Hi again Rob/all, thanks for your answer.

> This appears to be your problem.  I have no idea what library you are
> using for your primitives (presumably openssl)

Yeah, OpenSSL.

>, but it clearly is not
> decrypting the key with RSA_PKCS1_PADDING. The expected result should be
> something like 24-16 bytes, which should be the symmetric key you encrypted
> with.

So:
Is it correct that Thunderbird invokes C_Decrypt once with 128 bytes
of data, and I should return a symmetric key to decrypt the email?
Did Thunderbird encrypt the key with my public RSA key?
How can I know if it is 24 or 16?
Does it make any difference if Thunderbird used 512/1024/2048? Which one was used?

> The code makes me wonder what you are trying to do, however. It looks more
> like a 'simulated' smart card.

Indeed, it's not a real crypto card, only a not-so-smart one.

> I presume that d2i_RSAPrivateKey takes the
> actual private key that matches the public key used by S/MIME. Presumably
> the data is stored somewhere and you aren't just 'regenerating a new key'.

Could you explain what 'regenerating a new key' means?
The software is working perfectly for signing, which is quite similar.

> If you were using a smart card, I would have expected a card specific APDU
> call which passes the encrypted data to the card and got the decrypted data
> back.

No Sir. This is not a cryptographic card. The card only stores the
cert+keys, but operations are done in memory. (...do lemonade)

> It appears to be a bug in your code at this point. If you are using the
> correct key, and you are using RSA_PKCS1_PADDING, your RSA_private_decrypt
> should work.

As I'm using an OpenSSL function, I don't see the possible error in
here. Still... is Thunderbird doing the following?

- Mozilla should ask for mechanisms (does)
- Mozilla should see the card doesn't implement any symmetric mechanism
  (so, must handle the symmetric part of this on its own) (does?)
- Mozilla should encrypt/decrypt the symmetric key using my public RSA,
  only to do a C_Decrypt call (does??)

>> Must we code C_UnWrapKey function and so to Decrypt, because Thunderbird
>> doesn't like our PKCS#11 just does CKM_RSA_PKCS?
>
> Thunderbird is perfectly happy with CKM_RSA_PKCS.

I'll ask again: we only do CKM_RSA_PKCS. Does Mozilla Thunderbird
require other mechanisms to work properly?

Thanks again for your time and help, I'm going to review the code one more time.
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
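
Added example (not part of the original message, and not the poster's or Mozilla's code): a Python sketch of what a C_Decrypt call with CKM_RSA_PKCS is expected to return for a 128-byte input, with textbook RSA standing in for OpenSSL's RSA_private_decrypt. The key pair, seed and function names are constructed for illustration; the length of the recovered symmetric key (16 or 24 bytes) is whatever follows the padding separator.

```python
import random

def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin test; adequate for a throwaway demo key."""
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def demo_keypair(bits=1024, seed=1):
    """Constructed, insecure demo key: fixed seed, non-cryptographic RNG."""
    rng, e = random.Random(seed), 65537
    def prime():
        while True:
            # Top two bits set so p*q has exactly `bits` bits; low bit makes it odd.
            p = rng.getrandbits(bits // 2) | (3 << (bits // 2 - 2)) | 1
            if p % e != 1 and is_probable_prime(p, rng):
                return p
    p, q = prime(), prime()
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def pad_encrypt(key, n, e, rng):
    """Sender side: EB = 00 || 02 || PS (nonzero, >= 8 bytes) || 00 || key."""
    k = (n.bit_length() + 7) // 8
    ps = bytes(rng.randrange(1, 256) for _ in range(k - 3 - len(key)))
    eb = b"\x00\x02" + ps + b"\x00" + key
    return pow(int.from_bytes(eb, "big"), e, n).to_bytes(k, "big")

def decrypt_rsa_pkcs(ct, n, d):
    """Token side: return the bare key with the PKCS#1 v1.5 padding removed."""
    k = (n.bit_length() + 7) // 8
    if len(ct) != k:
        raise ValueError("ciphertext length must equal modulus length")
    eb = pow(int.from_bytes(ct, "big"), d, n).to_bytes(k, "big")
    sep = eb.find(b"\x00", 2)  # first zero byte after the 00 02 header
    if eb[:2] != b"\x00\x02" or sep < 10:
        raise ValueError("bad PKCS#1 v1.5 block (wrong key or padding mode)")
    return eb[sep + 1:]
```

The unpadding here is not constant time, so it is suitable for studying the block layout only.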
