Thanks for the reply and thanks for the information, but is there a way to
access the NSS (shared) database with OpenSSL in C++? The code you told me
about is using the binary files. So first I want a solution for accessing it in
C++ code. Is it possible in an (easy) way?

2016-11-03 1:37 GMT+01:00 David Woodhouse <dw...@infradead.org>:

> On Wed, 2016-11-02 at 16:57 -0700, Opa114 wrote:
> > Is it possible to access (read & write) the NSS (shared) database
> > (cert8.db & cert9.db) with OpenSSL? I mainly use OpenSSL, but now I
> > need access to the NSS databases and I don't want to use both
> > libraries - NSS and OpenSSL - at the same time.
> >
> > So is it possible and if yes how?
>
> You can use keys from the NSS database, fairly easily...
>
>  $ cat ~/.config/pkcs11/modules/nss.module
> # Load the NSS libsoftokn.so.3 PKCS#11 library as a module. Note that we pass
> # some custom non-standard initialization arguments, as NSS expects.
> module: /lib64/libsoftokn3.so
> x-init-reserved: configdir='sql:/home/dwmw2/.pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db'
>  $ p11tool --list-token-urls | grep NSS
> pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20Generic%20Crypto%20Services
> pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20Certificate%20DB
>  $ openssl pkeyutl -sign -engine pkcs11 -keyform engine -inkey 'pkcs11:token=NSS%20Certificate%20DB;object=dwmw2%40infradead.org%27s%20StartCom%20Ltd.%20ID' -in foo -out bar
> engine "pkcs11" set.
> Missing CKA_ALWAYS_AUTHENTICATE attribute
>
> That's on a modern Linux system; in some legacy cases you might need to
> mess with the OpenSSL PKCS#11 engine quite a lot to tell it which
> module to load — and if you do load libsoftokn.so directly instead of
> through p11-kit, I'm not sure the OpenSSL engine will let you set the
> standard-violating pReserved field in the module init args. But
> basically, yes. You can do that much at least from OpenSSL.
>
> You can read certificates too, but via a special engine command so it
> doesn't work for example on the 'openssl s_client -cert ...' command
> line.
>
> If you want to *write*, as you said, then you're going to need to use
> libp11 rather than the engine: https://github.com/OpenSC/libp11/
>
> --
> dwmw2
>
>
>
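The procedure in the quoted reply (register libsoftokn3 with p11-kit, address the key by PKCS#11 URI, sign through the OpenSSL pkcs11 engine), collected into one script as an added example. It is not code from the thread or from the NSS, p11-kit or libp11 projects. It assumes the same layout as the reply (libsoftokn3.so in /lib64, an SQLite-format database under ~/.pki/nssdb, libp11's engine_pkcs11 installed) and that p11tool is recent enough to have --export-pubkey; the verify step, the NSS_DEMO switch and the function names are this example's own. The label percent-encoding follows RFC 7512 and reproduces the exact strings p11tool printed above, so a label typed with spaces, @ or ' lands on the right object instead of failing to match.

```shell
#!/bin/sh
# Added example, not from the original thread: drive the NSS soft token from
# OpenSSL via p11-kit. Assumptions: libsoftokn3.so in /lib64, cert9.db (SQLite)
# database layout, libp11's engine_pkcs11 and a p11tool with --export-pubkey.

# Percent-encode one PKCS#11 URI component (RFC 7512). Every byte outside the
# RFC 3986 unreserved set [A-Za-z0-9._~-] becomes %XX; this is exactly how
# p11tool prints "NSS Certificate DB" as "NSS%20Certificate%20DB".
pkcs11_uri_escape() {
    _hex=$(printf '%s' "$1" | od -An -v -tx1 | tr '\n' ' ')
    _out=""
    for _h in $_hex; do
        _ch=$(printf "\\$(printf '%03o' "0x$_h")")
        case "$_ch" in
            [A-Za-z0-9._~-]) _out="$_out$_ch" ;;
            *) _out="$_out%$(printf '%s' "$_h" | tr 'a-f' 'A-F')" ;;
        esac
    done
    printf '%s' "$_out"
}

# Build the key URI engine_pkcs11 resolves, from the raw (unescaped) token and
# object labels.
nss_key_uri() {
    printf 'pkcs11:token=%s;object=%s' \
        "$(pkcs11_uri_escape "$1")" "$(pkcs11_uri_escape "$2")"
}

# Register libsoftokn3 with p11-kit. The non-standard x-init-reserved line is
# the NSS-specific pReserved init string; "sql:" selects the cert9.db/key4.db
# layout, a legacy cert8.db/key3.db directory would take "dbm:" instead.
write_nss_module() {
    _file=$1
    _nssdb=$2
    mkdir -p "$(dirname "$_file")"
    cat > "$_file" <<EOF
# Load the NSS libsoftokn.so.3 PKCS#11 library as a module. Note that we pass
# some custom non-standard initialization arguments, as NSS expects.
module: /lib64/libsoftokn3.so
x-init-reserved: configdir='sql:$_nssdb' certPrefix='' keyPrefix='' secmod='secmod.db'
EOF
}

# Sign $3 into $4 with a private key that stays inside the NSS key DB.
# Judge success by the exit status: engine_pkcs11 prints informational lines
# such as "Missing CKA_ALWAYS_AUTHENTICATE attribute" even when signing works.
nss_sign() {
    openssl pkeyutl -sign -engine pkcs11 -keyform engine \
        -inkey "$(nss_key_uri "$1" "$2")" -in "$3" -out "$4"
}

# Verify $4 over $3 with the public half of the same object, exported through
# p11tool, so a label that matched the wrong key is caught immediately.
nss_verify() {
    _pub=$(mktemp)
    p11tool --export-pubkey "$(nss_key_uri "$1" "$2")" --outfile "$_pub" &&
        openssl pkeyutl -verify -pubin -inkey "$_pub" -in "$3" -sigfile "$4"
    _rc=$?
    rm -f "$_pub"
    return $_rc
}

# Usage (needs a real NSS DB and the engine, so it is off by default):
#   NSS_DEMO=1 ./nss_via_openssl.sh "NSS Certificate DB" "my key label" foo bar
if [ -n "${NSS_DEMO:-}" ]; then
    write_nss_module "$HOME/.config/pkcs11/modules/nss.module" "$HOME/.pki/nssdb"
    p11tool --list-token-urls | grep NSS
    nss_sign "$1" "$2" "$3" "$4" && nss_verify "$1" "$2" "$3" "$4"
fi
```

Reading certificates stays a separate concern, as the reply says: engine_pkcs11 hands them out only through its LOAD_CERT_CTRL engine command, which is why the script exports the public key with p11tool rather than passing a URI to openssl x509. Writing into the database is not covered at all here; for that the reply's pointer to libp11 stands.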
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
