Subrata Mazumdar wrote, On 2008-08-07 05:34:

Subrata, I apologize for not responding sooner.

> Is it possible to import the PKCS#8 file for private key  together with 
> the related X.509 cert file  using PK11_ImportEncryptedPrivateKeyInfo()?

Yes, it should be possible.

> I have tried and was not successful.
> The PKCS#8 file was created using the 
> PK11_ExportEncryptedPrivateKeyInfo(). 

One would hope that NSS can import what it exports. :)

> The PKCS#8 file is valid one - I tested it with OpenSSL.
> 
> Here is the code fragment that I have used :
>         CERTCertificate* keyCert = ....;
>         SECItem* publicValue = NULL;
>         SECKEYPublicKey* pubKey = CERT_ExtractPublicKey(keyCert);
>         KeyType keyType = pubKey->keyType;
>         publicValue = CERT_getPublicValueAndType(pubKey, &keyType); // My code
>         unsigned int  keyUsage = keyCert->keyUsage;
> 
>         SECItem pkcs8Pw; // Initialized with uuencoded password
>         SECKEYEncryptedPrivateKeyInfo* encPrivateKeyInfo = NULL; // initialized with PKCS#8 data
>         PRBool isPerm = PR_TRUE;
>         PRBool isPrivate = PR_TRUE;
>         PK11SlotInfo* slot = PK11_GetInternalSlot();

There's the problem (assuming you're not in FIPS mode).

>         srv = PK11_ImportEncryptedPrivateKeyInfo(
>                                 slot,
>                                 encPrivateKeyInfo, &pkcs8Pw,
>                                 &nicknameItem,
>                                 publicValue,
>                                 isPerm, isPrivate,
>                                 keyType, keyUsage,
>                                 NULL // I made sure that I am already authenticated to the token
>                                 );

NSS's "softoken" PKCS#11 module implements two slots, each with one
non-removable token (when not in FIPS mode, you're not using FIPS mode,
are you?)

The two slots/tokens have these names:

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

NSS offers two functions that return pointers to NSS's PK11SlotInfo objects
for those two slots.  Those functions are
   PK11SlotInfo *PK11_GetInternalSlot(void);
   PK11SlotInfo *PK11_GetInternalKeySlot(void);

The first of those functions (without the word Key in the name) returns a
pointer to the PK11SlotInfo object for the "Generic" token in the "Internal"
slot.  The other function (with the word Key in the name) returns a pointer
to the "Cert DB" token in the "Key and Cert Services" slot.

The tokens have these properties:
Generic:
  - no login is necessary or possible
  - does all cryptographic mechanisms
  - supports only session objects, not token objects.
    (In NSS parlance, it supports only certs for which the "isPerm"
     attribute is false.)
  - supports only public objects, not private objects (that is, it
    supports only objects whose CKA_PRIVATE attribute is false).
    Private objects are those that can only be accessed while logged in
    to the token. The CKA_PRIVATE attribute should not be confused with
    the CKO_PRIVATE_KEY object class.  They're very different.

Cert DB:
  - is a true superset of the capabilities of the generic token,
    does everything the generic token does, plus more.
  - supports both session and token objects ("isPerm" true or false)
  - supports both public and private objects
  - login is necessary to use private objects

When NSS's softoken module is in "FIPS mode", there is no "generic" token
because FIPS mode forbids operating without login.  Also, the cert DB token
forces all objects to be private objects, as FIPS requires.

Anyway, your sample code appears to be trying to import the key as a
"permanent" (token) object in the Generic slot, which doesn't support that.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
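To make the token rules in the reply concrete, here is an added example (not code from the thread or from NSS) that models the Generic and Cert DB tokens as described and reports why a given import request would be refused; the enum, struct and error names are the example's own, and the NSS calls each branch corresponds to are named in comments.

```c
#include <stdbool.h>

/* The two softoken tokens named in the reply. Hypothetical enum, not an NSS type. */
typedef enum { TOKEN_GENERIC, TOKEN_CERTDB } softoken_token;

/* Per-token capabilities exactly as the reply lists them (non-FIPS mode). */
typedef struct {
    const char *name;
    bool token_objects;    /* accepts isPerm == true       */
    bool private_objects;  /* accepts CKA_PRIVATE == true  */
} token_caps;

static const token_caps CAPS[2] = {
    { "NSS Generic Crypto Services", false, false },  /* PK11_GetInternalSlot()    */
    { "NSS Certificate DB",          true,  true  },  /* PK11_GetInternalKeySlot() */
};

typedef enum {
    IMPORT_OK,
    ERR_NO_GENERIC_IN_FIPS,  /* FIPS mode has no Generic token              */
    ERR_NO_TOKEN_OBJECTS,    /* isPerm on a token holding only session objects */
    ERR_NO_PRIVATE_OBJECTS,  /* CKA_PRIVATE on a token holding only public objects */
    ERR_LOGIN_REQUIRED       /* private object requested while not logged in */
} import_result;

/* Decide whether an import request could succeed on a token. isPerm and
   isPrivate mirror the two PRBool arguments of PK11_ImportEncryptedPrivateKeyInfo;
   fips and logged_in describe the module state. */
import_result check_import(softoken_token tok, bool fips, bool logged_in,
                           bool isPerm, bool isPrivate)
{
    if (fips && tok == TOKEN_GENERIC) return ERR_NO_GENERIC_IN_FIPS;
    if (fips) isPrivate = true;               /* FIPS forces every object private */
    const token_caps *c = &CAPS[tok];
    if (isPerm && !c->token_objects) return ERR_NO_TOKEN_OBJECTS;
    if (isPrivate && !c->private_objects) return ERR_NO_PRIVATE_OBJECTS;
    if (isPrivate && !logged_in) return ERR_LOGIN_REQUIRED;  /* call PK11_Authenticate() first */
    return IMPORT_OK;
}

/* Which slot getter to use: anything permanent or private (or any import in
   FIPS mode) belongs in the Cert DB token; only a public session object fits Generic. */
softoken_token slot_for(bool fips, bool isPerm, bool isPrivate)
{
    return (fips || isPerm || isPrivate) ? TOKEN_CERTDB : TOKEN_GENERIC;
}
```

Checking the thread's own call (isPerm and isPrivate both true on the Generic token) with check_import yields ERR_NO_TOKEN_OBJECTS, and slot_for points to the Cert DB token, i.e. PK11_GetInternalKeySlot().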
