2009/4/30 Robert Relyea <rrel...@redhat.com>:
> Nelson B Bolyard wrote:
>>>
>>> 2. In the longer term, I will need to decode files such as the one I
>>> sent on the openssl mailing list (**), does NSS support this kind of file?
>>> (**) http://www.mail-archive.com/openssl-us...@openssl.org/msg56902.html
>>>
>>
>> The file shown there uses Password Based Encryption features of RFC 3369
>> and RFC 3211, which are not supported by NSS at this time. (BTW, RFC 3211
>> wasn't in your list.)
>>
>> NSS 3.12 offers the low level PBKDF2 functions, but that support has not
>> been integrated into NSS's CMS library, libSMIME, AFAIK.
>>
>> (Bob, feel free to correct me if I'm mistaken about that)
>>
>
> The PBE support in the cms library is incomplete. It is missing the
> following:
>
> 1) The PBE recipient info oid would have to be added to cmsrecinfo.c, along
> with some way of passing in the password. (actually the only need would be
> to generate a fake key and add the password, CMS will already handle PBE
> encrypted blocks properly if the password can be supplied).
>
> 2) Probably some interface changes to allow that password to be set (maybe
> as simple as setting it on the appropriate cms_info structure). If full PKCS
> 5v2 is needed on the creation side, there will need to be a new interface
> for that (decrypt is already handled properly).
>
> 3) Testing.
>
> Short answer: cmsutil certainly won't decrypt PBE encrypted data without some
> extra work.
> This work would certainly be accepted, if done properly (probably means a
> callback to get the password, which would allow thunderbird to automatically
> start handling PBE data).

A long weekend is coming, I'll try to see if this is an easy -for me- feature to add.

Thanks,
--
Mathieu
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto