[xmlsec] nss updates

Andrew Fan Andrew.Fan at sun.com
Mon Jul 28 19:30:35 PDT 2003

Hi Tej,

You are right. And it is hard to find the key type of the wrapped key in 
the xmlSec context; I struggled for a whole day and failed to find 
the type.

Tej Arora wrote:

>Hi Andrew,
>Here's the response to your questions on a case by case basis:
>1) DES3 wrapping:
>The Encryption spec defines the wrap/unwrap procedure
>which treats the key to be wrapped as common data.
>See 5.6.2 CMS Triple DES Key Wrap in the XML Encryption spec.
>Aleksey has faithfully implemented that specification in
>xmlsec-openssl, and xmlsec-nss reflects that.
>2) AES wrapping:
>a) The spec clearly states that the information to be
>wrapped NEED NOT BE A KEY. See 5.6.3 AES KeyWrap in the
>encryption spec
>b) Why CKM_NETSCAPE_AES_KEY_WRAP? As far as I know, there
>is no standard OID for AES WRAP defined by the PKCS11 spec.
>The CKM_NETSCAPE_AES_KEY_WRAP mechanism is only implemented
>by NSS's softtoken.
>That is the ONLY AES wrap mechanism available to me in NSS.
>3) RSA wrapping:
>The encryption spec (see 5.4 Key Transport) allows for 2 possibilities:
>a) the encrypted data is a key
>b) the encrypted data is not a key
>However, there is a distinction between the two cases.
>In case (a) the type of the key being wrapped is specified
>by the ALGORITHM attribute of ENCRYPTIONMETHOD element under
>I'm not sure this distinction is visible in the
>Transform Klass that does the RSA wrapping.  Aleksey?
>In order for me to use PK11_PubWrapSymKey instead of
>PK11_PubEncryptRaw, I need to know the type of the
>key I'm wrapping.
>Andrew Fan wrote:
> > Hi Tej,
> >
> > I had a look at your implementation of symmetric key wrap and
> > transport. I find that you treated the symmetric key as common data when
> > wrapping or transporting, and used the interfaces PK11_CipherOp,
> > PK11_PubEncryptRaw, and PK11_PubDecryptRaw.  To my knowledge, PKCS11 has
> > a function named C_WrapKey that does things like key wrap and key
> > transport. It is designed following some standards, such as PKCS1 and
> > KEK; there is a little difference between wrapping a key and
> > encrypting a block of data. I searched NSS and found some functions like
> > C_WrapKey, such as PK11_WrapSymKey/PK11_UnwrapSymKey and
> > PK11_PubWrapSymKey/PK11_PubUnwrapSymKey. I wonder why you do not use
> > these functions? I did not carefully check the NSS sources, so I don't know
> > whether you're right or not. Are you sure you got the right result?
> >
> > Anyhow, I suggest using the C_WrapKey-like functions because they are the
> > default ones, which will ensure you get the correct result, I think.
> >
> > BTW, I also notice that you use a crypto mechanism named
> > CKM_NETSCAPE_AES_KEY_WRAP, which will result in you depending on the NSS
> > internal PKCS11 implementation, and will prevent you from using third-party
> > PKCS11 devices, such as smart cards.
> >
> > Andrew
> >
> >
>xmlsec mailing list
>xmlsec at aleksey.com
