<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="overflow-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;">
Hi Martin,
<div><br>
</div>
<div>That’s how DH works. Unfortunately, DHKEM does not simply expose DH through a KEM API. Its decapsulation function is defined as [1]:</div>
<div><br>
</div>
<div>
<pre class="lang-pseudocode sourcecode" style="background-color: rgb(249, 249, 249); font-family: "Roboto Mono", monospace; border: 1px solid rgb(238, 238, 238); margin-top: 0.5px; margin-bottom: 0px; padding: 1em; overflow-x: auto; max-width: calc(100% - 22px); font-size: 13.3px; break-before: auto; break-after: auto; line-height: 1.12; color: rgb(34, 34, 34); font-variant-ligatures: normal; orphans: 2; widows: 2; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;">def Decap(enc, skR):
  pkE = DeserializePublicKey(enc)
  dh = DH(skR, pkE)
  pkRm = SerializePublicKey(pk(skR))
  kem_context = concat(enc, pkRm)
  shared_secret = ExtractAndExpand(dh, kem_context)
  return shared_secret</pre>
<div><br>
</div>
<div>Here, the DH output is fed as IKM into an HKDF and the HKDF-Expand info contains its own public key — pk(skR) — as a part.</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Weijun</div>
<div><br>
</div>
<div>[1] <a href="https://www.rfc-editor.org/rfc/rfc9180.html#name-dh-based-kem-dhkem">https://www.rfc-editor.org/rfc/rfc9180.html#name-dh-based-kem-dhkem</a></div>
<div><br>
</div>
<div><br>
<blockquote type="cite">
<div>On Dec 11, 2024, at 09:44, Martin Balao <mbalao@redhat.com> wrote:</div>
<br class="Apple-interchange-newline">
<div>
<div>Hi Weijun,<br>
<br>
I am not familiar with this algorithm but the typical key-exchange APIs let you generate a key pair first and, when you invoke the secret encapsulation mechanism, you use your private key + your counterpart's public key. Do you think this could be the case here?<br>
<br>
Regards,<br>
Martin.-<br>
<br>
<br>
On 12/10/24 00:07, Wei-Jun Wang wrote:<br>
<blockquote type="cite">So are you suggesting there is no such way?<br>
I do notice that in NSS’s own HPKE implementation, the receiver needs to provide both keys [1]:<br>
SECStatus PK11_HPKE_SetupR(HpkeContext *cx, const SECKEYPublicKey *pkR, SECKEYPrivateKey *skR,<br>
const SECItem *enc, const SECItem *info);<br>
Maybe they also don’t have a simple way to get pkR from skR.<br>
Thanks,<br>
Weijun<br>
[1] https://github.com/nss-dev/nss/blob/e2f270997ff9364aebb688f49b7c28698b70f24d/lib/pk11wrap/pk11pub.h#L788<br>
<blockquote type="cite">On Dec 9, 2024, at 21:27, Francisco Ferrari Bihurriet <fferrari@redhat.com> wrote:<br>
<br>
Hi Wei-Jun,<br>
<br>
As far as I know, public and private keys are different PKCS#11 objects,<br>
each one with a different CK_OBJECT_HANDLE. See for example how<br>
C_GenerateKeyPair [1] has two output parameters: CK_OBJECT_HANDLE_PTR<br>
phPublicKey and CK_OBJECT_HANDLE_PTR phPrivateKey.<br>
<br>
NSS uses CKA_PUBLIC_KEY_INFO only when wrapping [2] / unwrapping [3]<br>
(C_WrapKey / C_UnwrapKey) RSA-PSS keys (where it stores an ASN1-encoded<br>
SubjectPublicKeyInfo with the algorithm OID and the DER encoding of the<br>
public key).<br>
<br>
Here [4] is how SunPKCS11 proceeds after calling C_GenerateKeyPair, by<br>
creating two P11Key objects for each handle (P11PublicKey and<br>
P11PrivateKey).<br>
<br>
[1] https://docs.oasis-open.org/pkcs11/pkcs11-base/v3.0/pkcs11-base-v3.0.html#_Toc29976704<br>
[2] https://github.com/nss-dev/nss/blob/NSS_3_101_RTM/lib/softoken/pkcs11c.c#L6038-L6039<br>
[3] https://github.com/nss-dev/nss/blob/NSS_3_101_RTM/lib/softoken/pkcs11c.c#L6604-L6605<br>
[4] https://github.com/openjdk/jdk/blob/jdk-25+1/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyPairGenerator.java#L424-L431<br>
<br>
Regards,<br>
--<br>
Francisco<br>
<br>
On 12/10/24 01:43, Wei-Jun Wang wrote:<br>
<blockquote type="cite">Daniel suggested CKA_PUBLIC_KEY_INFO but it’s not available in NSS 3.101.<br>
<br>
<blockquote type="cite">On Dec 9, 2024, at 08:07, Wei-Jun Wang <weijun.wang@oracle.com> wrote:<br>
<br>
Hi PKCS #11 gurus,<br>
<br>
DHKEM [1] requires a function<br>
<br>
pk(skX): The KEM public key corresponding to the KEM private key skX.<br>
<br>
"The notation pk(skX), depending on its use and the KEM and its<br>
implementation, is either the computation of the public key using the<br>
private key, or just syntax expressing the retrieval of the public<br>
key, assuming it is stored along with the private key object."<br>
<br>
For the software side, I can calculate the public key [2] from the<br>
private key. How can I do this in PKCS #11?<br>
<br>
Thanks,<br>
Weijun<br>
<br>
[1] https://www.rfc-editor.org/rfc/rfc9180.html#name-notation<br>
[2] https://github.com/openjdk/jdk/blob/adca97b659d725b0dd320322297dcbd1b443a047/src/java.base/share/classes/sun/security/ec/ECPrivateKeyImpl.java#L209<br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
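<div>Added example, not part of the original thread and not JDK or NSS code: a Python rendering of the RFC 9180 Decap quoted at the top of this message for DHKEM(X25519, HKDF-SHA256), showing that the shared secret depends on pk(skR) as well as on the DH output. The pure-Python x25519 stands in for a real library and is not constant time; the function names and the optional pk_r parameter of decap are assumptions of this example.</div>

```python
import hashlib, hmac, os

P, A24 = 2**255 - 19, 121665
BASE = (9).to_bytes(32, "little")                  # X25519 base point u = 9
SUITE_ID = b"KEM" + (0x0020).to_bytes(2, "big")    # DHKEM(X25519, HKDF-SHA256)

def x25519(k, u):
    """RFC 7748 Montgomery ladder (illustration only, not constant time)."""
    k = (int.from_bytes(k, "little") & ~7 & ~(1 << 255)) | (1 << 254)  # clamp
    x1 = int.from_bytes(u, "little") % 2**255
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def extract_and_expand(dh, kem_context):
    """RFC 9180 ExtractAndExpand; Nsecret = 32, so HKDF-Expand is one block."""
    prk = hmac.new(b"", b"HPKE-v1" + SUITE_ID + b"eae_prk" + dh, hashlib.sha256).digest()
    info = (32).to_bytes(2, "big") + b"HPKE-v1" + SUITE_ID + b"shared_secret" + kem_context
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()

def pk(sk):
    return x25519(sk, BASE)          # software path: compute pk(skX) from skX

def encap(pk_r, sk_e=None):
    sk_e = sk_e or os.urandom(32)    # ephemeral key; fixed only for testing
    enc = pk(sk_e)
    return extract_and_expand(x25519(sk_e, pk_r), enc + pk_r), enc

def decap(enc, sk_r, pk_r=None):
    # pk_r=None takes the software path. With a non-extractable token key only
    # the DH step can run on the token, so the caller must pass the stored pk_r.
    dh = x25519(sk_r, enc)
    pk_rm = pk(sk_r) if pk_r is None else pk_r
    return extract_and_expand(dh, enc + pk_rm)
```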
</body>
</html>