Bug 1467321: API to obtain the modulus of an RSA key
Status: RESOLVED WORKSFORME (Closed)
Opened 6 years ago; Closed 6 years ago
Categories: NSS :: Libraries, defect
People: Reporter: edewata, Assigned: edewata
Attachments (1 file): patch, 768 bytes; review- (KaiE)
Currently the PK11_GetAttributes() is not exported in nss.def. This function should be exported such that it can be used to implement RSAPrivateKey.getModulus() in JSS, which is needed to fully support HSM in Dogtag PKI on Fedora 28+. Please see the following page for more info: http://www.dogtagpki.org/wiki/JSS_4.5_Supporting_RSAPrivateKey.getModulus()
Comment 1•6 years ago
Kai, could you take a look at this patch? Thanks. The patch was written for NSS 3.37, but I could update it for the next version if needed.
Comment 2•6 years ago
IMHO we must not export PK11_GetAttributes. It returns a copy of the internal storage representation, and worse, the returned data includes pointers into raw NSS storage. We should introduce a new API, which gives you the information that you require, without exposing NSS internal storage. Note that your link from dogtagpki.org points to an empty page. Also note that NSS 3.37 has already been released. Any changes to the public API must currently use version 3.38. However, this version is expected to get API frozen in 3 days, on 2018-06-14. If the patch lands after the freeze, version 3.39 must be used.
Updated•6 years ago
Attachment #8983989 - Flags: review?(kaie) → review-
Comment 3•6 years ago
I'm changing the subject of this bug to describe the functionality you're requesting.
Summary: Exporting PK11_GetAttributes() → API to obtain the modulus of an RSA private key
Comment 4•6 years ago
Endi, can you please say what input do you already have available? Internal function takes input variables

    PK11SlotInfo *slot
    CK_OBJECT_HANDLE obj

Does that mean you have those available, and they identify the RSA key? I think we need an API that can give you the public key in general, or specifically an RSA public key. The modulus is a property of the RSA public key.
Summary: API to obtain the modulus of an RSA private key → API to obtain the modulus of an RSA key
Comment 5•6 years ago
Kai, thanks for looking at the patch. The URL to the design page on dogtagpki.org is actually correct, but Bugzilla would not include the parentheses in the link, so you need to copy and paste the URL manually:

    http://www.dogtagpki.org/wiki/JSS_4.5_Supporting_RSAPrivateKey.getModulus()

The PK11_GetAttributes() is going to be used in PK11RSAPrivateKey.getModulusByteArray() like this:

    https://github.com/edewata/jss/blob/ticket-9/org/mozilla/jss/pkcs11/PK11PrivKey.c#L705
    https://github.com/edewata/jss/blob/ticket-9/org/mozilla/jss/pkcs11/PK11RSAPrivateKey.java#L31

As you can see in the code, we have the SECKEYPrivateKey *key and PK11SlotInfo *slot. This code is part of PK11RSAPrivateKey class, so the key must be an RSA key. Let me know if you need more information. Thanks.
Comment 6•6 years ago
If you have SECKEYPrivateKey, couldn't you simply use SECKEY_ConvertToPublicKey() to get the public key?
Comment 7•6 years ago
I was not aware of SECKEY_ConvertToPublicKey(). Would that be the recommended solution, or just a temporary workaround until we have a new way to get the modulus from SECKEYPrivateKey directly? Is the public key guaranteed to exist?
Comment 8•6 years ago
Thanks Daiki, that's a great suggestion. A solution that works and doesn't require a new exported API is preferred. I wouldn't call that a workaround. As seen below, the information that comprises an RSA public key is also part of an RSA private key, so I'd assume the conversion to always succeed.

    struct RSAPrivateKeyStr {
        PLArenaPool *arena;
        SECItem version;
        SECItem modulus;
        SECItem publicExponent;
        SECItem privateExponent;
        SECItem prime1;
        SECItem prime2;
        SECItem exponent1;
        SECItem exponent2;
        SECItem coefficient;
    };

    struct SECKEYRSAPublicKeyStr {
        PLArenaPool *arena;
        SECItem modulus;
        SECItem publicExponent;
    };

Could you test if it works for you? If yes, could you please resolve this bug as worksforme? Thanks
Comment 9•6 years ago
Here is the new code: https://github.com/edewata/jss/blob/ticket-9-1/org/mozilla/jss/pkcs11/PK11PrivKey.c#L705 It seems to be working fine, but does the public key object need to be freed afterwards? If so, could you show me how? Thanks.
Comment 10•6 years ago
(In reply to Endi S. Dewata from comment #9)
> It seems to be working fine,

great

> but does the public key object need to be freed
> afterwards? If so, could you show me how?

I see that certutil also calls SECKEY_ConvertToPublicKey, and for cleanup it calls SECKEY_DestroyPublicKey.
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → WORKSFORME
Comment 11•6 years ago
Thanks Kai & Daiki!