On 01/22/2010 06:37 AM, manish wrote:
I wanted to know why not we use 4 DES, or 5 DES. Why only triple
DES,
is there a problem
For NSS, the answer is simple:
There is no standard for 4 DES or 5 DES, only des and 3 DES (which a
special form of 3 DES that allows for a '2 DES'
On 01/22/2010 11:53 AM, Wan-Teh Chang wrote:
2010/1/22 Robert Relyea rrel...@redhat.com:
On 01/22/2010 06:37 AM, manish wrote:
I wanted to know why not we use 4 DES, or 5 DES. Why only triple
DES,
is there a problem
For NSS, the answer is simple:
There is no standard for 4
On 01/14/2010 01:36 PM, Kai Chan wrote:
Hi,
NSS has ECDSA with SHA1 enabled in SEC_DERSignData() in secsign.c (
http://mxr.mozilla.org/security/source/security/nss/lib/cryptohi/secsign.c),
but will ECDSA with SHA256 and higher be supported in the future? Or is
this something as simple as
On 01/12/2010 04:07 AM, trashpants wrote:
im quite literally using the following line to try and import the file
pkcs12.exe -i cert.p12 -v -W Pass
but I get an error:
certutil.exe: function failed: security library: bad database.
You need to specify -d {firefox profile directory}
The
On 01/08/2010 10:08 AM, Klaus Heinrich Kiwi wrote:
Hi,
I've been debugging openCryptoki for compatibility problems with
Mozilla NSS, and I noted that, when creating a certificate using
certutil, Mozilla NSS tries to create a token object with
CKA_CLASS=0xce534353, which is the 'vendor
On 01/06/2010 01:06 PM, gordon gordon wrote:
Hello everyone, I'd like to use tool called pk12utils (I want to
import certificate from console) however when I compile NSS with
mozilla-build I always get debug build so when I copy all the program
to machine without debug libraries I got an error
Thank you for your help, I'll answer directly into your answers, too:
Robert Relyea wrote:
If I remember well, the PKCS11 specs tell that there's exactly 1
crypto-object per token (soft or hardware).
FALSE- A token can and does regularly have multiple crypto-objects
active at any given
On 2009-11-23 01:15 PST, Maciej Bliziński wrote:
I guess the main need for changes are the nss-config and nss.pc files,
since other software packages require them to build. I've seen that
Linux distributions create those files downstream. Is there any
chance for upstream nss-config
On 11/20/2009 11:17 AM, Nelson B Bolyard wrote:
On 2009-11-19 05:30 PST, David Stutzman wrote:
In comment 11 of 433105, Bob R said: NSS can open more than one
database at once, it might be good to see if you can specify opening
more than one in the secmod.db file. Is it actually
On 11/13/2009 02:20 AM, Konstantin Andreev wrote:
IMO, legacydb can not be considered legacy while it is the
_default_ database for Firefox and Thunderbird.
All the more reason to encourage FF and TB to move away from them;). The
name was chosen quite purposefully.
Too bad, but nobody except
On 11/01/2009 08:28 AM, Marc Kaeser wrote:
Hello Bob,
I've looked a bit further into the code today, and though you already
explained me those things, let me write them again in order to see if
I understood the idea:
I'm presuming you mean the PSM entry point.
1. Starting point:
The
On 11/08/2009 10:32 AM, Marc Kaeser wrote:
Hello Robert,
where can I get in touch with the NSS people you told me about? I want
to try to do those modifications.
I'm one of them:).
Now, in nsSDR, PK11GetInternalKeySlot(); adds a refcount
(PK11ReferenceSlot()) to one of its slots ([0] or
On 10/28/2009 06:23 AM, Konstantin Andreev wrote:
Hello, Robert.
Thank you for your time and explanation.
On Mon, 26 Oct 2009, Robert Relyea wrote:
Given that, I am curious, why this code exists:
lg_GetPublicKey @ softoken/legacydb/lgattr.c
static NSSLOWKEYPublicKey
On 10/28/2009 02:25 AM, Konstantin Andreev wrote:
Hello.
It looks somewhat strange how default (so-called legacydb) database
allows upper layer (softoken) to manipulate key's attributes.
Yes, the mapping between what the database could store and change versus
what the PKCS #11 expected to
On 10/28/2009 03:08 PM, Kroehnert, Andreas wrote:
Hello,
this is in reference to Message ID
-ocdnsshjoq9pnrxnz2dnuvz_t6dn...@mozilla.org
on mozilla.dev.tech.crypto.
We have issues to disable a whole adapter or just a single slot using
In summary, we have to be careful about 'doing something because it just
seems right'. We need to truly understand the risks, and what we are
getting for those risks.
Bob, a way to mitigate attacks on OCSP responders (DOS) can be
mitigated to by also supporting CRLs at multiple
On 10/13/2009 02:10 AM, Neil wrote:
This is probably PSM again, but I hope someone here can answer it, or
point me somewhere.
We have a both menuitem and a dialog that logs you out of the SDR, so
that you need to reenter your Master Password to gain access to your
stored certificates and
On 10/14/2009 11:16 AM, Nelson B Bolyard wrote:
By the way, I REALLY REALLY wish that the password manager would use that
when you click the button to reveal the passwords, instead of doing what
it does now, which forces you to re-enter the master password, even if
you've JUST entered it.
On 10/14/2009 02:46 PM, CB wrote:
I'm using WindRiver Linux 2.0 to cross compile nss to a PowerPC. The
3.11.4 build instructions and troubleshooting don't cover something
like this. Can someone point me to documentation that would describe
how to set the compiler, flags, install location,
On 10/13/2009 07:31 AM, Rob Stradling wrote:
Gerv, have you read the current security.OCSP.require in Firefox thread on
mozilla.dev.security?
Daniel Veditz said yesterday...
An alternate approach I'd like to lobby our front-end guys on would be
to put up a scary red bar when we can't
On 10/06/2009 01:14 AM, Konstantin Andreev wrote:
Hello, Robert.
On Mon, 10 Oct 2009, Robert Relyea wrote:
On 10/05/2009 09:27 AM, Konstantin Andreev wrote:
Could you, please, advise how I should handle CKA_NETSCAPE_DB for
GOST private keys ?
GOST private key? Are you talking about a new
On 10/05/2009 09:27 AM, Konstantin Andreev wrote:
Hello.
In the source code of the softoken library I see various conditional
manipulations with CKA_NETSCAPE_DB attribute of private keys.
Since I am adding a new (GOST) type of private key to NSS, I need to
know how CKA_NETSCAPE_DB should
On 10/05/2009 10:42 AM, Robert Relyea wrote:
On 10/05/2009 09:27 AM, Konstantin Andreev wrote:
Hello.
In the source code of the softoken library I see various conditional
manipulations with CKA_NETSCAPE_DB attribute of private keys.
Since I am adding a new (GOST) type of private key
On 09/25/2009 06:55 PM, Nelson Bolyard wrote:
On 2009-09-25 18:17 , Robert Relyea wrote:
On 09/25/2009 04:39 PM, Kathleen Wilson wrote:
Note that I am operating under the assumption that there is currently
no way in NSS to mark a root certificate as “untrusted”. Please let me
know
On 09/25/2009 11:58 PM, Kyle Hamilton wrote:
2009/9/25 Robert Relyea rrel...@redhat.com:
Because of the way the system works, deleting a cert from builtins would be
equivalent to marking it untrusted. The user could still override our choice
in softoken. Unfortunately the trustorder is set
On 09/25/2009 04:39 PM, Kathleen Wilson wrote:
Note that I am operating under the assumption that there is currently
no way in NSS to mark a root certificate as “untrusted”. Please let me
know if this assumption is incorrect.
There are 3 states we can report about a certificate: trusted,
On 09/15/2009 08:51 AM, Andreev Konstantin wrote:
Hello.
At the moment NSS head supports 6 hash algorithms:
md2,md5,sha{,-256,-384,-512}.
However, their implementations in freebl backend have no consistent
semantics for method
*hash*_End( Context *, unsigned char *digest, unsigned int
On 09/15/2009 07:47 AM, Andreev Konstantin wrote:
Hello.
I am currently in the process of adding support for GOST algorithms
(RFC 4357,4490,4491) into the NSS.
At this moment I implemented GOST hashing and GOST signature
verification algorithms in the NSS. This works throughout the whole
On 08/27/2009 10:47 PM, Medha Kulkarni wrote:
Hello,
We want to develop a CSP using pkcs#11 for smart card. But we do not
have any smart card setup with us. Can we get some sort of smart card
simulator to test out PKCS APIs?
There's a plugin allows you to wrap an existing PKCS #11 driver
On 08/28/2009 09:43 AM, yanlin wrote:
Hi Glen,
Thanks for the reply. Do u have any internal reference that i can use
to create a multi-platform build system? We need build nss and its
tools on pretty much all platforms.
Thx,
Yanlin
I manage to get many of them built for intel using the
On 08/18/2009 02:29 AM, Marc Kaeser wrote:
Thanks for your answer. I'm looking at nsSDR.cpp and I ask to myself:
is the Master Password used as an encryption key, or where does the
key come from? Does mozStorage encrypt the credentials also if the
Master Password isn't set? I hope I'll find
On 08/11/2009 07:11 AM, Rishi Renjith wrote:
Now in NSS.conf I added the following lines to use the hardware
accelerator
NSSNickname Sun Metaslot:ismc_cert
NSSCertificateDatabase /opt/SMC/Apache2/nssdb
Now everything is working fine, the requests are getting processed
correctly. But the issue
On 06/25/2009 06:25 PM, Sudarshan Gaikaiwari wrote:
Hi
I am trying to configure NSS on a Windows 2003 machine to work as a
JCE provider under Java 6 in the FIPS mode. I am using the
instructions
http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html#NSS
However I am unable
Ian G wrote:
Are we going to enforce a 2048-bit root requirement after Dec 31, 2010
(per NIST non-classified recommendation)? If so, we need to get the
Digital Signature Trust Co Global CAs to update.
I would vote against following NIST on this. But it would be a
reasonable thing to send a
---BeginMessage---
NIST - Federal Information Processing Standard (FIP) Publication 186-3
NIST announces the adoption of FIPS 186-3, The Digital Signature Standard (see
the Federal Register Notice). FIPS 186-3 is a revision of FIPS 186-2. The FIPS
specifies three techniques for the generation
Rich Megginson wrote:
I've been looking at the problem of different libraries/different
clients each with their own private key/cert db in a single process
(for example, the Thunderbird ldap/nss_ldap problem). In this case,
the user may want nss_ldap to keep its certs and keys (including ca
Georgi Guninski wrote:
On Wed, May 13, 2009 at 10:42:38AM -0700, Robert Relyea wrote:
So to understand correctly, MD-5 is implemented in a series of
operations modulo 2^32, so you can treat the whole thing as a GF(2^n)
ring. I believe this is a ring (2 doesn't have a multiplicative
Georgi Guninski wrote:
spent some time on this.
i tried algebraic preimage attack on md5 - working in $GF(2)[x0 .. x_i]$ and
using groebner basis with arguments that avoid crashes.
to my surprise i got unexpected correct *partial* results that pass the
insanity check.
You'll probably have
Nelson B Bolyard wrote:
SHA-1 has taken a significant hit. See
http://eurocrypt2009rump.cr.yp.to/837a0a8086fa6ca714249409ddfae43d.pdf
I can't tell from the paper if this is a reduced round attack or an
attack on full SHA-1.
In any case we really need to have SHA-2 pretty soon (that is in
Nelson B Bolyard wrote:
SHA-1 has taken a significant hit. See
http://eurocrypt2009rump.cr.yp.to/837a0a8086fa6ca714249409ddfae43d.pdf
For reference, if this is a full SHA-1 break, it's the same 'strength'
that MD-5 has been at for the last 4 years.
bob
some
NSS developers still build with msvc 6.0. I have built with msvc 9.0
recently.
bob
i would like to ask why and how this happened? and for help.
thank you.
2009/3/10 Robert Relyea rrel...@redhat.com
Nelson B Bolyard wrote:
marcelino jr esguerra
ksreedha...@gmail.com wrote:
Hello,
Does NSS support Regular 186 RNG also along with General Purpose
RNG?
Pre NSS 3.12.3: NSS supported a general purpose RNG based on FIPS 186.
Post NSS 3.12.3: NSS has replaced its FIPS 186 implementation with a
NIST SP-800-90 DRBG.
bob
Thanks,
Sreedhar
Ahnjoan Amous wrote:
I'm attempting configuration of mod_nss to use an OCSP responder. My
OCSP responder uses a self signed certificate (call it OCSPcert) to
sign responses, my web server uses a certificate (call it SERVERcert)
signed by a trusted CA (call it CA1cert). I also have a second
Julien R Pierre - Sun Microsystems wrote:
Nelson,
Nelson B Bolyard wrote:
Julien R Pierre - Sun Microsystems wrote, On 2009-01-21 15:03:
I don't like much the way that we implemented SSE2 on Linux - together
in a single freebl shared library with the non-SSE2 version. That
stands in the
In https://bugzilla.mozilla.org/show_bug.cgi?id=472975 georgi said in comment
12:
offtopic question:
afaict when doing a ssl connection, the server *doesn't sign* anything with his
private key (in most cases). though the server needs it for finding the session
secret.
are attacks with
Eddy Nigg wrote:
Ah yes, maybe I should...it's in my nature to work around such
problems too many times. Basically if the CA certificates are imported
into the card, then those CAs take preference by NSS (for whatever
reason). Meaning, the builtin CA root isn't visible in the cert
Michael Bell wrote:
Eddy Nigg wrote:
On 01/21/2009 01:07 PM, Michael Bell:
Eddy Nigg wrote:
On 01/21/2009 11:57 AM, Michael Bell:
Which driver are you using on Linux? Is this an Aladdin eToken? Which
library did you choose as the PKCS11 module?
I use a Siemens
Nelson B Bolyard wrote:
Julien R Pierre - Sun Microsystems wrote, On 2009-01-21 15:03:
Even if you end up building NSS with optimizations, they use the regular
multiply instructions, which performs best on AMD chips, but not as well
on Intel CPUs. For Intel, one needs to use the SSE2 and
ps_mitrofa...@mail.ru wrote:
Freebl3.dll works fine )
err. I highly suggest you do not go that route. NSS does not guarantee
the freebl3 interface as a stable interface. Your app may break when new
versions of NSS are installed.
Let me make this perfectly, crystal-clear. Freebl3.dll is a
Michael Ströder wrote:
Nelson Bolyard wrote:
OCSP stapling allows a TLS server to send a copy of a recent OCSP
response (issued by the issuer of that server's cert) along with the
cert in the TLS handshake, thereby saving the client extra connections
and extra round trips. It reduces load
ps_mitrofa...@mail.ru wrote:
Hi. I've got a problem.
I need to use NSS freebl3.dll ECC-functions (for ECDH).
The first and most obvious question... Why?
freebl3.dll is a private NSS DLL. NSS does not support applications
using its functions directly, and doing so would be a good way to have
Ben Bucksch wrote:
On 08.01.2009 23:15, Nelson B Bolyard wrote:
I encourage people to read through that bug, especially the early
comments, before contributing here. (The later comments are mostly
me too)
Esp. because the first are from you (and are dissenting, and therefore
important, while
Ben Bucksch wrote:
Advocacy:
One of the core assumptions of the x.509 world is ONE SIGNATURE, and
ONE AUTHORITY.
Thing is: There is no one authority :-). God doesn't issue SSL
certificates. Apart from him, I trust only me and my friends.
That's clearly not the case. You have admitted to
Ben Bucksch wrote:
On 08.01.2009 23:35, Eddy Nigg wrote:
On 01/08/2009 11:44 PM, Ian G:
Well, what Firefox does is cert-exception-click-thru-ordeal; whereas
people are asking for key-continuity-management, with perhaps the
emphasis on the last word.
Well, is it then an endorsement for
the longer a key is used the better the chances of getting
compromised, isn't it?
It doesn't make a difference whether you have one key for two years on a
system or two keys for one year each, one after the other.
The longer a key is on a system, the chances are higher for compromise
I
Eddy Nigg wrote:
On 12/27/2008 12:44 AM, Subrata Mazumdar:
A related question:
Is it possible to configure the NSS Soft-Token associated with the
internal slot like smart-card based token so that the private key
cannot be exported out of the token?
If not, would it be useful feature to
I've made a proposal on how applications should initialize NSS when
using shared databases on Linux. That draft is located here:
https://wiki.mozilla.org/NSS_Shared_DB_And_LINUX
Comments and edits are welcome.
Thanks,
bob
smime.p7s
Description: S/MIME Cryptographic Signature
Martin Paljak wrote:
Thanks for tips! Could you point me to the line in spec where it says
that slots can only be added. I can't find the place where it forbids
removing.
That's what I get for not checking the spec after the meeting in which
we discussed this. The original agreement was that
sg4all wrote:
Hi,
I'm trying to set up an Apache webserver with mod_nss. When available, OCSP
should be used to verify the validity of the certificate. When the OCSP is
unavailable, CRLs are used.
I installed the CRLS, and configured everything. (My nss.conf is
included in
this message).
[EMAIL PROTECTED] wrote:
Initially I posted this on another support forum, but was kindly
requested to post here instead:
For a screendump please refer to: http://www.vandersman.org/certstore.PNG
Interesting. The sequence ?? in the cert isn't valid thai. ? is a vowel
(roughly 'a' as in
Martin Paljak wrote:
Thanks!
I was only trying to figure out if there is any difference in 2.11 vs
2.20 handling.
2.20 allows slots to be added during the lifetime of a cryptoki
application.
Can you also explain how NSS handles the feature or any gotchas in
implementing support for
I'll repeat my answer to your question in the opensc list. We should
probably keep followups in this list since there is more NSS/mozilla
expertise here (which is really where your question is coming from)...
Akkshayaa Venkatram wrote:
Hello,
From the mozilla tree,
I have a couple of thoughts about some of the worries about shutting
down after a fork().
First, the PKCS #11 spec is silent on this issue particularly, but it is
clear about one thing, you do need to be able to handle C_Initialize
after the fork. The quickest way to get there is to allow
Wolfgang Rosenauer wrote:
Hi,
Hans Petter Jansson wrote:
This database only fails to migrate if the target database was not
already created by another, successful merge, though.
I think you're saying that the failures only occur if the target (cert9)
DB doesn't already exist
Wan-Teh Chang wrote:
The SECMOD_LoadUserModule and SECMOD_UnloadUserModule functions
were added in https://bugzilla.mozilla.org/show_bug.cgi?id=132461, but no
NSS utilities or test programs use these functions, so the only sample code
for these functions that I can find is PSM.
PSM uses these
Anders Rundgren wrote:
IM[NS]HO, S/MIME encryption using PKI is one of the biggest security
farces ever. Even the use-case is often wrong.
Please start your debate in another thread. S/MIME and PKI are a
supported part on the NSS feature set, and supported in pretty much
every email
Wolfgang Rosenauer wrote:
Nelson B Bolyard wrote:
Wolfgang Rosenauer wrote, On 2008-11-18 05:38:
Hi,
I'm trying to use Firefox with an sqlite based NSS. So far all the
certificate stuff still works as expected as far as I can see but the
password manager component is broken now:
Anders Rundgren wrote:
Robert,
Pardon me. I did indeed not intend to slam Paul's guide.
I changed the thread but I don't expect a fruitful debate since the difficulties
are mostly unrelated to NSS. I feel sorry for those who feel that S/MIME
encryption needs to become mainstream because
Wolfgang Rosenauer wrote:
Robert Relyea wrote:
This was a new profile actually. And yes, the database which reveals
this issue isn't complete it seems. I removed it and created a new empty
one using certutil -d sql:. -N and now Firefox works correctly.
What I've used to create the shared
Nelson Bolyard wrote:
Robert Relyea wrote:
Typically
needsUserInit means there isn't a password record in your key database.
Without this you can not store any keys. The difference between 'not
initialized', 'doesn't have a master password', and 'has a master
password' is as follows:
1
Ken wrote:
2008/11/15 Robert Relyea [EMAIL PROTECTED]:
NZzi wrote:
Robert Relyea wrote:
NZzi wrote:
hi all:
I want to use private key to encrypt a message,
and decrypt with public key.
Are you encrypting data or a symmetric Key?
Most of the nss code
Hans Petter Jansson wrote:
This works for some databases, but not others. It doesn't seem to matter
which application created the database (I've tried with databases from
Firefox and Evolution) - e.g. one user's database may fail while another
user's database may migrate properly. When it
NZzi wrote:
Robert Relyea wrote:
NZzi wrote:
hi all:
I want to use private key to encrypt a message,
and decrypt with public key.
Are you encrypting data or a symmetric Key?
Most of the nss code that does these operations does so on actual
symmetric keys (which are then used to do
NZzi wrote:
hi all:
I want to use private key to encrypt a message,
and decrypt with public key.
Are you encrypting data or a symmetric Key?
Most of the nss code that does these operations does so on actual
symmetric keys (which are then used to do additional
encryption/decryption/macing).
Akkshayaa Venkatram wrote:
Hi
I am developing a Firefox extension that calls PKCS 11 functions like
C_Encrypt, C_Sign, C_Decrypt and others..
We don't expose the direct C_ calls in NSS. NSS typically has the token
open during the entire time, so applications making calls and changing
states
Bernie Sumption wrote:
If we create an error display that says "No kidding, this absolutely
is an attack and we're stopping you cold to protect you from it."
it seems unavoidable that users will learn to treat the absence
of such an unbypassable error display as proof to the contrary,
proof that
Ken wrote:
2008/11/5 Robert Relyea [EMAIL PROTECTED]:
NZzi wrote:
hi all:
when i use nss to develop some cipher program(just
for local, not internet), i.e. just perform
miscellaneous cryptographic operations, the only
reference i can use is the example code from MDC.
when i want
Antonio wrote:
Hi all,
Is it possible to create a brand new certificate database at runtime
for read/write purposes, without it being the default database?
Thanks,
Antonio
Yes,
The thread multiple pkcs 12 files vs. firefox software pkcs 11
module... has a link to two functions that allow
, The CERTCertDBHandle is basically an historical dreg in our code.
NSS always has a consolidated view of all the databases. The only time
they are distinguished is if you specify a particular token
(PK11SlotInfo *). What is it you are trying to actually do?
bob
On Oct 29, 8:46 pm, Robert Relyea [EMAIL
[EMAIL PROTECTED] wrote:
On Oct 28, 5:10 pm, Nelson B Bolyard [EMAIL PROTECTED] wrote:
[EMAIL PROTECTED] wrote, On 2008-10-28 13:29:
From what I have read, the internal pkcs 11 data store is protected by 1
master password. Is there a way to store my keys in the firefox pkcs 11
data
Paul Hoffman wrote:
At 3:25 PM +0200 10/24/08, Ian G wrote:
Robert Relyea wrote:
The problem with this idea is that mozilla probably does not want to be
in the CA business. The overhead of creating a mozilla root key in a
safe and secure manner is quite involved (and more than doing
Julien R Pierre - Sun Microsystems wrote:
How do we revoke Mozilla's root?
By updating mozilla software :)
Certainly not by issuing a CRL. Mozilla doesn't have the keys needed to
issue a CRL to revoke any root. (CRL's must be signed by the issuer, or
by an agent with the appropriate key
Nelson B Bolyard wrote:
b) some unmistakeable blatantly obvious way to show the user that this
site is not using security that's good enough for banking but, well,
is pretty good security theater. Flashing pink chrome?
Empty wallet icon? The whistling sounds associated with falling things?
Nelson B Bolyard wrote:
[EMAIL PROTECTED] wrote, On 2008-10-13 13:52:
I have a crypto library which I connect to a Firefox extension using
Xpcom. The library generates custom size public and private key pairs
which I would like to store securely in Firefox. How would this be
done?
Kyle Hamilton wrote:
On Tue, Oct 7, 2008 at 5:22 PM, Subrata Mazumdar
[EMAIL PROTECTED] wrote:
I guess that the problem is in documentation and the PSM GUI. The PSM
GUI should have clearly stated
the password policy requirement in the password change dialog window.
Also, NSS should have
Subrata Mazumdar wrote:
Nelson,
thanks very much for the clear answer - I did not realize that the
Mozilla NSS does not support PKCS#8.
I also agree with you that PKCS#12 format is the right way to
import/export keys.
The problem is that a large number of OpenSSL based applications still
use
Robert Relyea wrote:
[ output deleted].
Which means that libnssckbi.so is used for obtaining trust anchors and I
don't know why. In configuration I've set that I want only access to
keystore. Any ideas?
Yes, the trust anchors are stored in libnssckbi.so. NSS nssckbi is the
NSS cryptoki Builtin
Francisco Puentes wrote:
Being a beginner with NSS, I need help :-(
I am trying to generate a RSA pair of keys with this code:
NSS_Init("./rsa.db");
NSS_Init requires a pointer to a directory (which should already exist).
You should check the error code coming back for NSS_Init. It's
Graham Leggett wrote:
Hi all,
I am having a dilemma that I am trying to find a solution for.
In the httpd webserver, if the mod_nss module is loaded, the mod_nss
module will try and initialise NSS. If mod_authnz_ldap is loaded into
the same server, and mod_authnz_ldap depends on the Mozilla
Wan-Teh Chang wrote:
On Thu, Sep 11, 2008 at 9:29 AM, Paul Hoffman [EMAIL PROTECTED] wrote:
Greetings again. Are people aware of any IPsec implementations using
NSS's crypto, even as a non-default build option?
No, I don't know of any IPsec implementations using
NSS's crypto. Since
Subrata Mazumdar wrote:
nsCOMPtr<nsIPK11Token> softToken;
rv = pkcs11Slot->GetToken(getter_AddRefs(softToken));
softToken->Login(PR_FALSE); // prompts for initializing password
. . .
softToken->Reset(); // expected that token/slot password would be in
the uninitialized state
Graham Leggett wrote:
Completeness I guess - xml-security's API allowed you to choose both
CBC and ECB modes, so I was trying to emulate the same thing.
The only mechanism that I cannot find an oid for is CKM_DES3_ECB - do
you know which SEC_OID_* macro I should be using?
The
Nelson B Bolyard wrote:
Graham Leggett wrote, On 2008-09-06 12:51:
I think a big source of confusion is that everything is an OID, or
everything is a mechanism, but not all OID or mechanisms are relevant
for every situation, and this isn't clear from each function call.
I think this
Graham Leggett wrote:
Robert Relyea wrote:
Newer applications should use more standard algorithms such as PKCS#5
v2.0 for key derivation.
I am assuming NSS supports PKCS#5 v2, what functions should I be
looking at to achieve this?
Ah, It's a PBE algorithm. That is a perfectly acceptable
Nelson B Bolyard wrote:
Suresh Kumar J wrote, On 2008-09-02 10:55:
Hi Nelson,
You are correct that Apache Tomcat web-server(v6.0.13) choked with the
full set of cipher suites implemented in the Windows FF3.0.1. When I
disable the following cipher suites via the about:config option, the
web
Graham Leggett wrote:
Hi all,
I am trying to port some symmetrical encryption / decryption code
using OpenSSL's EVP_CipherUpdate function to NSS, and I am running
into trouble trying to find the API documentation for NSS.
So far, the closest to documentation that I have found is a list of
Anders Rundgren wrote:
Eddy Nigg wrote:
The keygen tag is used widely and Mozilla supports smart cards with the
associated PIN excellent.
I'm sure about that! However...
What I was referring to is the inability for an issuer specifying that
generated keys should be PIN-protected
Nelson B Bolyard wrote:
Thorsten Becker wrote:
Nelson Bolyard wrote:
On the other hand, it is possible that the domain validation was performed
but that it was deceived through the use of DNS attacks. In his slides
on the subject of DNS attacks, Dan Kaminsky did say that it was
Wan-Teh Chang wrote:
2008/8/15 Sam Laidler [EMAIL PROTECTED]:
Hello, hope all is well.
I was wondering if I might ask about hashing efficiency. I am reiteratively
hashing values. Basic algorithm is:
digestCntxt = PK11_CreateDigestContext(algorithm);
while (counter
Nelson B Bolyard wrote:
Howard Chu wrote, On 2008-08-11 20:07:
Nelson B Bolyard wrote:
Howard Chu wrote, On 2008-08-10 14:13:
It would make it impossible to use in e.g. OpenLDAP/nss_ldap because
applications would be unable to load their own configuration settings
after