I was playing around with the Sun PKCS11 provider and accessing NSS directly
while in FIPS mode. It appears nss 3.12 (on Vista 32-bit) has issues reporting
key sizes both to Java and using symkeyutil directly:
Attempting to create a 128 byte (1024 bit) aes key on the token:
C:\nss\fips>symkeyutil -K -n aesKey3 -t aes -s 128 -d .
Enter Password or Pin for "NSS FIPS 140-2 Certificate DB":
aesKey3 128 1024 aes <restricted>
Here's the output showing all keys (aesKey and aesKey2 were created using
sunPKCS11-nss):
C:\nss\fips>symkeyutil -L -d .
Enter Password or Pin for "NSS FIPS 140-2 Certificate DB":
Name Len Strength Type Data
NSS FIPS 140-2 Certificate DB:
aesKey3 -2147483648 0 aes <restricted>
aesKey2 268435456 -2147483648 aes <restricted>
aesKey 268435456 -2147483648 aes <restricted>
Now, I switched to NSS 3.11.4 libraries/utils (which are the FIPS certified
ones anyway) and the output changes:
C:\nss\fips>symkeyutil -L -d .
Enter Password or Pin for "NSS FIPS 140-2 Certificate DB":
Name Len Strength Type Data
NSS FIPS 140-2 Certificate DB:
aesKey3 128 1024 aes <restricted>
aesKey2 16 128 aes <restricted>
aesKey 16 128 aes <restricted>
Doing the following in Java to generate a store a key (Provider "p" is the Sun
PKCS11 one I initialized with the config at the end of email):
KeyGenerator keyGen = KeyGenerator.getInstance("AES", p);
keyGen.init(128);
SecretKey rawKey = keyGen.generateKey();
System.out.println("Generated symmetric key:" + rawKey.toString());
ks.setEntry("javaAES", new KeyStore.SecretKeyEntry(rawKey), new
KeyStore.PasswordProtection(password));
ks.store(null, password);
Some output from test program showing it's session key at first, then after
importing it's token key:
Generated symmetric key:SunPKCS11-NSSfips AES secret key, 128 bits (id 1,
session object, sensitive, extractable)
Stored aesKey on token
pulled sym key out of keystore? SunPKCS11-NSSfips AES secret key, 16 bits (id
3126949473, token object, sensitive, extractable)
yields the following:
C:\nss\fips>symkeyutil -L -d .
Enter Password or Pin for "NSS FIPS 140-2 Certificate DB":
Name Len Strength Type Data
NSS FIPS 140-2 Certificate DB:
javaAES 16 128 aes <restricted>
Deleting javaAES using symkeyutil, switching back to nss 3.12 libs/utils and
re-running test program...
Generated symmetric key:SunPKCS11-NSSfips AES secret key, 128 bits (id 1,
session object, sensitive, extractable)
Stored aesKey on token
pulled sym key out of keystore? SunPKCS11-NSSfips AES secret key, 268435456
bits (id 3663820385, token object, sensitive, extractable)
Exception in thread "main" java.security.InvalidKeyException: Illegal key size
at javax.crypto.Cipher.a(DashoA13*..)
at javax.crypto.Cipher.init(DashoA13*..)
at javax.crypto.Cipher.init(DashoA13*..)
at NssPkcs11.main(NssPkcs11.java:64)
and symkeyutil output:
C:\nss\fips>symkeyutil -L -d .
Enter Password or Pin for "NSS FIPS 140-2 Certificate DB":
Name Len Strength Type Data
NSS FIPS 140-2 Certificate DB:
javaAES 268435456 -2147483648 aes <restricted>
I must admit I don't know as much about C/C++ as I'd like but is this just a
signed/unsigned problem?
I have all NSS libs/utils in /usr/mozilla
I have a db in /nss/fips that's in fips mode
My pkcs11 cfg file for the sun PKCS11 provider contains the following:
name = NSSfips
nssLibraryDirectory = /usr/mozilla
nssSecmodDirectory = /nss/fips
nssModule = fips
nssDbMode = readWrite
Should I file a bug or am I just doing something stupid?
Dave
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
