[xmlsec] nss updates

Andrew Fan Andrew.Fan@sun.com
Mon, 28 Jul 2003 14:16:13 +0800


Hi Tej,

I had a look at your implementation of symmetric key wrap and 
transport. I found that you treated the symmetric key as common data when 
wrapping or transporting it, and used the interfaces PK11_CipherOp, 
PK11_PubEncryptRaw, and PK11_PubDecryptRaw.  To my knowledge, PKCS11 has 
a function named C_WrapKey that does things like key wrap and key 
transport; it is designed following some standards, such as PKCS1 and 
KEK, and there is a little difference when wrapping a key compared with 
encrypting a block of data. I searched NSS and found some functions like 
C_WrapKey, such as PK11_WrapSymKey/PK11_UnwrapSymKey and 
PK11_PubWrapSymKey/PK11_PubUnwrapSymKey. I wonder why you do not use 
these functions? I did not carefully check the NSS sources, so I don't know 
whether you're right or not. Are you sure you got the right result?

Anyhow, I suggest using the C_WrapKey-like functions because they are the 
default ones, which will ensure you get the correct result, I think.

BTW, I also noticed that you use a crypto mechanism named 
CKM_NETSCAPE_AES_KEY_WRAP, which will result in your depending on NSS's internal 
PKCS11 implementation, and will prevent you from using third-party PKCS11 
devices, such as smart cards.

Andrew
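As an added illustration (not part of the thread, and not xmlsec or NSS code) of why a dedicated key-wrap mechanism differs from encrypting the key as an ordinary data block: the example below wraps a key with RFC 3394 AES Key Wrap (the algorithm behind PKCS#11 AES key-wrap mechanisms) and contrasts it with raw AES-ECB. It assumes the third-party Python `cryptography` package is installed and uses the RFC 3394 section 4.1 test vector as its input.

```python
# Added example: RFC 3394 AES Key Wrap versus treating the key as raw data.
# Assumes the `cryptography` package (pip install cryptography) is available.
from cryptography.hazmat.primitives.keywrap import (
    aes_key_wrap, aes_key_unwrap, InvalidUnwrap)
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# RFC 3394 section 4.1 test vector: 128-bit KEK wrapping 128 bits of key data.
KEK = bytes.fromhex("000102030405060708090A0B0C0D0E0F")
KEY_DATA = bytes.fromhex("00112233445566778899AABBCCDDEEFF")
EXPECTED_WRAPPED = bytes.fromhex(
    "1FA68B0A8112B447AEF34BD8FB5A7B829D3E862371D2CFE5")


def wrap_key(kek: bytes, key_data: bytes) -> bytes:
    """Wrap key_data with the dedicated key-wrap mechanism (RFC 3394).
    Output is 8 bytes longer than the input: that extra block carries the
    integrity check that a plain block cipher operation does not provide."""
    return aes_key_wrap(kek, key_data)


def unwrap_key(kek: bytes, wrapped: bytes):
    """Unwrap; returns None when the built-in integrity check fails."""
    try:
        return aes_key_unwrap(kek, wrapped)
    except InvalidUnwrap:
        return None


def raw_encrypt(kek: bytes, key_data: bytes) -> bytes:
    """'Wrap' by encrypting the key as a single AES-ECB data block
    (the PK11_CipherOp-style approach discussed above; no integrity check)."""
    enc = Cipher(algorithms.AES(kek), modes.ECB()).encryptor()
    return enc.update(key_data) + enc.finalize()


def raw_decrypt(kek: bytes, blob: bytes) -> bytes:
    """Decrypt the raw block; any corruption yields silent garbage."""
    dec = Cipher(algorithms.AES(kek), modes.ECB()).decryptor()
    return dec.update(blob) + dec.finalize()


def flip_first_byte(b: bytes) -> bytes:
    """Simulate a one-bit transmission error or tampering of the blob."""
    return bytes([b[0] ^ 0x01]) + b[1:]


if __name__ == "__main__":
    wrapped = wrap_key(KEK, KEY_DATA)
    print("wrap matches RFC 3394 vector:", wrapped == EXPECTED_WRAPPED)
    print("tampered wrap rejected:", unwrap_key(KEK, flip_first_byte(wrapped)) is None)
    raw = raw_encrypt(KEK, KEY_DATA)
    print("tampered raw block silently 'decrypts':",
          raw_decrypt(KEK, flip_first_byte(raw)) != KEY_DATA)
```

The key-wrap path rejects the corrupted blob outright, while the raw-cipher path hands back a wrong key with no error, which is one concrete reason to prefer the C_WrapKey-style API over PK11_CipherOp for key transport.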