2008/9/6 Graham Leggett <[EMAIL PROTECTED]>:
>
> Hmmm - I spent last weekend going through the PKCS #11 standard, which
> defines an API that seems different to the PK11_CipherOp and friends that I
> was seeing in the examples.

Right. Each crypto module exports the PKCS #11 API, with function names
like C_Encrypt. The PK11_ functions in NSS allow you to manage and use
multiple crypto modules. They dispatch crypto operations to the appropriate
crypto modules. They're also supposed to hide the complexity of the
PKCS #11 API, but some of it still "leaks" through.

> Ah ok - I have up till now been looking for comments and documentation
> within the header files rather than the code itself. Documentation does
> exist in the header files, although nothing that explains how different
> things relate to one another.

Ideally we should move the comments that document the functions to the
header files or our documentation websites. Our documentation is adequate
in some areas but is lacking in other areas. The PK11_ functions for crypto
operations are an area that needs more documentation.

> I think a big source of confusion is that everything is an OID, or
> everything is a mechanism, but not all OIDs or mechanisms are relevant for
> every situation, and this isn't clear from each function call.
>
> For example, the PK11_CreatePBEV2AlgorithmID function contains a SECOidTag
> prfAlgTag parameter, but what this parameter was (the pseudo random
> function) I only discovered after tripping over it mentioned in a section of
> the PKCS5 spec that I was reading looking for something else.
>
> I think it would help immensely if there were doxygen (or whatever other
> tool) comments in the header files to generate docs from automatically. This
> is typically the starting point for me when looking for information about a
> function that wasn't found in the man pages.

Our team has recognized the need for better developer documentation. I hope
we will have some results soon.

For now, I highly recommend using our MXR source code search to supplement
the documentation:
http://mxr.mozilla.org/security/

> The only mechanism that I cannot find an oid for is CKM_DES3_ECB - do you
> know which SEC_OID_* macro I should be using?
>
> The PK11_MechanismToAlgtag function for CKM_DES3_ECB returns
> SEC_OID_UNKNOWN.

I don't know either. Does anyone know? Does the lack of a SECOidTag for
CKM_DES3_ECB prevent you from using some NSS functionality?

I did some web searches for the OID. The OID for DES-EDE is "1.3.14.3.2.17":
http://www.alvestrand.no/objectid/1.3.14.3.2.17.html

But I'm not sure if that's the ECB mode.

NSS's SECOidTag for this OID is SEC_OID_DES_EDE. In our OID table, this OID
doesn't correspond to any PKCS #11 mechanism:
http://mxr.mozilla.org/security/source/security/nss/lib/util/secoid.c#611

    OD( desede, SEC_OID_DES_EDE,
        "DES-EDE", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),

Wan-Teh