[xmlsec] Re: Generate symmetric key

Aleksey Sanin aleksey at aleksey.com
Wed Jun 18 08:41:50 PDT 2003

As you can see from the code, there is a special GenerateKey function.
Yes, the simplest implementation I have for NSS does use the random
generator but it was only a result of copy/paste from GnuTLS/OpenSSL code.
It would be great to have  symmetric key generated on crypto token.
However, you need to remember that you might need to get *raw* symmetric
key data in some cases (encrypting with encrypted key).

Bottom line: I have no problems with your suggestions. But you might want
to talk with Tej about that too.


Andrew Fan wrote:

> Hi Aleksey,
> I noticed that in the implementation of xmlSec on top of NSS, every 
> symmetic key( symkeys.c ) is generated from calling 
> PK11_RandomGenerate( unsigned char* data , int len ), which calling 
> the C_GenerateRandom of PKCS#11, and creating an internal pkcs11 slot 
> for C_GenerateRandom.
> I think it is unreasonable. 1. a symmetric key should be created in the
> user practice context, i.e., a certain slot and an a certain session. 
> 2. a symmetic key should be created by the crypto device( C_GenerateKey )
> instead of constructed from a random. 3. although from a random, it is
> possible to create a symmetric key,  it is not a recommendable
> solution. 4. this implementation hides the mechanism of crypto device.
> What's your idea about this questions?
> Regards,
> Andrew

More information about the xmlsec mailing list