Re: Adding certificates to the nss database
Nelson B wrote: [EMAIL PROTECTED] wrote: I'm having a tricky problem. What I am trying to do is to add an object signing certificate to the NSS database. This can be done using certutil, yes. But this is a xulapp that uses nsINSSCertCache, which I fear is causing problems. You shouldn't be manipulating the cache directly. I'm surprised that it is even possible to do so. Seems like a bug. He's running a xulapp, which has the same privelleges that the browser has. It's very different from java script from a webpage. This is not having the desired effect. The consequence is that the database changes the certificate from 'u,u,u' to ',,,' when doing a certuil -L. Which causes the certificate not to show up, and a host of other problems that can be only solved by deleteing the profile. u,u,u means you have a private key associated with the cert. You will need it import a .p12 file. The only way I have managed to get it to work is by adding my certificate right after creating a certificate request, shutting down my xulapp, relaunching and readding the certificate, shutting down and relaunching again. Obviously, this is not very desirable for my users. I don't know why this particular set of steps fixes it, but it does. Very strange. I'd guess it's due to the direct manipulation of the cache. But that's a guess. Are you issuing the certificate from the cert request? I suspect you need to use an 'Import user cert' call, though importing the cert to the correct 'token' should have caused those bits to be set correctly. NSS does have some 'self-healing' if the user bits do not get set correctly (that, perhaps is why the reboots cause the cert to show up?) BTW is this an RSA or DSA key? bob smime.p7s Description: S/MIME Cryptographic Signature ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Getting public/private keys into/out of NSS
I've spent much of the afternoon delving through the NSS APIs trying to figure out how to achieve my goals. I'm basicaly working on signing and verifying data with public and private keys. I've figured that SGN_SignData and VFY_VerifyData are my friends (or should I be using the PK11_Sign/Verify functions or even what are the sign and verify stuff in security/nss/lib/freebl about?) Anyway basic issue is that I need a SECKEYPublicKey and SECKEYPrivateKey. I can see how to create them in NSS for use, I've also found a technical note which suggests how to bring a public key into NSS, however I don't see anything about serializing/restoring a private key or how to get a created public key out of NSS. Can anyone point me in the right direction? Dave ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Link-fingerprints: weak unless link received securely
Michael Vincent van Rantwijk, MultiZilla wrote: Note that we asked (per e-mail) the top 500 download sites, and most of them prefer to wait and see what Link Fingerprinting is and can do for them, because so far nobody really believes that it will do any good for them, but that it will add extra work, errors and costs them probably an unexpected amount of (extra) money. Two responses: a) Without the raw data, this is just an appeal to authority; and b) then let's implement it, and they can stop wait and see-ing. Gerv ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Link-fingerprints: weak unless link received securely
Nils Maier wrote: Michael Vincent van Rantwijk, MultiZilla schrieb: Note that we asked (per e-mail) the top 500 download sites, and most of them prefer to wait and see what Link Fingerprinting is and can do for them, because so far nobody really believes that it will do any good for them, but that it will add extra work, errors and costs them probably an unexpected amount of (extra) money. Are the results (or a more detailed summary) available somewhere? Nils Not yet... no but it will and when we do you'll be one of the first to know more about it. ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Getting public/private keys into/out of NSS
Dave Townsend wrote: I've spent much of the afternoon delving through the NSS APIs trying to figure out how to achieve my goals. I'm basicaly working on signing and verifying data with public and private keys. I've figured that SGN_SignData and VFY_VerifyData are my friends (or should I be using the PK11_Sign/Verify functions or even what are the sign and verify stuff in security/nss/lib/freebl about?) Anyway basic issue is that I need a SECKEYPublicKey and SECKEYPrivateKey. I can see how to create them in NSS for use, I've also found a technical note which suggests how to bring a public key into NSS, however I don't see anything about serializing/restoring a private key or how to get a created public key out of NSS. Can anyone point me in the right direction? Dave, NSS has a pretty large number of test programs. One of them may already do what you want. If not, they should serve as good sample source for you to figure out what you need. It would help if we knew what you're trying to sign. A Jar/XPI file ? (signtool does that) A mail message ? (cmsutil does that) Other? ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Link-fingerprints: weak unless link received securely
On 7/9/2007 1:07 PM, Gervase Markham wrote: Michael Vincent van Rantwijk, MultiZilla wrote: Hm, and where is this 15% coming from? Just another assumption? It's a conservative estimate of the market share of Firefox. Gerv That implies the assumption that ALL Firefox users would then be using this feature. As I previously indicated, this feature should be optional so that users could still download when there is a hash mismatch. If there is no such option, then you will be enforcing security to a greater degree than is done with SSL and X.509 certificates, which allow a user to continue even with a certificate mismatch. If there is an option, then not all users will use the new feature. By the way, my own two-week survey in May of hits to my eclectic Web pages indicated that more than 26% of the hits were from Firefox users (28.5% were from some type of Gecko engine). W3Schools -- with a somewhat specialized audience that likely skews the results -- indicates a 34% market share for Firefox in June and an overall 35.4% share for the Gecko engine. Thus, even if not all Firefox users use a link-fingerprint capability, it might still have a 15% market penetration. -- David E. Ross http://www.rossde.com/. Anyone who thinks government owns a monopoly on inefficient, obstructive bureaucracy has obviously never worked for a large corporation. © 1997 ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Getting public/private keys into/out of NSS
Robert Relyea wrote: Dave Townsend wrote: Anyway basic issue is that I need a SECKEYPublicKey and SECKEYPrivateKey. I can see how to create them in NSS for use, I've also found a technical note which suggests how to bring a public key into NSS, however I don't see anything about serializing/restoring a private key or how to get a created public key out of NSS. Can anyone point me in the right direction? Hi david, You have 2 options when extracting the public key. The first option is the preferred option : SECKEY_EncodeDERSubjectPublicKeyInfo() It takes a public key and returns a SECitem which is a DER encoded blob that represents that public key, including the public key type. You an reimport such a blob with SECKEY_DecodeDERSubjectPublicKeyInfo() and SECKEY_ExtractPublicKey(); Excellent I think this is just what I needed. Tell me is the form that this comes out in standardised in any way or is it something that is NSS specific? Dave ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Getting public/private keys into/out of NSS
Dave Townsend wrote: Nelson Bolyard wrote: Dave Townsend wrote: I've spent much of the afternoon delving through the NSS APIs trying to figure out how to achieve my goals. I'm basicaly working on signing and verifying data with public and private keys. I've figured that SGN_SignData and VFY_VerifyData are my friends (or should I be using the PK11_Sign/Verify functions or even what are the sign and verify stuff in security/nss/lib/freebl about?) Anyway basic issue is that I need a SECKEYPublicKey and SECKEYPrivateKey. I can see how to create them in NSS for use, I've also found a technical note which suggests how to bring a public key into NSS, however I don't see anything about serializing/restoring a private key or how to get a created public key out of NSS. Can anyone point me in the right direction? Dave, NSS has a pretty large number of test programs. One of them may already do what you want. If not, they should serve as good sample source for you to figure out what you need. It would help if we knew what you're trying to sign. A Jar/XPI file ? (signtool does that) A mail message ? (cmsutil does that) Other? It's actually other. Essentially I'm just looking for signing of some plain text. Though this actually comes out of an rdf datasource. I intend to take the relevant set properties that I need to sign into a text string then sign that and then add the signature into the rdf. I think Robert's response has got me most of the way to what I want, I think the only thing I'm a bit fuzzy on is storing and retrieving the private key in the nss database. However if you have any pointers for sample code that I can take from then that would be very useful. You really only want to store and retrieve the private keys if you you need to transport them (or back them up). Doing the latter needs to be handled carefully, and can be a source of errors in your protocol. A better way to handle it (if you absolutely must use bare keys), is store your private keys as persistant keys. You can use the KeyID and the slot the key is stored in to find the key again (PK11_FindKeyByID to find it PK11_GetLowLevelKeyIDForPrivatekey() to get the KeyID). Usually NSS uses the certificate. There are functions to help you find the most appropriate certificate, and then from that certificate find the private key that is associated with it. bob Dave ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto smime.p7s Description: S/MIME Cryptographic Signature ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto