I'm trying to understand why the PK11_Derive call:
    /* PKCS#11 handle of the second key, passed as the mechanism parameter */
    CK_OBJECT_HANDLE key_handle = PK11_GetSymKeyHandle(key);
    SECItem key_param = {
        .data = (unsigned char *)&key_handle,
        .len = sizeof(key_handle)
    };
    CK_ATTRIBUTE_TYPE operation = CKA_DERIVE;
    int key_size = 0; /* 0: let the token choose the size for the target mechanism */
    PK11SymKey *result = PK11_Derive(base_key,
                                     CKM_CONCATENATE_BASE_AND_KEY, &key_param,
                                     CKM_MD5_KEY_DERIVATION, operation, key_size);
works when "key" came from CKM_DH_PKCS_DERIVE but fails when the key
came from (CKM_ECDH1_DERIVE, CKD_NULL). Debugging suggests that the
operation is rejected in lib/softoken/pkcs11c.c by the code:
    /* second key has no CKA_VALUE attribute: reject the handle */
    att2 = sftk_FindAttribute(newKey, CKA_VALUE);
    if (att2 == NULL) {
        sftk_FreeObject(newKey);
        crv = CKR_KEY_HANDLE_INVALID;
        break;
    }
I've found a work-around is to first CKM_EXTRACT_KEY_FROM_KEY and then
use that :-/
Is this expected? And is there a clean way to detect a key like ECDH
that will cause problems?
Andrew
--
dev-tech-crypto mailing list
https://lists.mozilla.org/listinfo/dev-tech-crypto