Robert Relyea wrote:
Does NSS support RFC2898 (derivation of keys from a passphrase), and if so, what set of functions should I be looking at to use this?Yes, The standard NSS PBE interface supports PBKDF2 automatically on reading if the algid specifying the PBE is PBEDKF2. On generation, if you specify a symmetric key algorithm the the standard PK11_CreatePBEAlgorithmID rather than a PBE algorithm, NSS will generate a PKCS #5 v2 algorithm id (using PBKDF2). There is also a new Create algorithm ID called PK11_CreatePBEV2AlgorithmID which allows you to fully specify each of the fields of the PBE.
Ok, so if I am understanding you correctly, would the following code do the trick?
slot = PK11_GetBestSlot(cipherMech, NULL);
SECOidTag algorithm = PK11_MechanismToAlgtag(cipherMech);
SECAlgorithmID * algid = PK11_CreatePBEAlgorithmID(algorithm, 0,
saltItem);
key->symKey = PK11_PBEKeyGen(slot, algid, passItem,
faulty3DES, wincx);
What value should I use for "cipherMech"? I found these two constants
that might do the trick, are either of these relevant?
/* CKM_PKCS5_PBKD2 is new for v2.10 */ #define CKM_PKCS5_PBKD2 0x000003B0 #define CKM_PBA_SHA1_WITH_SHA1_HMAC 0x000003C0 What does "faulty3DES" mean, and what value should I use for wincx?I could find no reference to "PBEDKF2" in the header files, I am interpreting this correctly?
Regards, Graham --
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
