Graham Leggett wrote, On 2008-09-06 12:51:

> I think a big source of confusion is that everything is an OID, or
> everything is a mechanism, but not all OID or mechanisms are relevant
> for every situation, and this isn't clear from each function call.

I think this may only be true because of the involvement of PKCS5v2. If PKCS5v2 was not part of the problem space, I would have said that there was no need to use OIDs at all, none whatsoever. I would have said that PK11_ interfaces exist that can do everything you need with just mechanisms, and no OIDs.

The SSL library, for example, manages to use many forms of encryption without ever identifying any of them with an OID. If I recall correctly, so does the SDR interface which is used to encrypt and decrypt users' web site passwords that are remembered by Firefox. I would have recommended that you look at the SDR interface as an example of how to do what you wanted to do, simple encryption of a string with an algorithm of your choice and an arbitrary key. But SDR doesn't use PBE and hence doesn't use PKCS#5.

> For example, the PK11_CreatePBEV2AlgorithmID function contains a
> SECOidTag prfAlgTag parameter, but what this parameter was (the pseudo
> random function) I only discovered after tripping over it mentioned in a
> section of the PKCS5 spec that I was reading looking for something else.

The PKCS5v2 support is a recent addition to NSS. Apparently the new interfaces created for that rely on algorithm Ids, which include OIDs. I don't know if Algorithm Ids are an essential part of the definition of PKCS#5v2 (I don't recall and don't have time to go look right now), but if they are not, then I would imagine that the NSS team could add some additional functions to NSS's public API that allow the caller to specify mechanisms directly and avoid indirection through algorithm IDs and their associated OIDs.

>> A design question: why do you want to use the ECB mode? In
>> most applications, the ECB mode is less secure than the CBC
>> mode.
>
> Completeness I guess - xml-security's API allowed you to choose both CBC
> and ECB modes, so I was trying to emulate the same thing.
>
> The only mechanism that I cannot find an oid for is CKM_DES3_ECB - do
> you know which SEC_OID_* macro I should be using?
>
> The PK11_MechanismToAlgtag function for CKM_DES3_ECB returns
> SEC_OID_UNKNOWN.

NSS exists primarily to support the implementation of standardized communication protocols such as TLS and CMS (S/MIME). None of those protocols ever uses ECB (IINM), and so support for ECB may be minimal or outright lacking.

Although the XML spec may include ECB, I think people with more than a passing familiarity with encryption would not attempt to use it in any serious applications. So, you may be able to reach your goal more quickly with NSS if you can simply abandon the use of ECB and stick with CBC. This is just a suggestion, of course.