On 13 abr, 18:29, Robert Relyea <rrel...@redhat.com> wrote: > On 04/13/2011 01:22 PM, Superpacko wrote: > > > > > > > > > On 12 abr, 16:00, Robert Relyea <rrel...@redhat.com> wrote: > >> On 04/12/2011 10:55 AM, Superpacko wrote: > > >>> On 28 mar, 15:28, Robert Relyea <rrel...@redhat.com> wrote: > >>>> On 03/28/2011 05:32 AM, Superpacko wrote: > >>>>> On 23 mar, 14:40, Robert Relyea <rrel...@redhat.com> wrote: > >>>>>> On 03/23/2011 06:24 AM, Superpacko wrote:> Well, so i 've been told > >>>>>> that i shuld be able to extract the MPI as > >>>>>>> bytes and pass it to NSS since GPG original key format is PEM, i > >>>>>>> should be able to use MPIs data as raw bytes. > >>>>>> If it's really PEM (which should be a printable string), then you > >>>>>> should > >>>>>> be able to pull out the Base 64 portion and pass it to the NSS atob > >>>>>> routine: > >>>>>> ATOB_ConvertAsciiToItem() > >>>>>> It will return a secItem which has a date and a length. This secitem is > >>>>>> DER data. > >>>>>> bob > >>>>>> PEM is an ascii file in which all the data outside specific wrappers: > >>>>>> ( ------------------------- BEGIN xxxxx > >>>>>> ---------------------------------), > >>>>>> (---------------------- END xxx ------------------------) > >>>>>> are ignored. Inside the wrappers is base 64 encoded binary. Base 64 > >>>>>> takes the 27 letters of the alphabet, both upper and lower case, with > >>>>>> the 10 digits, plus and / and assigns each a value between 0 and 64. > >>>>>> The > >>>>>> binary blob is then considered a long binary integer. That integer is > >>>>>> converted to base 64 using those printable digits. The encoding used 4 > >>>>>> base 64 digits to encode 3 binary bytes (base 64 is 6 bits per value) > >>>>>> The PEM base64 pem data is DER data, so the nss der functions should > >>>>>> work for them, once you've decoded the base 64. > >>>>>> bob > >>>>>>> The thing is that the only function i found that takes unsigned char* > >>>>>>> as argument is PK11_MakeKEAPubKey, and when i try to encrypt using > >>>>>>> that key, i get error 8178 (BAD KEY) > >>>>>>> So is there a way to import a public and private key with raw bytes? > >>>>>>> so far i've seen that most functions need SECKEYPrivateKeyInfo and > >>>>>>> stuff like that. > >>>>> Thanks for the help, im going to try to extract this information from > >>>>> the key stored in the MPIs. > >>>>> Is there a way to import an RSA key from external source that is not > >>>>> DER encoded nor KEA? > >>>> Do you mean an RSA public key or an RSA private key? > >>>> bob > >>>>> otherwise im gonna have to build a custom PK11_MakeRSAPubKey to create > >>>>> a SECKEYPublicKey from raw bytes, filling the > >>>>> modulusItem.data = modulusData; > >>>>> modulusItem.len = modulusLen; > >>>>> exponentItem.data = exponentData; > >>>>> exponentItem.len = exponentLen; > >>>>> with the info from the raw bytes > >>>>> thanks again! > >>> Is still anyone here? > >>> I've managed to imort public and private keys from GPG to NSS. The > >>> only help i need now is with the RSA encryption. > >>> Im generating a asymmetric key with random bytes, and i need to > >>> encrypt this key with RSA. > >>> How am i supposed to proceed? according to what i read, i cant just > >>> encrypt the whole thing with RSA, instead i have to turn the > >>> asymmetric key into a big number and then encrypt the number with RSA. > >>> is that correct? > >>> is there any other way? how would those options be implemented using > >>> NSS functions? > >> That's correct. > > >> 1. Your best bet is to use PK11_TokenKeyGenWithFlags() to generate a new > >> symmetric key. (keyid= NULL attrrFlags = 0, > >> opFlags=CKF_ENCRYPT|CKF_WRAP, the rest the same as PK11_KeyGen()). The > >> output of this is a PK11SymKey. > > >> 2. You can wrap that symmetric key from step 1 with your imported RSA > >> (public) key with PK11_PubWrapSymKey(). You'll get a secitem 'data' > >> output here. > > >> 3. You can use PK11_WrapPrivKey() to wrap your random asymmetric key > >> with the symmetric key you generated in step 1. You'll get a second > >> secitem 'data' here. (NOTE: that this point you are through with your > >> assymetric key, you can free it with PK11_FreeSymKey()). > > >> 4. You take to two secitem data values and packages them together. > >> You'll need to identify the first secitem (from step 2) as the 'wrapped > >> symkey' and the second secitem (from step 3) as the 'wrapped private key'. > > >> To recover your key: > > >> 1. separate the 2 secitem data values from your package. > > >> 2. use PK11_PubUnwrapSymKey() with your imported RSA (private) key and > >> the 'wrapped symKey'. The result will be a PK11SymKey. > > >> 3. use PK11_UnwrapPrivKey() with the symkey returned in 2 and the > >> 'wrapped private key'. This will return the private key you can now use. > >> The symkey is not longer needed, so you can free it. > > >> There's a number of parameters for these functions I've skipped, but > >> this should get you started. > > >> bob > > >>> thanks! > >>> Sebastian. > > I followed your previous example, and got the same error. > > Generated a symmetric key with > > PK11SymKey* symkey = PK11_TokenKeyGenWithFlags(slot, > > > > CKM_AES_CBC, > > > > NULL, > > > > len, > > > > NULL, > > > > CKF_ENCRYPT|CKF_WRAP, > > > > 0, > > > > NULL); > > > did a > > PK11_PubWrapSymKey(CKM_RSA_PKCS, > > pubKey, > > symkey, > > wrapped); > > > and work fine. But when decrypting, im reading the 256 buffer (the RSA > > is 2048 bits), loading in into a SECItem and passing it to the decrypt > > method. > > PK11_PubUnwrapSymKey (privkey, wrappedKey, CKM_AES_CBC, CKF_DECRYPT, > > wrappedKey->len); > > > and theres is when i get the ASSERT error: > > file mpi.c > > Expression: mp != ((void*)0) && str != ((void*)0) && len >0 > > > Any ideas? > > Thanks a lot! > > Oops, I forgot to tell you. You should wrap Private keys with and _PAD > mechanism (CKM_AES_CBC_PAD). > > It's interesting that it asserted. We should have just returned an > error. That is probably worth a low priority bug report. > > bob
mmmmm well im not wrapping the private key. Im just using the one im importing. Im only using the symmetric key to encrypt a metadata and then wrapping that symmetric key with the recipient's public key. I've tried using CKM_AES_CBC_PAD in every CKM parameter in generateSymkey and pubWrap and pubUnwrap functions, but i get the same error. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
