Closed Bug 360600 Opened 18 years ago Closed 8 years ago

Cannot specify key usages with KEYGEN tag


(Core :: Security: PSM, defect)

1.9.0 Branch
Not set





(Reporter: m4gw4s, Unassigned)



(Whiteboard: [psm-enroll])

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20060921 Ubuntu/dapper-security Firefox/
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20060921 Ubuntu/dapper-security Firefox/

When I try to generate a signing key with a CA on my Aladdin eToken, it fails, because the eToken only allows generating signing OR encryption keys, not both.
(actually there is a workaround called split key).

Reproducible: Always

Steps to Reproduce:
1. get an eToken
2. configure it with
3. try to generate a key with a CA

Expected Results:  
libnss should set CKA_ENCRYPT or CKA_DECRYPT attribute at least in the pPrivateKeyTemplate attribute of C_GenerateKeyPair.

Yes, I guess that there is no interface yet to figure out the key usage.
It could be made an optional attribute of the keygen tag, and if it is missing, it could be requested from the user, just like the key length.

(I tried to report this bug once today, but could not find it. Sorry if it is reported twice.)
The keygen tag was superseded, YEARS AGO, by the javascript method 
crypto.generateCRMFRequest, which provides a way to specify the key usages.

Google for generateCRMFRequest and try using that instead of the keygen tag.
Then, if you still cannot generate the keys you need, file a bug against
that javascript method.
Well, it seems that crypto.generateCRMFRequest calls 
PK11_GenerateKeyPair (see also PK11_GenerateKeyPairWithFlags, both in security/nss/lib/pk11wrap/pk11akey.c) at the end of the day. The key templates are defined inside that function, and all templates contain all four PKCS#11 key usages.
This part of NSS should be thought out once more. Unfortunately these functions seem to be exported from the library, so maybe a PK11_GenerateKeyPairWithUsage would do the trick...

I have set up a page to demonstrate the problem at The key algo is rsa-ex there.
The javascript errors:

Error: error:could not generate the key for algorithm rsa-ex
Source File:
Line: 19

Error: uncaught exception: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIDOMCrypto.generateCRMFRequest]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: :: validate :: line 19"  data: no]
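The two comments above (the expected C_GenerateKeyPair template in the bug description, and the observation that NSS's built-in templates carry all four private-key usages) are illustrated by the following added example. It is not code from this bug, from NSS or from Aladdin. It declares only the subset of PKCS#11 types and constants it needs (numeric values taken from the PKCS#11 specification, so no SDK header is required), builds a pPrivateKeyTemplate from a usage mask the way the proposed PK11_GenerateKeyPairWithUsage might, and checks each template against an assumed model of the token rule the reporter describes (signing usages or decryption usages, never both). The usage-mask API, the attribute count limit and the policy model are assumptions for illustration; the real call would hand the built template to C_GenerateKeyPair as pPrivateKeyTemplate/ulPrivateKeyAttributeCount.

```c
#include <stdio.h>
#include <stddef.h>

/* Subset of PKCS#11 (pkcs11.h) types and constants, with the spec's numeric
 * values, so this compiles without a PKCS#11 SDK header. */
typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL;
typedef CK_ULONG      CK_ATTRIBUTE_TYPE;
typedef CK_ULONG      CK_RV;
typedef struct { CK_ATTRIBUTE_TYPE type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;

#define CK_TRUE                   1
#define CKA_TOKEN                 0x001UL
#define CKA_PRIVATE               0x002UL
#define CKA_SENSITIVE             0x103UL
#define CKA_DECRYPT               0x105UL
#define CKA_UNWRAP                0x107UL
#define CKA_SIGN                  0x108UL
#define CKA_SIGN_RECOVER          0x109UL
#define CKR_OK                    0x00UL
#define CKR_TEMPLATE_INCOMPLETE   0xD0UL
#define CKR_TEMPLATE_INCONSISTENT 0xD1UL

static CK_BBOOL ck_true = CK_TRUE;

/* Usage mask for the hypothetical PK11_GenerateKeyPairWithUsage-style API
 * (assumption: NSS has no such function on this branch). */
enum { USAGE_SIGN = 1u << 0, USAGE_DECRYPT = 1u << 1 };
#define MAX_PRIV_ATTRS 8

/* Private-key template with every usage set, as the thread describes NSS's
 * built-in templates: CKA_DECRYPT, CKA_UNWRAP, CKA_SIGN, CKA_SIGN_RECOVER. */
static const CK_ATTRIBUTE nss_all_usages_priv[] = {
    { CKA_TOKEN,        &ck_true, sizeof ck_true },
    { CKA_PRIVATE,      &ck_true, sizeof ck_true },
    { CKA_SENSITIVE,    &ck_true, sizeof ck_true },
    { CKA_DECRYPT,      &ck_true, sizeof ck_true },
    { CKA_UNWRAP,       &ck_true, sizeof ck_true },
    { CKA_SIGN,         &ck_true, sizeof ck_true },
    { CKA_SIGN_RECOVER, &ck_true, sizeof ck_true },
};
#define NSS_ALL_USAGES_N (sizeof nss_all_usages_priv / sizeof nss_all_usages_priv[0])

/* Build the pPrivateKeyTemplate for C_GenerateKeyPair from a usage mask.
 * Returns the attribute count (what ulPrivateKeyAttributeCount would be). */
CK_ULONG build_private_template(unsigned usage, CK_ATTRIBUTE tmpl[MAX_PRIV_ATTRS])
{
    CK_ULONG n = 0;
    tmpl[n++] = (CK_ATTRIBUTE){ CKA_TOKEN,     &ck_true, sizeof ck_true };
    tmpl[n++] = (CK_ATTRIBUTE){ CKA_PRIVATE,   &ck_true, sizeof ck_true };
    tmpl[n++] = (CK_ATTRIBUTE){ CKA_SENSITIVE, &ck_true, sizeof ck_true };
    if (usage & USAGE_SIGN) {
        tmpl[n++] = (CK_ATTRIBUTE){ CKA_SIGN,         &ck_true, sizeof ck_true };
        tmpl[n++] = (CK_ATTRIBUTE){ CKA_SIGN_RECOVER, &ck_true, sizeof ck_true };
    }
    if (usage & USAGE_DECRYPT) {
        tmpl[n++] = (CK_ATTRIBUTE){ CKA_DECRYPT, &ck_true, sizeof ck_true };
        tmpl[n++] = (CK_ATTRIBUTE){ CKA_UNWRAP,  &ck_true, sizeof ck_true };
    }
    return n;
}

/* True if the template carries the boolean attribute `type` set to CK_TRUE. */
static int attr_is_true(const CK_ATTRIBUTE *t, CK_ULONG n, CK_ATTRIBUTE_TYPE type)
{
    for (CK_ULONG i = 0; i < n; i++)
        if (t[i].type == type && t[i].ulValueLen == sizeof(CK_BBOOL)
            && *(const CK_BBOOL *)t[i].pValue == CK_TRUE)
            return 1;
    return 0;
}

/* Assumed model of the token-side rule the reporter hit: a private key may
 * carry signing usages or decryption usages, not both.  A template with
 * neither is treated as incomplete.  This is not Aladdin's code. */
CK_RV token_usage_policy(const CK_ATTRIBUTE *t, CK_ULONG n)
{
    int signs    = attr_is_true(t, n, CKA_SIGN)    || attr_is_true(t, n, CKA_SIGN_RECOVER);
    int decrypts = attr_is_true(t, n, CKA_DECRYPT) || attr_is_true(t, n, CKA_UNWRAP);
    if (signs && decrypts)   return CKR_TEMPLATE_INCONSISTENT;
    if (!signs && !decrypts) return CKR_TEMPLATE_INCOMPLETE;
    return CKR_OK;
}

/* What C_GenerateKeyPair would return for each usage choice under the policy. */
CK_RV generate_with_usage(unsigned usage)
{
    CK_ATTRIBUTE tmpl[MAX_PRIV_ATTRS];
    CK_ULONG n = build_private_template(usage, tmpl);
    return token_usage_policy(tmpl, n);
}

int main(void)
{
    printf("NSS all-usage template: 0x%lx\n", token_usage_policy(nss_all_usages_priv, NSS_ALL_USAGES_N));
    printf("sign only:              0x%lx\n", generate_with_usage(USAGE_SIGN));
    printf("decrypt only:           0x%lx\n", generate_with_usage(USAGE_DECRYPT));
    printf("sign + decrypt:         0x%lx\n", generate_with_usage(USAGE_SIGN | USAGE_DECRYPT));
    return 0;
}
```

The all-usage template is the one that fails under the modelled rule; either single-usage template passes, which is the point the reporter is making: the usage has to be chosen before C_GenerateKeyPair is called, and neither the keygen tag nor the NSS wrapper gives the caller a way to choose it.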
I have several eToken devices, and they all work fine with NSS.
I wonder why they work for me and not for the reporter.
Whiteboard: FIPS
Assignee: nobody → kaie
Component: Libraries → Security: PSM
Product: NSS → Core
QA Contact: libraries → psm
Summary: Key generation with chipcard gives wrong key usage → Cannot specify key usages with KEYGEN tag
Whiteboard: FIPS
Version: unspecified → 1.9.0 Branch
Mass change owner of unconfirmed "Core:Security UI/PSM/SMime" bugs to nobody.
Search for kaie-20100607-unconfirmed-nobody
Assignee: kaie → nobody
Whiteboard: [psm-enroll]
Resources are not being allocated to improve keygen.
Closed: 8 years ago
Resolution: --- → WONTFIX