PK11_Derive CKM_CONCATENATE_BASE_AND_KEY fails when KEY is from CKM_ECDH1_DERIVE

Andrew Cagney
I'm trying to understand why the PK11_Derive call:

    CK_OBJECT_HANDLE key_handle = PK11_GetSymKeyHandle(key);
    SECItem key_param = {
        .data = (unsigned char *)&key_handle,
        .len = sizeof(key_handle)
    };
    CK_ATTRIBUTE_TYPE operation = CKA_DERIVE;
    int key_size = 0;
    PK11SymKey *result = PK11_Derive(base_key,
                                     CKM_CONCATENATE_BASE_AND_KEY,
                                     &key_param,
                                     CKM_MD5_KEY_DERIVATION,
                                     operation, key_size);

works when "key" came from CKM_DH_PKCS_DERIVE but fails when the key
came from (CKM_ECDH1_DERIVE,CKD_NULL).  Debugging suggests that the
operation is rejected in lib/softoken/pkcs11c.c by the code:

            att2 = sftk_FindAttribute(newKey, CKA_VALUE);
            if (att2 == NULL) {
                sftk_FreeObject(newKey);
                crv = CKR_KEY_HANDLE_INVALID;
                break;
            }

I've found that a work-around is to first do CKM_EXTRACT_KEY_FROM_KEY and then
use that :-/

Is this expected?  And is there a clean way to detect a key like ECDH
that will cause problems?

Andrew
--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
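As an added illustration, not code from this thread or from NSS: a stand-alone C model of what CKM_CONCATENATE_BASE_AND_KEY computes (base value followed by the other key's value, with a requested length of 0 meaning the full concatenation) and of where the CKA_VALUE check quoted from lib/softoken/pkcs11c.c sits in that flow. The ModelSymKey struct, the function names, the constructed sample key bytes and the choice of CKR_KEY_SIZE_RANGE and CKR_BUFFER_TOO_SMALL for the length errors are assumptions of this model; only the CKR_* numeric values are taken from PKCS#11. Why a particular ECDH-derived object lacks a readable CKA_VALUE is not modelled here, since the thread does not establish it.

```c
/* Constructed model of CKM_CONCATENATE_BASE_AND_KEY; not NSS softoken code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Return codes as numbered in PKCS#11. */
#define CKR_OK                 0x00000000UL
#define CKR_KEY_HANDLE_INVALID 0x00000060UL
#define CKR_KEY_SIZE_RANGE     0x00000062UL
#define CKR_BUFFER_TOO_SMALL   0x00000150UL

/* Model of a secret key object: its CKA_VALUE bytes, or NULL when the object
 * carries no value attribute that a lookup such as sftk_FindAttribute would find. */
typedef struct {
    const uint8_t *value;
    size_t len;
} ModelSymKey;

/* Derive base || key into out. requested_len == 0 means "full length";
 * a shorter length keeps the leading bytes of the concatenation. */
unsigned long model_concatenate_base_and_key(const ModelSymKey *base,
                                             const ModelSymKey *key,
                                             size_t requested_len,
                                             uint8_t *out, size_t out_cap,
                                             size_t *out_len)
{
    *out_len = 0;
    /* The check the thread quotes: no CKA_VALUE on the second key object
     * means the mechanism refuses the handle rather than deriving. */
    if (base->value == NULL || key->value == NULL)
        return CKR_KEY_HANDLE_INVALID;

    size_t total = base->len + key->len;
    if (requested_len == 0)
        requested_len = total;
    if (requested_len > total)
        return CKR_KEY_SIZE_RANGE;      /* model choice for "asked for more than exists" */
    if (requested_len > out_cap)
        return CKR_BUFFER_TOO_SMALL;

    /* Leading bytes come from the base key first, then from the other key. */
    size_t from_base = requested_len < base->len ? requested_len : base->len;
    memcpy(out, base->value, from_base);
    memcpy(out + from_base, key->value, requested_len - from_base);
    *out_len = requested_len;
    return CKR_OK;
}

/* Constructed sample material standing in for two 4-byte derived secrets. */
static const uint8_t SAMPLE_BASE[] = { 0xA1, 0xA2, 0xA3, 0xA4 };
static const uint8_t SAMPLE_KEY[]  = { 0xB1, 0xB2, 0xB3, 0xB4 };

/* Run one scenario: key_has_value selects whether the second key object
 * exposes a CKA_VALUE. Returns the CKR_* code; stores the derived length. */
unsigned long scenario(int key_has_value, size_t requested_len,
                       uint8_t *out, size_t out_cap, size_t *out_len)
{
    ModelSymKey base = { SAMPLE_BASE, sizeof SAMPLE_BASE };
    ModelSymKey key  = { key_has_value ? SAMPLE_KEY : NULL, sizeof SAMPLE_KEY };
    return model_concatenate_base_and_key(&base, &key, requested_len,
                                          out, out_cap, out_len);
}

unsigned long scenario_rc(int key_has_value, size_t requested_len)
{
    uint8_t out[16]; size_t n;
    return scenario(key_has_value, requested_len, out, sizeof out, &n);
}

size_t scenario_len(int key_has_value, size_t requested_len)
{
    uint8_t out[16]; size_t n;
    scenario(key_has_value, requested_len, out, sizeof out, &n);
    return n;
}

/* 1 if the derived bytes are the leading requested_len bytes of A1..A4 B1..B4. */
int scenario_bytes_ok(size_t requested_len)
{
    static const uint8_t expect[] = { 0xA1, 0xA2, 0xA3, 0xA4, 0xB1, 0xB2, 0xB3, 0xB4 };
    uint8_t out[16]; size_t n;
    if (scenario(1, requested_len, out, sizeof out, &n) != CKR_OK)
        return 0;
    size_t want = requested_len == 0 ? sizeof expect : requested_len;
    return n == want && memcmp(out, expect, n) == 0;
}

int main(void)
{
    uint8_t out[16]; size_t n;
    unsigned long rc = scenario(1, 0, out, sizeof out, &n);
    printf("full concatenation: rc=0x%lx len=%zu\n", rc, n);
    rc = scenario(0, 0, out, sizeof out, &n);
    printf("second key without CKA_VALUE: rc=0x%lx\n", rc);
    return 0;
}
```

The model makes the two points the thread turns on concrete: with key_size 0, PK11_Derive asks for the whole base || key concatenation, and the mechanism never gets that far when the second key object has no CKA_VALUE to read, which is the CKR_KEY_HANDLE_INVALID path quoted above. The work-around in the post substitutes a key produced by CKM_EXTRACT_KEY_FROM_KEY for the second operand, so a defender checking this path in their own code can treat CKR_KEY_HANDLE_INVALID from a concatenate derive as "the second operand's value is not readable by the token" rather than as a bad handle.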