NSS Sample Code 6: Persistent Symmetric Keys in NSS database
/* Example code to illustrate generation of a secret symmetric key ring
* that PERSISTS in the NSS database. The symmetric keys can then be used
* without ever exposing them in the clear.
*
* To encrypt, you need the id of the key to use.
* To decrypt, you need the ciphertext and the id of the key that was used
* to encrypt
*
* Before running this example, create the NSS database
* certutil -N -d .
* (enter "test" when prompted for password)
*/
#include "nss.h"
#include "pk11pub.h"
/* the key id can be any sequence of bytes. this example happens to use an
* integer */
void genkey(int id);
/* this callback is responsible for returning the password to the NSS
* key database. for example purposes, this function hardcodes the password.
* In a real app, this function should obtain the password using secure means
* such as prompting an operator, or retrieving it over a secure communication
* channel
*/
char *passwdcb(PK11SlotInfo *info, PRBool retry, void *arg);
int main(int argc, char **argv)
{
SECStatus rv;
/* Initialize NSS */
PK11_SetPasswordFunc(passwdcb);
/* The NSS db must be initialized read-write since we'll be creating
* keys in it. Once keys are generated, it can be opened without read-write
* subsequently (NSS_Init).
*/
rv = NSS_InitReadWrite(".");
if (rv != SECSuccess)
{
fprintf(stderr, "NSS initialization failed (err %d)\n",
PR_GetError());
exit(1);
}
/* generate a key with id 1. should succeed on first run on a fresh db,
* should fail on successive runs because key with that id already exists */
genkey(1);
/* generate a key with id 2. should succeed on first run on a fresh db,
* should fail on successive runs because key with that id already exists */
genkey(2);
/* generate a key with id 1 - this will fail because key with that id
* already exists */
genkey(1);
}
void genkey(int id)
{
PK11SlotInfo* slot = NULL;
PK11SymKey* key = NULL;
SECItem keyiditem;
int keyid[1];
CK_MECHANISM_TYPE cipherMech;
/* using CKM_AES_CBC_PAD mechanism for example */
cipherMech = CKM_AES_CBC_PAD;
slot = PK11_GetInternalKeySlot();
/* slot = PK11_GetBestSlot(cipherMech, NULL); didn't work.
* Error code: token is read-only. ??
*/
if (slot == NULL)
{
fprintf(stderr, "Unable to find security device (err %d)\n",
PR_GetError());
return;
}
keyid[0] = id;
keyiditem.type = siBuffer;
keyiditem.data = (void *)keyid;
keyiditem.len = sizeof(keyid[0]);
/* Note: keysize must be 0 for fixed key-length algorithms like DES.
* Since we're using AES in this example, we're specifying
* one of the valid keysizes (16, 24, 32)
*/
key = PK11_TokenKeyGen(slot, cipherMech, 0, 32 /*keysize*/,
&keyiditem, PR_TRUE, 0);
if (key == NULL)
{
fprintf(stderr, "PK11_TokenKeyGen failed (err %d)\n",
PR_GetError());
PK11_FreeSlot(slot);
return;
}
fprintf(stderr, "key length of generated key is %d\n",
PK11_GetKeyLength(key));
fprintf(stderr, "mechanism of key is %d (asked for %d)\n",
PK11_GetMechanism(key), cipherMech);
PK11_FreeSymKey(key);
key = PK11_FindFixedKey(slot, cipherMech, &keyiditem, 0);
if (key == NULL)
{
fprintf(stderr, "PK11_FindFixedKey failed (err %d)\n",
PR_GetError());
PK11_FreeSlot(slot);
return;
}
fprintf(stderr, "Found key!\n");
fprintf(stderr, "key length of generated key is %d\n",
PK11_GetKeyLength(key));
fprintf(stderr, "mechanism of key is %d (asked for %d)\n",
PK11_GetMechanism(key), cipherMech);
PK11_FreeSymKey(key);
PK11_FreeSlot(slot);
}
char *passwdcb(PK11SlotInfo *info, PRBool retry, void *arg)
{
if (!retry)
return PL_strdup("test");
else
return NULL;
}
