On 04/13/2011 01:22 PM, Superpacko wrote:
> On 12 abr, 16:00, Robert Relyea <rrel...@redhat.com> wrote:
>> On 04/12/2011 10:55 AM, Superpacko wrote:
>>> On 28 mar, 15:28, Robert Relyea <rrel...@redhat.com> wrote:
>>>> On 03/28/2011 05:32 AM, Superpacko wrote:
>>>>> On 23 mar, 14:40, Robert Relyea <rrel...@redhat.com> wrote:
>>>>>> On 03/23/2011 06:24 AM, Superpacko wrote:
>>>>>>> Well, so I've been told that I should be able to extract the MPI as
>>>>>>> bytes and pass it to NSS since GPG original key format is PEM, I
>>>>>>> should be able to use MPIs data as raw bytes.
>>>>>> If it's really PEM (which should be a printable string), then you should
>>>>>> be able to pull out the Base 64 portion and pass it to the NSS atob
>>>>>> routine:
>>>>>>
>>>>>>     ATOB_ConvertAsciiToItem()
>>>>>>
>>>>>> It will return a SECItem which has a data and a length. This SECItem is
>>>>>> DER data.
>>>>>>
>>>>>> bob
>>>>>>
>>>>>> PEM is an ascii file in which all the data outside specific wrappers:
>>>>>>
>>>>>>     ( ------------------------- BEGIN xxxxx ---------------------------------),
>>>>>>     (---------------------- END xxx ------------------------)
>>>>>>
>>>>>> are ignored. Inside the wrappers is base 64 encoded binary. Base 64
>>>>>> takes the 27 letters of the alphabet, both upper and lower case, with
>>>>>> the 10 digits, plus and / and assigns each a value between 0 and 64. The
>>>>>> binary blob is then considered a long binary integer. That integer is
>>>>>> converted to base 64 using those printable digits. The encoding uses 4
>>>>>> base 64 digits to encode 3 binary bytes (base 64 is 6 bits per value).
>>>>>> The PEM base64 data is DER data, so the NSS DER functions should
>>>>>> work for them, once you've decoded the base 64.
>>>>>>
>>>>>> bob
>>>>>>
>>>>>>> The thing is that the only function I found that takes unsigned char*
>>>>>>> as argument is PK11_MakeKEAPubKey, and when I try to encrypt using
>>>>>>> that key, I get error 8178 (BAD KEY).
>>>>>>> So is there a way to import a public and private key with raw bytes?
>>>>>>> So far I've seen that most functions need SECKEYPrivateKeyInfo and
>>>>>>> stuff like that.
>>>>> Thanks for the help, I'm going to try to extract this information from
>>>>> the key stored in the MPIs.
>>>>> Is there a way to import an RSA key from an external source that is not
>>>>> DER encoded nor KEA?
>>>> Do you mean an RSA public key or an RSA private key?
>>>>
>>>> bob
>>>>
>>>>> Otherwise I'm gonna have to build a custom PK11_MakeRSAPubKey to create
>>>>> a SECKEYPublicKey from raw bytes, filling the
>>>>>
>>>>>     modulusItem.data = modulusData;
>>>>>     modulusItem.len = modulusLen;
>>>>>     exponentItem.data = exponentData;
>>>>>     exponentItem.len = exponentLen;
>>>>>
>>>>> with the info from the raw bytes.
>>>>> Thanks again!
>>> Is anyone still here?
>>> I've managed to import public and private keys from GPG to NSS. The
>>> only help I need now is with the RSA encryption.
>>> I'm generating an asymmetric key with random bytes, and I need to
>>> encrypt this key with RSA.
>>> How am I supposed to proceed? According to what I read, I can't just
>>> encrypt the whole thing with RSA, instead I have to turn the
>>> asymmetric key into a big number and then encrypt the number with RSA.
>>> Is that correct?
>>> Is there any other way? How would those options be implemented using
>>> NSS functions?
>> That's correct.
>>
>> 1. Your best bet is to use PK11_TokenKeyGenWithFlags() to generate a new
>> symmetric key. (keyid = NULL, attrFlags = 0,
>> opFlags = CKF_ENCRYPT|CKF_WRAP, the rest the same as PK11_KeyGen()). The
>> output of this is a PK11SymKey.
>>
>> 2. You can wrap that symmetric key from step 1 with your imported RSA
>> (public) key with PK11_PubWrapSymKey(). You'll get a SECItem 'data'
>> output here.
>>
>> 3. You can use PK11_WrapPrivKey() to wrap your random asymmetric key
>> with the symmetric key you generated in step 1. You'll get a second
>> SECItem 'data' here. (NOTE: at this point you are through with your
>> asymmetric key, you can free it with PK11_FreeSymKey()).
>>
>> 4. You take the two SECItem data values and package them together.
>> You'll need to identify the first SECItem (from step 2) as the 'wrapped
>> symkey' and the second SECItem (from step 3) as the 'wrapped private key'.
>>
>> To recover your key:
>>
>> 1. Separate the 2 SECItem data values from your package.
>>
>> 2. Use PK11_PubUnwrapSymKey() with your imported RSA (private) key and
>> the 'wrapped symKey'. The result will be a PK11SymKey.
>>
>> 3. Use PK11_UnwrapPrivKey() with the symkey returned in 2 and the
>> 'wrapped private key'. This will return the private key you can now use.
>> The symkey is no longer needed, so you can free it.
>>
>> There's a number of parameters for these functions I've skipped, but
>> this should get you started.
>>
>> bob
>>
>>> Thanks!
>>> Sebastian.
>
> I followed your previous example, and got the same error.
> Generated a symmetric key with
>
>     PK11SymKey* symkey = PK11_TokenKeyGenWithFlags(slot,
>                                                    CKM_AES_CBC,
>                                                    NULL,
>                                                    len,
>                                                    NULL,
>                                                    CKF_ENCRYPT|CKF_WRAP,
>                                                    0,
>                                                    NULL);
>
> did a
>
>     PK11_PubWrapSymKey(CKM_RSA_PKCS,
>                        pubKey,
>                        symkey,
>                        wrapped);
>
> and it works fine. But when decrypting, I'm reading the 256 byte buffer
> (the RSA is 2048 bits), loading it into a SECItem and passing it to the
> decrypt method.
>
>     PK11_PubUnwrapSymKey(privkey, wrappedKey, CKM_AES_CBC, CKF_DECRYPT,
>                          wrappedKey->len);
>
> and there is when I get the ASSERT error:
>
>     file mpi.c
>     Expression: mp != ((void*)0) && str != ((void*)0) && len > 0
>
> Any ideas?
> Thanks a lot!

Oops, I forgot to tell you. You should wrap private keys with a _PAD
mechanism (CKM_AES_CBC_PAD).
It's interesting that it asserted. We should have just returned an error.
That is probably worth a low priority bug report.

bob
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
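The two procedures Bob lays out in the thread (wrap in four steps, recover in three) and his closing point about CKM_AES_CBC versus CKM_AES_CBC_PAD, as an added example that is not from the thread, from Sebastian's code or from NSS. It is written against Go's standard library rather than the PK11_ API so it runs without a PKCS#11 token: a random AES key stands in for PK11_TokenKeyGenWithFlags(), rsa.EncryptPKCS1v15() for PK11_PubWrapSymKey() with CKM_RSA_PKCS, and AES-CBC over the DER-encoded key with PKCS#7 padding for PK11_WrapPrivKey() with CKM_AES_CBC_PAD. The function names (cbcWrap, cbcUnwrap, WrapPrivateKey, UnwrapPrivateKey), the AES-256 key size, and the package layout (the RSA block followed by the CBC blob, separated on the recipient's modulus size exactly as Sebastian's "256 byte buffer" does) are this example's own choices. The pad=false path in cbcWrap reproduces the failure mode from the thread: without padding, a wrapped private key that is not a whole number of blocks is rejected.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"errors"
	"fmt"
)

// cbcWrap encrypts data under an AES key and returns iv||ciphertext.
// pad=false behaves like CKM_AES_CBC: the input must already be a whole
// number of blocks, which a DER-encoded private key almost never is.
// pad=true behaves like CKM_AES_CBC_PAD and appends PKCS#7 padding.
func cbcWrap(key, data []byte, pad bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if pad {
		n := bs - len(data)%bs
		data = append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
	} else if len(data)%bs != 0 {
		return nil, fmt.Errorf("unpadded CBC wrap needs a multiple of %d bytes, got %d", bs, len(data))
	}
	out := make([]byte, bs+len(data))
	if _, err := rand.Read(out[:bs]); err != nil { // fresh random IV
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:bs]).CryptBlocks(out[bs:], data)
	return out, nil
}

// cbcUnwrap reverses a padded cbcWrap and validates the PKCS#7 padding.
func cbcUnwrap(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(blob) < 2*bs || len(blob)%bs != 0 {
		return nil, errors.New("wrapped blob has bad length")
	}
	pt := make([]byte, len(blob)-bs)
	cipher.NewCBCDecrypter(block, blob[:bs]).CryptBlocks(pt, blob[bs:])
	n := int(pt[len(pt)-1])
	if n == 0 || n > bs || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	return pt[:len(pt)-n], nil
}

// WrapPrivateKey is steps 1-4 of the procedure: a fresh AES key (step 1),
// wrapped under the recipient's RSA public key with PKCS#1 v1.5 as
// CKM_RSA_PKCS does (step 2), the DER private key wrapped under the AES
// key with CBC plus padding (step 3), packaged as RSA block || CBC blob (4).
func WrapPrivateKey(recipient *rsa.PublicKey, toWrap *rsa.PrivateKey) ([]byte, error) {
	symKey := make([]byte, 32) // AES-256, an assumption of this example
	if _, err := rand.Read(symKey); err != nil {
		return nil, err
	}
	wrappedSym, err := rsa.EncryptPKCS1v15(rand.Reader, recipient, symKey)
	if err != nil {
		return nil, err
	}
	wrappedPriv, err := cbcWrap(symKey, x509.MarshalPKCS1PrivateKey(toWrap), true)
	if err != nil {
		return nil, err
	}
	return append(wrappedSym, wrappedPriv...), nil
}

// UnwrapPrivateKey is the recovery procedure. The RSA output is always
// exactly recipient.Size() bytes (256 for 2048 bits), so the two parts
// can be separated without a length prefix.
func UnwrapPrivateKey(recipient *rsa.PrivateKey, pkg []byte) (*rsa.PrivateKey, error) {
	sz := recipient.Size()
	if len(pkg) < sz {
		return nil, errors.New("package shorter than one RSA block")
	}
	// Pre-filled with random bytes: if the PKCS#1 v1.5 padding is bad the
	// key stays random and the AES step fails instead, so the RSA step
	// itself leaks no padding oracle to the caller.
	symKey := make([]byte, 32)
	if _, err := rand.Read(symKey); err != nil {
		return nil, err
	}
	if err := rsa.DecryptPKCS1v15SessionKey(rand.Reader, recipient, pkg[:sz], symKey); err != nil {
		return nil, err
	}
	der, err := cbcUnwrap(symKey, pkg[sz:])
	if err != nil {
		return nil, err
	}
	return x509.ParsePKCS1PrivateKey(der)
}
```

Generate two 2048-bit keys, call WrapPrivateKey with one public key and the other private key, then UnwrapPrivateKey with the first private key; the result satisfies got.Equal(toWrap). Calling cbcWrap with pad=false on the DER of a private key returns the alignment error instead of wrapping, which is the situation the thread ends on. PKCS#1 v1.5 is used here only because it matches the CKM_RSA_PKCS mechanism in Sebastian's code; a new design would wrap the symmetric key with RSA-OAEP (CKM_RSA_PKCS_OAEP in PKCS#11, rsa.EncryptOAEP in Go), and should remember that CBC on its own does not authenticate the wrapped key.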