[xmlsec] nss updates
Andrew Fan
Andrew.Fan@sun.com
Mon, 28 Jul 2003 14:16:13 +0800
Hi Tej,
I had a look at your implementation of symmetric key wrap and
transport. I find that you treated the symmetric key as common data when
wrapping or transporting it, and used the interfaces PK11_CipherOp,
PK11_PubEncryptRaw, and PK11_PubDecryptRaw. To my knowledge, PKCS11 has
a function named C_WrapKey that does things like key wrap and key
transport; it is designed following some standards, such as PKCS1 and
KEK, and there is a little difference between wrapping a key and
encrypting a block of data. I searched NSS and found some functions like
C_WrapKey, such as PK11_WrapSymKey/PK11_UnwrapSymKey and
PK11_PubWrapSymKey/PK11_PubUnwrapSymKey. I wonder why you do not use
these functions? I did not carefully check the NSS sources, so I don't know
whether you're right or not. Are you sure you got the right result?
Anyhow, I suggest using the C_WrapKey-like functions because they are the
default ones, which will ensure you get the correct result, I think.
BTW, I also notice that you use a crypto mechanism named
CKM_NETSCAPE_AES_KEY_WRAP, which will make you depend on the NSS internal
PKCS11 implementation, and will prevent you from using third-party PKCS11
devices, such as smart cards.
Andrew
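The difference Andrew points to, that wrapping a key is not the same as encrypting it as an opaque block, is what the AES Key Wrap standard (RFC 3394, the "KEK" construction that PKCS#11 wrap mechanisms such as CKM_AES_KEY_WRAP implement) adds: a fixed 64-bit initial value is mixed through every block so that the unwrap side can verify the blob was not altered or decrypted with the wrong key, whereas a raw PK11_CipherOp decrypt returns garbage silently. The following is an added example written for this page, not code from xmlsec or NSS; it implements RFC 3394 wrap/unwrap in Go with only the standard library (Go is used so the algorithm, rather than the NSS C binding, is what runs), and checks it against the test vector in RFC 3394 section 4.1. Function names (`WrapKey`, `UnwrapKey`) are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// RFC 3394 default initial value. It is carried through the wrap and serves
// as the integrity check value (ICV) on unwrap.
var keyWrapIV = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// WrapKey implements RFC 3394 AES Key Wrap. kek is the key-encryption key
// (16, 24 or 32 bytes); plaintext is the key material to wrap and must be a
// multiple of 8 bytes and at least 16 bytes long. Output is 8 bytes longer.
func WrapKey(kek, plaintext []byte) ([]byte, error) {
	if len(plaintext)%8 != 0 || len(plaintext) < 16 {
		return nil, errors.New("key to wrap must be a multiple of 8 bytes and at least 16 bytes")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(plaintext) / 8
	a := append([]byte(nil), keyWrapIV...) // A: 64-bit register, starts as the IV
	r := append([]byte(nil), plaintext...) // R[1..n]: 64-bit key blocks
	buf := make([]byte, 16)
	var tb [8]byte
	for j := 0; j <= 5; j++ {
		for i := 1; i <= n; i++ {
			// B = AES(K, A | R[i])
			copy(buf[:8], a)
			copy(buf[8:], r[(i-1)*8:i*8])
			block.Encrypt(buf, buf)
			// A = MSB64(B) XOR t, with t = n*j + i
			binary.BigEndian.PutUint64(tb[:], uint64(n*j+i))
			for k := 0; k < 8; k++ {
				a[k] = buf[k] ^ tb[k]
			}
			// R[i] = LSB64(B)
			copy(r[(i-1)*8:i*8], buf[8:])
		}
	}
	return append(a, r...), nil
}

// UnwrapKey reverses WrapKey and rejects the result unless the recovered
// register equals the IV, i.e. unless the blob is intact and the KEK matches.
func UnwrapKey(kek, wrapped []byte) ([]byte, error) {
	if len(wrapped)%8 != 0 || len(wrapped) < 24 {
		return nil, errors.New("wrapped key has invalid length")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(wrapped)/8 - 1
	a := append([]byte(nil), wrapped[:8]...)
	r := append([]byte(nil), wrapped[8:]...)
	buf := make([]byte, 16)
	var tb [8]byte
	for j := 5; j >= 0; j-- {
		for i := n; i >= 1; i-- {
			// B = AES^-1(K, (A XOR t) | R[i])
			binary.BigEndian.PutUint64(tb[:], uint64(n*j+i))
			for k := 0; k < 8; k++ {
				buf[k] = a[k] ^ tb[k]
			}
			copy(buf[8:], r[(i-1)*8:i*8])
			block.Decrypt(buf, buf)
			copy(a, buf[:8])             // A = MSB64(B)
			copy(r[(i-1)*8:i*8], buf[8:]) // R[i] = LSB64(B)
		}
	}
	if !bytes.Equal(a, keyWrapIV) {
		return nil, errors.New("key unwrap failed: integrity check mismatch")
	}
	return r, nil
}

func main() {
	// Test vector from RFC 3394 section 4.1 (128-bit KEK, 128-bit key data).
	kek, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F")
	key, _ := hex.DecodeString("00112233445566778899AABBCCDDEEFF")
	wrapped, _ := WrapKey(kek, key)
	fmt.Printf("wrapped:   %X\n", wrapped)
	// Flip one byte of the blob: a raw block decrypt would hand back wrong key
	// bytes without complaint; the unwrap detects it.
	wrapped[10] ^= 0x01
	if _, err := UnwrapKey(kek, wrapped); err != nil {
		fmt.Println("tampered:  ", err)
	}
}
```

Unwrapping with a different KEK fails the same check, which is the property a caller loses when the key is passed through a generic encrypt/decrypt path.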