[prev in list] [next in list] [prev in thread] [next in thread] 

List:       mozilla-crypto
Subject:    Re: PKCS #11 RSA signature question...
From:       Robert Relyea <relyea () netscape ! com>
Date:       2001-03-20 17:21:57
[Download RAW message or body]

> 
> I have written a PKCS#11 software implementation, and I am trying to
> generate a certification request from Netscape. From the logs I see some
> sequence of events:  the key pair is generated, then the public key modulus
> is read, and when time comes for signature to be calculated, I see a Decrypt
> operation with CKM_RSA_PKCS Mechanism, and data which does not look like
> padded DigestInfo (it looks quite random to me). Can you give me a hint what
> that data is, please!

Ah, what you are seeing is the key verification step of key generation. 
You should see a Decrypt and a Sign operation against the private key. 
The data is an RSA encrypted PKCS #1 block in which a test string has 
been crypted (I believe the string is "Mozilla Rules").

These tests are to verify that the public key and private key are truly 
pairs (that no math hiccup happened in the keygen). It was added for 
FIPs reasons, but it's good key hygiene anyway, so we do the key 
verification on all keys in all modes.

You can see the code that is making these calls in 
mozilla/security/nss/lib/pk11wrap/pk11skey.c

bob

[prev in list] [next in list] [prev in thread] [next in thread]