> Anyway, I've tried dumping it to a file, this way:
<snip>
> And after that, I tried managing it with openssl command line tools,
> but it doesn't seem to have a proper structure.
>
> What are the contents of the string encprivkey->encryptedData.data?
>
> Is it a proper pkcs5 or pkcs8 or pkcs12 (when using the proper
> algorithm, of course), or is it only the raw encrypted string?
>
> If so, how can I obtain the salt used by the algorithm to derive the
> key used to generate that encrypted string?
>
> How could I build with NSS a pkcs8 object which was treatable by
> openssl?

The encrypted bytes are PKCS#8 formatted, but not openssl compatible PKCS#8 bytes. I ran into this a while back.

http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/fce0519f42c5f5d1/8544462a566725bc?lnk=gst&q=pkcs8#8544462a566725bc
http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/a2252f75e1a29611/c4bde3460c268162?#c4bde3460c268162

Nelson will tell you:
"for about 10 years now, the NSS team's answer to inquiries about PKCS#8 have been that:
- NSS doesn't support bare PKCS#8 for key import or key export.
- PKCS#12 is the protocol/format which all major PKI/SSL implementations agree to support, and for which they test interoperability.
- NSS team recommends that you use PKCS#12."

I was using JSS at the time which called into NSS through JNI. I'm not sure if straight NSS has the same issue. IIRC the problem was with the conversion of the password from characters to bytes. I got around the problem by writing a custom character to byte converter in JSS and decrypting the EPKI data that NSS returned and then immediately creating a new EPKI using JSS which resulted in "compatible" PKCS#8 formatted data. (EPKI = EncryptedPrivateKeyInfo = PKCS8 above)

PS, use NSS's "pp" command line utility or Peter Gutmann's "dumpasn1" utility (just google it) to parse the ASN.1 data and you can see the PKCS#8 structure including the algorithm/salt and encrypted data portions. (I'm partial to dumpasn1's output).

Dave
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
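
As an added illustration (not part of the original post, and not NSS or JSS code): a minimal Python DER reader that pulls the algorithm OID, salt and iteration count out of an EncryptedPrivateKeyInfo, the same fields pp or dumpasn1 would display. It assumes the PBE parameters are a SEQUENCE of salt and iteration count (the PKCS#5 v1.5 / PKCS#12 layout); the function names and the sample bytes are constructed for this example and are not NSS output.

```python
# Added example: minimal DER reader for an EncryptedPrivateKeyInfo (EPKI).
# Assumes parameters are SEQUENCE { salt OCTET STRING, iterations INTEGER }.

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def expect(buf, pos, want):
    """Read one element and insist on its tag; return (value, next_pos)."""
    tag, val, nxt = read_tlv(buf, pos)
    if tag != want:
        raise ValueError(f"expected tag 0x{want:02x}, got 0x{tag:02x}")
    return val, nxt

def decode_oid(raw):
    # First byte packs the first two arcs (valid here because arc 1 is 0 or 1).
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_epki(der):
    """Extract algorithm OID, salt, iteration count and ciphertext."""
    outer, _ = expect(der, 0, 0x30)        # EncryptedPrivateKeyInfo SEQUENCE
    alg, pos = expect(outer, 0, 0x30)      # AlgorithmIdentifier
    enc, _ = expect(outer, pos, 0x04)      # encryptedData OCTET STRING
    oid, pos = expect(alg, 0, 0x06)
    params, _ = expect(alg, pos, 0x30)     # PBE parameters
    salt, pos = expect(params, 0, 0x04)
    iters, _ = expect(params, pos, 0x02)
    return {"oid": decode_oid(oid), "salt": salt,
            "iterations": int.from_bytes(iters, "big"), "encrypted": enc}

# Constructed sample (not NSS output): 3DES PKCS#12 PBE OID, 8-byte salt, 2048 iterations.
SAMPLE = bytes.fromhex("3030" "301c" "060a2a864886f70d010c0103" "300e"
                       "04080102030405060708" "02020800" "0410" + "aa" * 16)
```

A blob whose parameters are nested differently (PBES2, for instance) makes `parse_epki` raise `ValueError` instead of returning misread fields.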