Nelson Bolyard wrote:
So the real question is why the function succeeds after the 'forceslot'. At some point we need to implement an actual wrap operation. If the key was not successfully moved, that wrap operation should have failed.

Yes, please. You can put this text into the bug report, if you'd like. I just walked through that code again more carefully. It's definitely a bug. It's really a flaw in the design of the private function pk11_ForceSlot. That function can have any of the following outcomes:

As you can see from that description, a NULL return is entirely ambiguous. It means either a) the key is fine and no slot change is needed (SUCCESS), or b) the operation CANNOT succeed because the key is not in a slot that can do the requested mechanism (FAILURE).
What is more likely is it's falling back to 'handwrap' and the handwrap function is incorrectly encoding it in PKCS1-v1.5 rather than OAEP.
In general, don't expect early failures in pk11wrap code. It's pretty tenacious in order to support recalcitrant PKCS #11 modules. ;)
(BTW the bug is still valid, we either should have failed to wrap the key, or we should have produced correctly encoded OAEP).
bob
_______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto