Dear newsgroup,

Could you please give me a hand? I've got a problem understanding the relationship between physical/logical reader, slot, token, and PK11SlotInfo, NSSToken, PKCS11-Object, Symkeys, Secret keys, fixed keys, in NSS's PKCS11 implementation. Please just put a "true" or "false" after my lines, if you think my list of questions is too long:

If I remember well, the PKCS11 specs tell that there's exactly 1 crypto-object per token (soft or hardware). This object can have several attributes, and can be a symmetric key for different cryptography algorithms (mechanisms) like DES3, which is the one I'm interested in.

A token, with let's say a DES3 symkey as object, can be plugged into a slot.
I thought that's a 1:1 relationship too.
PK11SlotInfo has info about that slot, and the (only one?) token it has plugged in (or not).
If that's true, I don't understand the key arrays
PK11SymKey *freeSymKeysWithSessionHead;
PK11SymKey *freeSymKeysHead;
in PK11SlotInfo, and neither why they are tagged as "free".
Or, maybe, an idea that I just had: does the slotinfo-object point to 1 token, but have several NSS-pk11symkey representations of the key-crypto-object in the token, some of them with an opened session, others not? But why "free"?

Now I'm looking in pk11skey.c in order to find the place where a pk11SymKey NSS-Object (say a PK11SymKey) is created and "filled" with key-data from pkcs11-object in the token, to have an example and see how that works.
(maybe it's a bad function to do so).
"filled", if I understand correctly, means "has a session to...".
But I guess the key data is copied to the raw-key-data of the pkcs11-object (or a pointer references it).

My question is:
What do those code-lines do? Why do I need them in order to find the key-id, before a key can be found using that key-id?

    /* Declarations the fragment relies on (same function in pk11skey.c). */
    CK_ATTRIBUTE findTemp[4], *attrs = findTemp;   /* search template and write cursor */
    CK_OBJECT_CLASS keyclass = CKO_SECRET_KEY;
    CK_BBOOL ckTrue = CK_TRUE;
    int tsize;

    /* Fill the template one attribute at a time, advancing the cursor. */
    PK11_SETATTRS(attrs, CKA_CLASS, &keyclass, sizeof(keyclass)); attrs++;  /* secret (symmetric) key objects */
    PK11_SETATTRS(attrs, CKA_TOKEN, &ckTrue, sizeof(ckTrue)); attrs++;      /* persistent token objects only */
    if (keyID) {
        PK11_SETATTRS(attrs, CKA_ID, keyID->data, keyID->len); attrs++;     /* optional: match this CKA_ID */
    }
    tsize = attrs - findTemp;                        /* number of template entries actually filled */
    PORT_Assert(tsize <= sizeof(findTemp)/sizeof(CK_ATTRIBUTE));


By the way, I don't know why this key is called "fixed", and do I need to have opened sessions at that point?
I don't know if FindFixedKey() looks into tokens
or looks in existing NSS-PK11SymKey-Objects which already have sessions opened.


If you can see that I'm wrong in my structure-conception, please tell me ^^



--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
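The search-template semantics those PK11_SETATTRS lines rely on, as an added stand-alone C example that is neither NSS code nor part of the original post: an object matches a C_FindObjects template only when every attribute in the template equals the object's own, so CKA_CLASS and CKA_TOKEN narrow the search to persistent secret keys and CKA_ID, when present, narrows it to a single one. The PKCS#11 constants and the PK11_SETATTRS macro are redefined inline with their real values; the two-key token and its CKA_ID values are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Minimal PKCS#11 types and constants (values as in pkcs11t.h), so no NSS headers are needed. */
typedef unsigned long CK_ULONG; typedef unsigned char CK_BBOOL; typedef CK_ULONG CK_OBJECT_CLASS;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CKA_CLASS      0x00000000UL
#define CKA_TOKEN      0x00000001UL
#define CKA_ID         0x00000102UL
#define CKO_SECRET_KEY 0x00000004UL
#define CK_TRUE        1
/* Same shape as NSS's PK11_SETATTRS: fill one template entry. */
#define PK11_SETATTRS(x, id, v, l) (x)->type = (id); (x)->pValue = (v); (x)->ulValueLen = (l);

/* A constructed token object: just the attributes the module would report for it. */
typedef struct { const char *label; CK_ATTRIBUTE attrs[3]; } MockObject;

/* C_FindObjects rule: match only if every template attribute has an equal object attribute. */
static int template_matches(const MockObject *obj, const CK_ATTRIBUTE *tmpl, int tsize) {
    for (int i = 0; i < tsize; i++) {
        int found = 0;
        for (int j = 0; j < 3 && !found; j++) {
            const CK_ATTRIBUTE *a = &obj->attrs[j];
            found = a->type == tmpl[i].type && a->ulValueLen == tmpl[i].ulValueLen &&
                    memcmp(a->pValue, tmpl[i].pValue, a->ulValueLen) == 0;
        }
        if (!found) return 0;
    }
    return 1;
}

/* Build the template as the quoted lines do and count matches on a constructed two-key token;
 * with_id == 0 leaves CKA_ID out of the template, as NSS does when keyID is NULL. */
int count_matching_keys(int with_id) {
    CK_OBJECT_CLASS keyclass = CKO_SECRET_KEY;
    CK_BBOOL ckTrue = CK_TRUE;
    unsigned char id1[] = {0x01, 0x02}, id2[] = {0x03, 0x04};   /* constructed CKA_ID values */
    MockObject token[2] = {
        {"des3-a", {{CKA_CLASS, &keyclass, sizeof keyclass}, {CKA_TOKEN, &ckTrue, 1}, {CKA_ID, id1, 2}}},
        {"des3-b", {{CKA_CLASS, &keyclass, sizeof keyclass}, {CKA_TOKEN, &ckTrue, 1}, {CKA_ID, id2, 2}}},
    };
    CK_ATTRIBUTE findTemp[3], *attrs = findTemp;
    PK11_SETATTRS(attrs, CKA_CLASS, &keyclass, sizeof(keyclass)); attrs++;
    PK11_SETATTRS(attrs, CKA_TOKEN, &ckTrue, sizeof(ckTrue)); attrs++;
    if (with_id) { PK11_SETATTRS(attrs, CKA_ID, id2, sizeof(id2)); attrs++; }
    int tsize = (int)(attrs - findTemp), hits = 0;    /* only the filled-in entries are searched */
    for (int k = 0; k < 2; k++) hits += template_matches(&token[k], findTemp, tsize);
    return hits;
}
int main(void) {   /* prints: without CKA_ID: 2 keys, with CKA_ID: 1 key */
    printf("without CKA_ID: %d keys, with CKA_ID: %d key\n", count_matching_keys(0), count_matching_keys(1));
    return 0;
}
```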
