Thanks Nelson. Your suggestion about using PK11_GetInternalKeySlot() solved the problem. --- Subrata
Nelson B Bolyard wrote:
> Subrata Mazumdar wrote, On 2008-08-07 05:34:
>
> Subrata, I apologize for not responding sooner.
>
>> Is it possible to import the PKCS#8 file for private key together with
>> the related X.509 cert file using PK11_ImportEncryptedPrivateKeyInfo()?
>
> Yes, it should be possible.
>
>> I have tried and was not successful.
>> The PKCS#8 file was created using the
>> PK11_ExportEncryptedPrivateKeyInfo().
>
> One would hope that NSS can import what it exports. :)
>
>> The PKCS#8 file is a valid one - I tested it with OpenSSL.
>>
>> Here is the code fragment that I have used:
>>
>>     CERTCertificate* keyCert = ....;
>>     SECItem* publicValue = NULL;
>>     SECKEYPublicKey* pubKey = CERT_ExtractPublicKey(keyCert);
>>     KeyType keyType = pubKey->keyType;
>>     publicValue = CERT_getPublicValueAndType(pubKey, &keyType); // My code
>>     unsigned int keyUsage = keyCert->keyUsage;
>>
>>     SECItem pkcs8Pw; // Initialized with uuencoded password
>>     SECKEYEncryptedPrivateKeyInfo* encPrivateKeyInfo = NULL; // initialized with PKCS#8 data
>>     PRBool isPerm = PR_TRUE;
>>     PRBool isPrivate = PR_TRUE;
>>     PK11SlotInfo* slot = PK11_GetInternalSlot();
>
> There's the problem (assuming you're not in FIPS mode).
>
>>     srv = PK11_ImportEncryptedPrivateKeyInfo(
>>         slot,
>>         encPrivateKeyInfo, &pkcs8Pw,
>>         &nicknameItem,
>>         publicValue,
>>         isPerm, isPrivate,
>>         keyType, keyUsage,
>>         NULL // I made sure that I am already authenticated to the token
>>     );
>
> NSS's "softoken" PKCS#11 module implements two slots, each with one
> non-removable token (when not in FIPS mode; you're not using FIPS mode,
> are you?)
>
> The two slots/tokens have these names:
>
>   slot:  NSS Internal Cryptographic Services
>   token: NSS Generic Crypto Services
>
>   slot:  NSS User Private Key and Certificate Services
>   token: NSS Certificate DB
>
> NSS offers two functions that return pointers to NSS's PK11SlotInfo objects
> for those two slots. Those functions are
>
>   PK11SlotInfo *PK11_GetInternalSlot(void);
>   PK11SlotInfo *PK11_GetInternalKeySlot(void);
>
> The first of those functions (without the word Key in the name) returns a
> pointer to the PK11SlotInfo object for the "Generic" token in the "Internal"
> slot. The other function (with the word Key in the name) returns a pointer
> to the "Cert DB" token in the "Key and Cert Services" slot.
>
> The tokens have these properties:
>
> Generic:
> - no login is necessary or possible
> - does all cryptographic mechanisms
> - supports only session objects, not token objects.
>   (In NSS parlance, it supports only certs for which the "isPerm"
>   attribute is false.)
> - supports only public objects, not private objects (that is, it
>   supports only objects whose CKA_PRIVATE attribute is false).
>   Private objects are those that can only be accessed while logged in
>   to the token. The CKA_PRIVATE attribute should not be confused with
>   the CKO_PRIVATE_KEY object class. They're very different.
>
> Cert DB:
> - is a true superset of the capabilities of the generic token,
>   does everything the generic token does, plus more.
> - supports both session and token objects ("isPerm" true or false)
> - supports both public and private objects
> - login is necessary to use private objects
>
> When NSS's softoken module is in "FIPS mode", there is no "generic" token
> because FIPS mode forbids operating without login. Also, the cert DB token
> forces all objects to be private objects, as FIPS requires.
>
> Anyway, your sample code appears to be trying to import the key as a
> "permanent" (token) object in the Generic slot, which doesn't support that.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto