On 10/28/2010 11:39 PM, Deepak wrote:
> Hello,
> I've been trying to import an AES 256 encrypted RSA Private Key
> imported into NSS, to function as a PKCS 11 "AES Secret Key
> Object" (aka object class CKO_SECRET_KEY, key type CKK_AES), but have
> been unsuccessful.
>

Confusion. Do you mean a pkcs #12 AES 256 bit encrypted key? That should work with pk12util.

When most people say "AES 256 encrypted RSA PrivateKey" they mean a private key wrapped with an AES 256 PBE generated key. In that case there is no need to import another AES key. I'm confused because the whole rest of this post is asking about importing AES symmetric keys. Do you have an RSA Private Key wrapped with some fixed symmetric key?

> I attempted this using the symkeyutil tool, but it fails with the
> following error
>
> $ nss-symkeyutil -K -n "Test" -t aes -s 256 -d .
> Enter Password or Pin for "NSS Certificate DB":
> nss-symkeyutil: Token Key Gen Failed
> nss-symkeyutil: The key does not support the requested operation.
>
> I get the same error if I try and import a key that I generated via
> openssl.
>

I've never heard of the nss-symkeyutil. There is a sample app called symkeyutil, but last I checked it was incomplete, though there may have been some work to get it working. From a tools perspective I don't know if there is a way to move an AES symmetric key around. But your question was an RSA private key.

> Is importing AES keys (as a PKCS11 Secret Key) into NSS supported?
> And if so, how do I do it?
>

It's not clear if you are asking 'Programmatically' or with utilities. Programmatically, the only issue importing any key is how you do it. If the token is in FIPS mode, you have to key exchange it. If it's not, PK11_ImportSymKey() should do the trick. (Caveat, not guaranteed to work in all tokens, serious security systems should be able to avoid it;).

bob

> The version of NSS :
> $ port list installed | grep nss
> nss @3.12.7 net/nss
>
>
> Thanks!
> Deepak.
>
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto