Nelson B Bolyard wrote:
> [EMAIL PROTECTED] wrote, On 2008-10-13 13:52:
>> I have a crypto library which I connect to a Firefox extension using Xpcom. The library generates custom size public and private key pairs which I would like to store securely in Firefox. How would this be done?
>
> If I'm not mistaken, Firefox stores only a) private keys and b) certificates bearing public keys. It does not store public keys except inside certificates.

This is true except the last statement should read (It does not store public keys except inside a certificate or paired with a private key).

> Typical use is to generate a key pair, then generate a signed PKCS#10 certificate signing request (CSR) which contains the public key, and send that to a CA. Once sent, the public key is forgotten until the certificate is received from the CA, bearing that same public key.

Actually this public key is still 'stored', but is only accessible if the token is logged in (That's because the keys are actually stored in the key database as part of the private key)*. This statement is true of the old databases. The shared database does store public keys as independent entities, and they are accessible without logging in.

From a practical point of view, however, Nelson is correct. NSS does not provide an easy way of referencing any types of bare asymmetric keys without accessing them through a certificate. Firefox itself only ever uses certificates to do asymmetric operations (including extracting public keys or finding corresponding private keys).

* More exact detail. NSS always asks for both keys, when generating them, to be permanent. I believe NSS also imports public keys when importing keys from PKCS #12. Under the covers in softoken, NSS 'accepts' imports of public keys for which the corresponding private key already exists. Whether or not there was an actual import, NSS 'provides' the public key for any private key in the old database. When using the shared database, this underlying trickery is not needed. The shared database will store public keys separately from private keys just like most well written PKCS #11 modules. Firefox, in general, however, does not use these bare keys, but they do exist. No trust is given to these keys, and the ability to reference them is not necessarily coherent (they are usually referenced either by checking for their existence (we already have the public key, we just want to see if the token has it), or by use of the private key (NSS has a function to get the public key from the corresponding private key)).

> Do you have certificates for your public keys?

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
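The footnote above says the old key database keeps the public key "as part of the private key" and that NSS can hand back the public key for any private key it holds (the NSS call for that is SECKEY_ConvertToPublicKey). For RSA this is a property of the key encoding itself, not an NSS trick: a PKCS #1 RSAPrivateKey (RFC 8017, A.1.2) carries the modulus n and public exponent e as its second and third fields, so an RSAPublicKey can be cut straight out of the private key's DER. The following is an added example written for this page, not code from the thread or from NSS; it uses a minimal hand-written DER encoder/decoder and constructed toy-sized primes (10007 and 10009), which are assumptions of the example and far too small for real use.

```python
"""Added example (not NSS code): recover the RSA public key from a PKCS #1
RSAPrivateKey DER blob, which is why a stored private key always implies a
recoverable public key. Stdlib only; toy key sizes only."""
from typing import List, Tuple


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER (tag 0x02) of a non-negative value: minimal big-endian bytes,
    with a leading 0x00 whenever the top bit would otherwise be set."""
    if value < 0:
        raise ValueError("only non-negative integers are encoded here")
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_length(len(body)) + body


def der_sequence(*items: bytes) -> bytes:
    """DER SEQUENCE (tag 0x30) of already-encoded elements."""
    body = b"".join(items)
    return b"\x30" + _der_length(len(body)) + body


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def encode_rsa_private_key(p: int, q: int, e: int) -> bytes:
    """Build a PKCS #1 RSAPrivateKey (version 0) from two primes and a public exponent."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent
    return der_sequence(
        der_integer(0),              # version
        der_integer(n),              # modulus         <- public
        der_integer(e),              # publicExponent  <- public
        der_integer(d),              # privateExponent
        der_integer(p),              # prime1
        der_integer(q),              # prime2
        der_integer(d % (p - 1)),    # exponent1
        der_integer(d % (q - 1)),    # exponent2
        der_integer(pow(q, -1, p)),  # coefficient
    )


def parse_rsa_private_key(private_der: bytes) -> List[int]:
    """Decode an RSAPrivateKey into its list of INTEGER fields, rejecting trailing data."""
    tag, body, end = _read_tlv(private_der, 0)
    if tag != 0x30 or end != len(private_der):
        raise ValueError("not a single DER SEQUENCE")
    fields, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        if t != 0x02:
            raise ValueError("RSAPrivateKey fields must be INTEGERs")
        fields.append(int.from_bytes(v, "big"))
    if len(fields) < 9 or fields[0] != 0:
        raise ValueError("unexpected RSAPrivateKey version or field count")
    return fields


def public_key_from_private(private_der: bytes) -> Tuple[int, int]:
    """Recover (n, e): only the public fields of the private key are read."""
    fields = parse_rsa_private_key(private_der)
    return fields[1], fields[2]


def encode_rsa_public_key(n: int, e: int) -> bytes:
    """PKCS #1 RSAPublicKey: SEQUENCE { modulus, publicExponent }."""
    return der_sequence(der_integer(n), der_integer(e))


def signature_roundtrip(private_der: bytes, message: int) -> bool:
    """Textbook RSA check that the recovered (n, e) really belongs to this private key."""
    n, e = public_key_from_private(private_der)
    d = parse_rsa_private_key(private_der)[3]
    return pow(pow(message, d, n), e, n) == message % n


if __name__ == "__main__":
    priv = encode_rsa_private_key(10007, 10009, 65537)  # constructed toy key
    n, e = public_key_from_private(priv)
    print("recovered n, e:", n, e)
    print("RSAPublicKey DER:", encode_rsa_public_key(n, e).hex())
    print("public key matches private key:", signature_roundtrip(priv, 42))
```

The same idea is what lets a PKCS #11 token or the old NSS key database "provide" a public key it never stored separately: parse the private key object and re-emit the public fields. DSA and EC private keys carry their public point or parameters as well, but the field layout differs, so this parser is RSA-only by design.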