Yevgeniy Gubenko wrote:
You can load a wrapped key from a 3rd party app, but that's not recommended. Your app should work with standard keys. Apps that aren't written to use the standard key interface can't use smart cards and will be viewed as deficient.

Thanks a lot for your answer. I still need some clarifications:

1. If I understand you right, when I have to use a predefined persistent key to do crypto with it, there is no way other than importing the key into a PKCS#11 token as a token object in the NSS db? (Even if the key is an input from a third-party application.)

Yes. Again, loading keys from the application level is also bad crypto hygiene. It makes it difficult to determine (from a systems point of view) if the app is properly handling the key life cycle. Keys should be acquired by the following means:

2. As you noticed, in FIPS mode symmetric keys may not be imported in plain, non-encrypted form. But if they should be encrypted before the import, there must be another key to encrypt the imported key with. But this key also must be stored in the PKCS#11 token, right? If so, should it be generated by NSS or be imported by itself?

Generated. Unwrapped. Derived.

3. Some other related question: when I try to export some symmetric key from NSS to a data file by: symkeyutil -E -n testaes -k aestest.txt -d . I get an exception: symkeyutil: Failure to load dynamic library. Any idea what can be wrong? Maybe my NSS libraries should be located in some specific folder which is transparent to the symkeyutil command?

1) symkeyutil is not complete (or even close to complete).

2) Exporting a key unencrypted is also considered a real no-no. Many tokens (including the FIPS token) do not allow it. Applications should not depend on this behavior.

bob
_______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto