Unable to encrypt text longer than a certain number of characters?

[deepakinseattle]

Hello, I'm just getting started using your gem (thanks, btw!). I was trying out a few things, but unfortunately I'm running into an error, one I can reproduce pretty easily by adding to the existing TestPkcs11Crypt class. When attempting to encrypt text greater than a certain length, encryption fails with :

 test_endecrypt_long(TestPkcs11Crypt):
PKCS11::CKR_DEVICE_ERROR: 48
    ./lib/pkcs11/session.rb:268:in `C_Encrypt'
    ./lib/pkcs11/session.rb:268:in `C_Encrypt'
    ./lib/pkcs11/session.rb:221:in `send'
    ./lib/pkcs11/session.rb:221:in `common_crypt'
    ./lib/pkcs11/session.rb:319:in `encrypt'
    ./test/test_pkcs11_crypt.rb:57:in `test_endecrypt_long'

This is based on a recent git clone of master. I encounter the same error using the published version of the gem, but interestingly, the length of text that triggers a failure is different between the two. Using the latest code from master, the failure begins to happen when the text length is greater than 84. Using the gem, the failure begins to happen when the text length is greater than 116. Odd, right?

diff --git a/test/test_pkcs11_crypt.rb b/test/test_pkcs11_crypt.rb
index b066540..1bd16f0 100644
--- a/test/test_pkcs11_crypt.rb
+++ b/test/test_pkcs11_crypt.rb
@@ -52,6 +52,16 @@ class TestPkcs11Crypt < Test::Unit::TestCase
     assert_equal plaintext1, plaintext2, 'Decrypted plaintext should be the same'
   end

+  def test_endecrypt
+    long_text = "Well, Prince, so Genoa and Lucca are now just family estates of the Buonapartes. But I warn you, if you don't tell me that this means war, if you still try to defend the infamies and horrors perpetrated by that Antichrist- I really believe he is Antichrist- I will have nothing more to do with you and you are no longer my friend, no longer my 'faithful slave,' as you call yourself! But how do you do? I see I have frightened you- sit down and tell me all the news."
+    cryptogram = session.encrypt( :RSA_PKCS, rsa_pub_key, long_text)
+    assert cryptogram.length>10, 'The cryptogram should contain some data'
+    assert_not_equal cryptogram, long_text, 'The cryptogram should be different to plaintext'
+    
+    long_text_decrypt = session.decrypt( :RSA_PKCS, rsa_priv_key, cryptogram)
+    assert_equal long_text, long_text_decrypt, 'Decrypted plaintext should be the same'
+  end
+
   def test_sign_verify
     plaintext = "important text"
     signature = session.sign( :SHA1_RSA_PKCS, rsa_priv_key, plaintext)

System Information :

 initialized with the version of libsoftokn3.so bundled with FF 3.6.11
 $ ruby -v
 ruby 1.8.7 (2010-01-10 patchlevel 249) [x86_64-linux]
 $ gem list --local | grep pkcs
 pkcs11 (0.1.0)         

Let me know if you have any additional questions/clarifications.

Thanks!

[larskanis]

Thanks for the report!

This is quite normal, as you use a RSA key. The maximum encryption size you may use depends on the size of the key (see PKCS#1). 84 byte is for a 768 bit RSA key. 116 byte seems to be on a 1024 bit key. The test nss database that comes with the gem, stores a 768 bit key, which is used in test_endecrypt().

You may use a symmetric (DES or AES) algorithm or a hybrid (RSA for a session key and AES for the message) to encrypt longer messages.

[deepakinseattle]

Of course, Lars! I had completely spaced on that. Thanks for the clarification.

Also, I've noticed a number of commits from you recently, when do you think you'll be releasing a newer version of the gem?

Thanks!

[larskanis]

So far, the library is already in a good shape, I think. What I want to finish before 0.2 is a complete yard-documentation of all structs, methods and constants. Althought I use the library in commercial projects, most of the work is done in my spare time. So there is no fixed plan. I guess in 1 or 2 months.

Is there something you're awaiting in particular?