answered is: Do you really want to be doing non-standard SSL/TLS? If the answer to that question is yes, then you're going to need to modify/customize any SSL/TLS implementation you find. No standards-compliant implementation will do that.

If the answer is yes, then you should change more than just the RSA algorithm used. You should change the cipher suite numbers used, so that you're not requiring the standard cipher suite numbers for PKCS#1 v1.5 RSA to be ambiguous and also mean OAEP.

You can either find a third party PKCS#11 module that does OAEP, or add that capability to NSS, or use some other TLS implementation completely.

If the server that is implementing this non-standard TLS is a product that is publicly available, I'd like to know what it is, so that the NSS team can be prepared for the inevitable non-interoperability complaints that it will generate. Please let us know.

Thanks.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
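The non-interoperability the reply describes comes down to two different padding layouts for the same RSA block. As an added illustration (not code from this thread, from NSS, or from any PKCS#11 module), here are both encodings from PKCS#1 v2.1 written out in Python with the receiver-side checks, so a key wrapped for one scheme visibly fails the other scheme's check. Assumed parameters: SHA-1 with MGF1-SHA1 and an empty label for OAEP, a 1024-bit modulus (k = 128), and a constructed 16-byte symmetric key.

```python
import hashlib, secrets

# EME-PKCS1-v1_5 (RFC 3447 7.2) is what TLS mandates for the RSA-encrypted
# pre-master secret; EME-OAEP (RFC 3447 7.1) is what CKM_RSA_PKCS_OAEP produces.
# Assumed parameters: SHA-1, MGF1-SHA1, empty label; k = modulus size in bytes.
H_LEN = 20
L_HASH = hashlib.sha1(b"").digest()  # lHash for the empty OAEP label

def mgf1(seed: bytes, length: int) -> bytes:
    """MGF1 mask generation function over SHA-1 (RFC 3447 B.2.1)."""
    blocks = (hashlib.sha1(seed + c.to_bytes(4, "big")).digest()
              for c in range((length + H_LEN - 1) // H_LEN))
    return b"".join(blocks)[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(msg: bytes, k: int, seed: bytes) -> bytes:
    """EME-OAEP: 00 || maskedSeed || maskedDB with DB = lHash || PS || 01 || M."""
    if len(msg) > k - 2 * H_LEN - 2:
        raise ValueError("message too long for OAEP")
    db = L_HASH + b"\x00" * (k - len(msg) - 2 * H_LEN - 2) + b"\x01" + msg
    masked_db = xor(db, mgf1(seed, k - H_LEN - 1))
    return b"\x00" + xor(seed, mgf1(masked_db, H_LEN)) + masked_db

def oaep_decode(em: bytes):
    """Receiver-side OAEP check; None means the block is rejected."""
    if len(em) < 2 * H_LEN + 2 or em[0] != 0:
        return None
    masked_seed, masked_db = em[1:1 + H_LEN], em[1 + H_LEN:]
    seed = xor(masked_seed, mgf1(masked_db, H_LEN))
    db = xor(masked_db, mgf1(seed, len(masked_db)))
    sep = db.find(b"\x01", H_LEN)
    if db[:H_LEN] != L_HASH or sep == -1 or any(db[H_LEN:sep]):
        return None  # lHash mismatch or bad PS: a v1.5 block lands here
    return db[sep + 1:]

def pkcs1_v15_encode(msg: bytes, k: int) -> bytes:
    """EME-PKCS1-v1_5: 00 || 02 || PS (>= 8 non-zero random bytes) || 00 || M."""
    if len(msg) > k - 11:
        raise ValueError("message too long for PKCS#1 v1.5")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(k - len(msg) - 3))
    return b"\x00\x02" + ps + b"\x00" + msg

def pkcs1_v15_decode(em: bytes):
    """Receiver-side check a standard TLS server applies; None means rejected."""
    if len(em) < 11 or em[0] != 0 or em[1] != 2:
        return None
    sep = em.find(b"\x00", 2)
    return None if sep == -1 or sep < 10 else em[sep + 1:]
```

Feeding a v1.5 block to `oaep_decode` fails the lHash comparison, and feeding an OAEP block to `pkcs1_v15_decode` never yields the original key, which is exactly what the server in the thread is seeing from the other side.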