On 01/26/2012 11:53 PM, weizhong qiang wrote:
hi,
I did found that the CKA_SENSITIVE is "true" by using the following code:
rv = PK11_ReadRawAttribute(PK11_TypePrivKey, privKey,
CKA_SENSITIVE,&value);
if (rv != SECSuccess) {
NSSUtilLogger.msg(ERROR, "Failed to read CKA_SENSITIVE attribute from
private key.");
}
if ((value.len == 1)&& (value.data != NULL))
std::cout<< !!(*(CK_BBOOL*)value.data)<<std::endl;
But I did set sensitive parameter to be PR_FALSE when generate the key pair,
see the following:
*privk = PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN,&rsaParams,
pubk, PR_FALSE, PR_FALSE, NULL);
How could the key still be sensitive? Is there anywhere that I should set?
Hmm, your right, that doesn't seem right. Do you have a simple test case
that reproduces this?
Also which version of NSS are you running?
Are you sure that slot points to the internal token?
Are you in FIPS mode? (in which case you don't have a choice on
sensitive or not).
NSS uses exactly this method to generate a key it's going to load into a
token that doesn't support CKM_RSA_PKCS_KEY_PAIR_GEN.
bob
Best Regards
Weizhong Qiang
On Jan 26, 2012, at 6:57 PM, Robert Relyea wrote:
On 01/26/2012 07:55 AM, weizhong qiang wrote:
On Jan 26, 2012, at 4:44 PM, helpcrypto helpcrypto wrote:
AFAIK, returning or not the attributes from an object, depends on the token.
Everything I am operating is on the nss internal softoken.
Right softoken enforces good hygiene.
In truth, access to those attributes are controlled through a couple of other
attributes:
CKA_PRIVATE - access to the object requires authentication.
CKA_SENSITIVE - direct access to the sensitive/private attributes of this
object is prohibitted.
CKA_EXTRACTABLE - this object can be extracted from the token.
If Private is set, then you need to log in to do any of the actions below.
If both Sensitve and Extractable is set, then you can extract the object by
wrapping it, but you can't access the unencrypted attributes.
If Senstive is FALSE and Extractable is TRUE, you can either extract the object
by wrapping it, or by reading the attributes directly.
If Extractable is FALSE, then you can't extract the object at all (either by
wrapping it or by reading the attributes directly).
Most tokens set Extratable to FALSE.
bob
I recommend you reading about CKO_PRIVATE_KEY on PKCS#11 standard to
understand what can be happening.
For example if token=card, CKA_PRIME_1 *musnt* be on the card, as far
is not *needed* to do cryptographic operations.
El día 26 de enero de 2012 14:08, weizhong qiang
<weizhongqi...@gmail.com> escribió:
hi,
Is there a fact that nss does not permit the reading of the attribute
CKA_PRIVATE_EXPONENT, CKA_PRIME_1, etc.?
Because with all of the eight attributes, it is possible to compose the content
of the private key, but the outputting of private key is not allowed in nss?
Thanks and Best Regards,
Weizhong Qiang
On Jan 26, 2012, at 9:43 AM, helpcrypto helpcrypto wrote:
Is eny error shown at NSSUtilLogger.msg(ERROR, "Failed to read
attribute %x from private key.", type); ?
El día 25 de enero de 2012 17:04, weizhong qiang
<weizhongqi...@gmail.com> escribió:
hi all,
I tried to get the attributes from a private key (see the following code
piece). But only the CKA_MODULUS and CKA_PUBLIC_EXPONENT can be got, others
(CKA_PRIVATE_EXPONENT etc.) can not be got.
Could you tell me how to solve it?
By the way, I generate rsa key pair without "sensitive" (PK11_GenerateKeyPair(slot,
CKM_RSA_PKCS_KEY_PAIR_GEN,&rsaParams, pubk, PR_TRUE, PR_FALSE, NULL); ), so I suppose the
private key is not protected by password, and can be output?
Best Regards,
Weizhong Qiang
/****************/
static bool ReadPrivKeyAttribute(SECKEYPrivateKey* key, CK_ATTRIBUTE_TYPE type,
std::vector<uint8>* output) {
SECItem item;
SECStatus rv;
rv = PK11_ReadRawAttribute(PK11_TypePrivKey, key, type,&item);
if (rv != SECSuccess) {
NSSUtilLogger.msg(ERROR, "Failed to read attribute %x from private key.",
type);
return false;
}
output->assign(item.data, item.data + item.len);
SECITEM_FreeItem(&item, PR_FALSE);
return true;
}
static bool ExportPrivateKey(SECKEYPrivateKey* key, std::vector<uint8>*
output) {
PrivateKeyInfoCodec private_key_info(true);
// Manually read the component attributes of the private key and build up
// the PrivateKeyInfo.
if (!ReadPrivKeyAttribute(key, CKA_MODULUS, private_key_info.modulus()) ||
!ReadPrivKeyAttribute(key, CKA_PUBLIC_EXPONENT,
private_key_info.public_exponent()) ||
!ReadPrivKeyAttribute(key, CKA_PRIVATE_EXPONENT,
private_key_info.private_exponent()) ||
!ReadPrivKeyAttribute(key, CKA_PRIME_1, private_key_info.prime1()) ||
!ReadPrivKeyAttribute(key, CKA_PRIME_2, private_key_info.prime2()) ||
!ReadPrivKeyAttribute(key, CKA_EXPONENT_1, private_key_info.exponent1())
||
!ReadPrivKeyAttribute(key, CKA_EXPONENT_2, private_key_info.exponent2())
||
!ReadPrivKeyAttribute(key, CKA_COEFFICIENT,
private_key_info.coefficient())) {
return false;
}
return private_key_info.Export(output);
}
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
