Re: Accessing Firefox keystore
In the Secmod.java it checks the version of NSS:

    private void fetchVersions() {
        supported = nssVersionCheck(nssHandle, "3.7");
    }

But the NSS version I copied from the Mozilla folder has version 3.17.2.0. But this error message seems to be that there are problems with the version.

-- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: best practices - python-nss to serialize PEM
On Wednesday, January 14, 2015 at 2:36:45 PM UTC-5, Robert Daniels wrote:
> On Wednesday, January 14, 2015 at 11:27:50 AM UTC-5, John Dennis wrote:
>> On 01/14/2015 09:58 AM, Robert Daniels wrote:
>>> Trying as you suggested today, but ran into some other thing which is puzzling. When I call cert = find_cert_from_nickname(nn, pwd) I successfully pull the server cert. I then call find_key_by_any_cert(cert, certpassword) and I get an object back (nss.nss.PrivateKey). So, presumably the PK exists for the cert. However, after calling pkcx12_data = nss.pkcs12_export(nn, pwd) it throws an exception with "Private Key could not be located and exported". So confused as to why I can get a PrivateKey object, but not export it with the cert.
>>
>> Does it work using pk12util?
>>
>> -- John
>
> Using pk12util as:
>
>     pk12util -n <server cert nickname> -d sql:<nssdb dir> -o newfile.p12
>
> I observe that the private key, server certs and CA chain are included in the p12 file.

Make that server cert singular.
Re: best practices - python-nss to serialize PEM
On Wednesday, January 14, 2015 at 11:27:50 AM UTC-5, John Dennis wrote:
> On 01/14/2015 09:58 AM, Robert Daniels wrote:
>> Trying as you suggested today, but ran into some other thing which is puzzling. When I call cert = find_cert_from_nickname(nn, pwd) I successfully pull the server cert. I then call find_key_by_any_cert(cert, certpassword) and I get an object back (nss.nss.PrivateKey). So, presumably the PK exists for the cert. However, after calling pkcx12_data = nss.pkcs12_export(nn, pwd) it throws an exception with "Private Key could not be located and exported". So confused as to why I can get a PrivateKey object, but not export it with the cert.
>
> Does it work using pk12util?
>
> -- John

Using pk12util as:

    pk12util -n <server cert nickname> -d sql:<nssdb dir> -o newfile.p12

I observe that the private key, server certs and CA chain are included in the p12 file.
Re: best practices - python-nss to serialize PEM
John,

Some additional observations. If I debug with a breakpoint over the password callback, it's never called when invoking pkcs12_export; however it is invoked when calling find_key_by_any_cert.

I also notice 2 flavors of the callbacks for password, one taking 2 parameters and the other 3, which is confusing. find_key_by_any_cert only works with the 3-parameter flavor. I used a 2-param callback as was given in the sample code for test_pkcs12.py:

    cb1(slot, retry, password)
    cb2(slot, retry)

- Robert
Re: Using JSS SSLSocket and SSLServerSocket TLS 1.1 and 1.2
My bad, I wasn't clear (I think) that I'm talking about server side code, not client, i.e. essentially a Java based web server with the SSL socket handled by JSS. So at this point all I have is SSLSocket.enableDefaultCipher(SSLSocket.) and socket.enableTLS(true), socket.disableSSLv3(true) type stuff. I can't seem to see any way other than these methods to control protocols.

Sincerely

On Tuesday, 13 January 2015 13:14:05 UTC-5, helpcrypto helpcrypto wrote:
> On Mon, Jan 12, 2015 at 11:10 PM, deepr...@gmail.com wrote:
>> Folks, Sorry for the totally newbie question but I've hunted high and low. I am supporting some Java code that uses JSS4, NSS to provide SSL server side services. In response to POODLE I've been looking at this code and was able to enable TLS explicitly and disable SSL to mitigate that in its most basic form. However I was hoping to be able to add at least TLS 1.1 if not 1.2 support.
>
> Java 8 enabled by default TLS 1.1 and TLS 1.2 on Java's control panel. This raised some problems with the protocol negotiation with our legacy OAS servers. Seems Oracle didn't honor cypherHonors :P
>
>> I cannot find how this is done or if possible. I've built the latest NSS code base which seemingly supports these protocols, and built JSS around it but can't seem to get a TLS 1.1/1.2 connection. The JSS source code also doesn't show any of the SHA256 ciphers etc that imply TLS 1.2.. so I've come to the conclusion that I cannot use JSS to execute TLS 1.1/1.2 server side connections.
>
> Probably I'm confused but you could try:
> - disabling everything but TLS1.1/1.2 and see if that works
> - protocols are supported but not used, or are not supported at all
> - using -Djdk.tls.client.protocols=TLSv1,...
> - create a custom sslFactory and enjoy
Re: best practices - python-nss to serialize PEM
On 01/14/2015 02:59 PM, Robert Daniels wrote:
> John,
>
> Some additional observations. If I debug with a breakpoint over the password callback, it's never called when invoking pkcs12_export; however it is invoked when calling find_key_by_any_cert.

Hmmm ... that seems odd. It's NSS that decides if it needs to acquire a password in order to perform an operation. So I guess there are two possibilities here: either NSS never invoked the password callback or the python binding somehow failed to invoke the callback you set. However I would expect if that were the case you would get a subsequent error about not having permission to access the key.

What version of python-nss are you using?

> I also notice 2 flavors of the callbacks for password, one taking 2 parameters and the other 3, which is confusing. find_key_by_any_cert only works with the 3-parameter flavor. I used a 2-param callback as was given in the sample code for test_pkcs12.py:
>
>     cb1(slot, retry, password)
>     cb2(slot, retry)

FYI The API docs for python-nss are here:

https://mozilla.github.io/python-nss-docs/

Specifically the doc for setting the password callback is here:

https://mozilla.github.io/python-nss-docs/nss.nss-module.html#set_password_callback

which says:

    The callback has the signature:
    password_callback(slot, retry, [user_data1, ...]) -> string or None

I think the reason you're confused is that the callback takes 2 required parameters (slot, retry); all other parameters are optional. You decide what you need to pass to the callback. In traditional C or Java code such callbacks usually have 1 user data parameter; if you only need to pass one value you pass that in the user data parameter, if you need 2 or more values you're forced to pass a complex structure. But because Python has a more relaxed calling convention it's easy to support the equivalent of varargs (variable arguments), so all you have to do is make sure your callback and what you pass have the same signature. If you pass 3 args make sure the callback accepts 3 args, etc.

As for why pkcs12 is not working for you I can't say. There were bug fixes along the way, hence why I'm wondering about the version. I do know other projects are using the pkcs12 functionality; that combined with the unit test suggests it works in the cases we know about. If you're still stuck it might come down to sharing your db with me and allowing me to run it under the debugger. However, I'm real busy at the moment and I'm not sure I can take the time out, but if I can I'll try to help.

-- John
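The signature rule John describes, as an added example that is not python-nss code: a registration check that catches the 2-vs-3 parameter mismatch before NSS ever calls back, and a callback that returns None on retry so NSS stops re-prompting with a password that already failed. `invoke_like_binding` is an assumed stand-in for how the binding calls your callback (slot, retry, then your user-data values in order); it does not touch NSS.

```python
"""Password-callback conventions for python-nss, modelled without the nss module.
Assumption: the binding calls callback(slot, retry, *user_data), matching the
documented signature password_callback(slot, retry, [user_data1, ...])."""
import inspect


def register_password_callback(callback, *user_data):
    """Check that `callback` can be invoked as callback(slot, retry, *user_data)
    before handing it to NSS, so a 2-arg callback registered with one user-data
    value fails here instead of deep inside a key lookup or a PKCS#12 export."""
    try:
        inspect.signature(callback).bind("slot", False, *user_data)
    except TypeError as exc:
        name = getattr(callback, "__name__", repr(callback))
        raise TypeError(
            f"{name} must accept (slot, retry) plus {len(user_data)} user-data "
            f"argument(s): {exc}"
        ) from None
    return (callback, user_data)


def signature_matches(callback, *user_data):
    """Boolean form of the check above, handy in a test or a startup self-check."""
    try:
        register_password_callback(callback, *user_data)
        return True
    except TypeError:
        return False


def invoke_like_binding(registration, slot, retry):
    """Stand-in (assumed) for NSS asking for the token password: the binding
    passes slot and retry first, then every user-data value you registered."""
    callback, user_data = registration
    return callback(slot, retry, *user_data)


def pin_callback(slot, retry, pin):
    """3-parameter flavour: the password arrives as user data.
    On retry the previous answer was rejected; returning None tells NSS to give
    up rather than loop on the same wrong password (and burn a hardware
    token's retry counter)."""
    if retry:
        return None
    return pin


def interactive_callback(slot, retry):
    """2-parameter flavour: no user data registered, so the password must come
    from somewhere else (here a constructed stand-in for a prompt)."""
    return None if retry else "typed-at-prompt"
```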
Re: Accessing Firefox keystore
- People (personal without related private key) -- how did you get this?
Re: Accessing Firefox keystore
On Wednesday, January 14, 2015 20:30:41 UTC+1, Opa114 wrote:
> In the Secmod.java it checks the version of NSS:
>
>     private void fetchVersions() {
>         supported = nssVersionCheck(nssHandle, "3.7");
>     }
>
> But the NSS version I copied from the Mozilla folder has version 3.17.2.0. But this error message seems to be that there are problems with the version.

Another thing. I tried JSS. Works the first time. It shows me all the certificates including personal, server and other. Then I removed a certificate and the count of the certificates was increased. Before delete the count was 186, after delete 187. Strange thing. JSS looks very buggy. Then my cert8.db crashed and I let Firefox create a new one. Then I ran my code and I get the output of only 30 certificates. But in the cert manager in Firefox I see more than 30. So what's happening there? I think JSS is too buggy :( but it was a little bit easier to use than the NSS stuff. When I could access personal and server and others with NSS it would be nice.

And I found out if I remove certificates from the CA list, Firefox will recreate the entry on every startup (if someone is interested in it).
Re: best practices - python-nss to serialize PEM
Trying as you suggested today, but ran into some other thing which is puzzling. When I call cert = find_cert_from_nickname(nn, pwd) I successfully pull the server cert. I then call find_key_by_any_cert(cert, certpassword) and I get an object back (nss.nss.PrivateKey). So, presumably the PK exists for the cert. However, after calling pkcx12_data = nss.pkcs12_export(nn, pwd) it throws an exception with "Private Key could not be located and exported". So confused as to why I can get a PrivateKey object, but not export it with the cert.
Re: Accessing Firefox keystore
I tried it now with JSS and there I could access the Trusted Root CAs and the own certificates. I could remove them, too. Now I have to check if I could read the other certificates like Persons, Others and Root. And I have to check exactly what certificates I get when I call the getCACerts() function in difference to the getPermCerts() function.
Re: best practices - python-nss to serialize PEM
On 01/14/2015 09:58 AM, Robert Daniels wrote:
> Trying as you suggested today, but ran into some other thing which is puzzling. When I call cert = find_cert_from_nickname(nn, pwd) I successfully pull the server cert. I then call find_key_by_any_cert(cert, certpassword) and I get an object back (nss.nss.PrivateKey). So, presumably the PK exists for the cert. However, after calling pkcx12_data = nss.pkcs12_export(nn, pwd) it throws an exception with "Private Key could not be located and exported". So confused as to why I can get a PrivateKey object, but not export it with the cert.

Does it work using pk12util?

-- John
Re: Using JSS SSLSocket and SSLServerSocket TLS 1.1 and 1.2
jss-4.2.6-35 can be found on koji for various supported Fedora platforms. For RHEL it's the same version number.

Christina

On 01/13/2015 09:09 AM, Robert Relyea wrote:
> Christina, which version of JSS has TLS 1.1 and 1.2 support enabled?
>
> Bob
>
> On 01/12/2015 02:10 PM, deepr...@gmail.com wrote:
>> Folks, Sorry for the totally newbie question but I've hunted high and low. I am supporting some Java code that uses JSS4, NSS to provide SSL server side services. In response to POODLE I've been looking at this code and was able to enable TLS explicitly and disable SSL to mitigate that in its most basic form. However I was hoping to be able to add at least TLS 1.1 if not 1.2 support. I cannot find how this is done or if possible. I've built the latest NSS code base which seemingly supports these protocols, and built JSS around it but can't seem to get a TLS 1.1/1.2 connection. The JSS source code also doesn't show any of the SHA256 ciphers etc that imply TLS 1.2.. so I've come to the conclusion that I cannot use JSS to execute TLS 1.1/1.2 server side connections. Hopefully I'm wrong, or stupid but not both. Can anyone confirm, deny or otherwise point me in the right direction on this topic.
>>
>> Thank you
>> Colin
Re: Using JSS SSLSocket and and SSLServerSocket TLS 1.1 and 1.2
On 01/13/2015 09:28 AM, Robert Relyea wrote:
> On 01/13/2015 09:18 AM, Christina Fu wrote:
>> jss-4.2.6-35 can be found on koji for various supported Fedora platforms. For RHEL it's the same version number.
>>
>> Christina
>
> Are there any outside available builds, like Windows?

We hope to get to it, but the trees have diverged a great deal and it's hard to provide an ETA. Any interested developers are encouraged to volunteer. Source for Fedora can be retrieved from koji if anyone wishes to take a look.

Christina

> bob
>
>> On 01/13/2015 09:09 AM, Robert Relyea wrote:
>>> Christina, which version of JSS has TLS 1.1 and 1.2 support enabled?
>>>
>>> Bob
>>>
>>> On 01/12/2015 02:10 PM, deepr...@gmail.com wrote:
>>>> Folks, Sorry for the totally newbie question but I've hunted high and low. I am supporting some Java code that uses JSS4, NSS to provide SSL server side services. In response to POODLE I've been looking at this code and was able to enable TLS explicitly and disable SSL to mitigate that in its most basic form. However I was hoping to be able to add at least TLS 1.1 if not 1.2 support. I cannot find how this is done or if possible. I've built the latest NSS code base which seemingly supports these protocols, and built JSS around it but can't seem to get a TLS 1.1/1.2 connection. The JSS source code also doesn't show any of the SHA256 ciphers etc that imply TLS 1.2.. so I've come to the conclusion that I cannot use JSS to execute TLS 1.1/1.2 server side connections. Hopefully I'm wrong, or stupid but not both. Can anyone confirm, deny or otherwise point me in the right direction on this topic.
>>>>
>>>> Thank you
>>>> Colin
Re: Accessing Firefox keystore
I played a little bit with my JSS code. It shows me all certificates from all tabs in the Firefox built-in Certificate Manager. But JSS seems to be very buggy. First I read out 183 certificates. After I removed one certificate and ran the list certificates again it shows me 190 certificates. Then it crashed by cert8.db and I let FF create a new one. Then I ran my code and got output of only 10 certificates, but inside the store are about 180 certificates. Very strange thing.
Re: Accessing Firefox keystore
Hi Matthias

As stated in [1] you should use nssModule=trustanchors

I have tried:

    String config = "name = NSS\r\n" +
        "nssLibraryDirectory = " + tmpDirName + "\r\n" +
        "nssSecmodDirectory = " + profile.replace("\\", "/") + "\r\n" +
        "nssDbMode = readOnly\r\n" +
        "nssModule = trustanchors\r\n" +
        "attributes = compatibility\r\n";

Or even (as suggested in [2]):

    String config = "name = NSS\r\n" +
        "library = " + tmpDirName + "nssckbi.dll\r\n" +
        "slotListIndex = 0\r\n" +
        "enabledMechanisms = { KeyStore }\r\n" +
        "nssUseSecmodTrust = true\r\n";

Both with same result: Symbol not found: NSS_VersionCheck

Probably I'm missing something (or a library/dependency/something else)... but, IIUC, Java's SunPKCS11 is invoking NSS_VersionCheck which I'm not able to find in any bundled library.

Don't know if any of the gurus could give some light on this issue. Added as CC.

If it's definitively a bug and you are interested in investigating and maybe fixing, I suggest you to:
- Ticket a bugzilla (regression [3] ?) about backward compatibility with Java to mess with NSS. I don't expect any success. (if you open it, please, tell us!)
- Ticket Oracle to correct the function invocation. I don't expect any success. (If you open a ticket, tell us!)
- Have a look at the JSS code and check how it's done
- Look for alternatives, such as JSS and certutil...

[1] http://docs.oracle.com/javase/7/docs/technotes/guides/security/p11guide.html#NSS
[2] http://www.docjar.com/html/api/sun/security/pkcs11/Secmod.java.html
[3] https://hg.mozilla.org/projects/nss/file/fc06a531ea57/security/nss/lib/nss/nss.rc

Cya