Re: libnsssysinit

2014-12-08 Thread Robert Relyea
On 12/08/2014 08:59 AM, David Woodhouse wrote: I still maintain that the path to sanity involves killing /etc/pki/nssdb entirely, and then you can look at applying *correct* fixes to whatever's still not behaving correctly. The whole point of /etc/pki/nssdb is so you have one place to install

Re: Accessing Firefox keystore

2015-01-09 Thread Robert Relyea
On 01/09/2015 08:03 AM, Opa114 wrote: I do, but I want to parse the cert8.db or maybe access this file in an easier way with JAVA. I have to read the file and maybe I have to remove and/or add new certificate to it. While there is some documentation on the format of cert8.db, If you are

Re: Using JSS SSLSocket and and SSLServerSocket TLS 1.1 and 1.2

2015-01-13 Thread Robert Relyea
On 01/13/2015 09:18 AM, Christina Fu wrote: jss-4.2.6-35 can be found on koji for various supported fedora platforms. For rhel it's the same version number. Christina Are there any outside available builds, like windows? bob On 01/13/2015 09:09 AM, Robert Relyea wrote: Christina, which

Re: Using JSS SSLSocket and and SSLServerSocket TLS 1.1 and 1.2

2015-01-13 Thread Robert Relyea
Christina, which version of JSS has TLS 1.1 and 1.2 support enabled? Bob On 01/12/2015 02:10 PM, deepr...@gmail.com wrote: Folks, Sorry for the totally newbie question but I've hunted high and low. I am supporting some Java code that uses JSS4, NSS to provide SSL Server side services. In

Re: Accessing Firefox keystore

2015-01-08 Thread Robert Relyea
On 12/11/2014 12:33 AM, helpcrypto helpcrypto wrote: Hi again, sorry for delay. Yes, you can (SHOULD) use SunPKCS#11 to access directly the libraries/modules. You can do it two ways: - attack libraries directly - parse (legacy) secmod.db on Firefox profile to list modules/libraries.

Re: Key zeroization in NSS DB

2015-03-25 Thread Robert Relyea
On 03/25/2015 04:30 AM, Jan Otte wrote: Hi, When finding out how to do key zeroization in NSS DB I stumbled upon https://bugzilla.mozilla.org/show_bug.cgi?id=347450 The last comment states that key zeroization is not needed for FIPS, which is in contrast with the initial description. What is

Re: NSS support for RFC7512 PKCS#11 URIs

2015-05-04 Thread Robert Relyea
On 05/03/2015 02:17 AM, David Woodhouse wrote: On Sat, 2015-05-02 at 18:33 -0700, Jan Pechanec wrote: On Fri, 1 May 2015, David Woodhouse wrote: On Fri, 2015-05-01 at 11:35 +0100, Alan Braggins wrote: On 30/04/15 17:56, David Woodhouse wrote: Has anyone looked at implementing RFC7512

Re: Problems with FF and internal certificates

2015-05-04 Thread Robert Relyea
On 05/04/2015 10:09 AM, Brian Smith wrote: On Fri, May 1, 2015 at 9:11 AM, Tanvi Vyas tv...@mozilla.com wrote: On Apr 27, 2015, at 2:03 PM, Michael Peterson michaelpeterson...@gmail.com wrote: Now, in the album I posted above (https://imgur.com/a/dmMdG), the last two screenshots show a

Re: target parameter to PK11_Derive

2015-05-05 Thread Robert Relyea
On 05/05/2015 08:42 AM, Andrew Cagney wrote: Hi, I'm cleaning up some code (it has a long history) that, among other things, computes IKE's PRF (hmac) and PRF+ (key derivation function). The computation involves the use of PK11_Derive to perform lots of concatenation, padding, xoring, and

Re: target parameter to PK11_Derive

2015-05-11 Thread Robert Relyea
On 05/07/2015 11:49 AM, Andrew Cagney wrote: [inline] On 5 May 2015 at 13:18, Robert Relyea rrel...@redhat.com wrote: The target Mechanism is the operation you are going to use the target key for, It shouldn't match the mechanism used to derive the key. It is basically used to set

Re: PK11SymKey in FIPS mode from nothing

2015-05-12 Thread Robert Relyea
On 05/12/2015 08:58 AM, Andrew Cagney wrote: Hi, I'm looking to clean up some test code (IKEv2, NISTs CAVP tests), so that they work in FIPS mode (what ever that means). So CAVS tests require hooking outside the FIPS mode boundary because CAVS tests access CSPs which aren't allowed outside

Re: NSS set extractable = no

2015-05-19 Thread Robert Relyea
On 05/18/2015 03:04 PM, Arthur Ramsey wrote: I have a requirement to disable key export on a key stored in a NSS DB in FIPS mode. I read through the documentation and found mention of the ability to do this, but not how. Where can I find information on how to disable key export? I will be

Re: placing NSS in fips mode using modutil is forgotten ?

2015-06-10 Thread Robert Relyea
On 06/10/2015 06:15 AM, Paul Wouters wrote: Hi, I'm trying to do various FIPS tests for libreswan. Our testing system using KVM is a little tricky to selectively boot with fips=1, so I did some scripting to get everything into faked FIPS mode. It basically comes down to first running a script

Re: PK11SymKey in FIPS mode from nothing

2015-05-19 Thread Robert Relyea
On 05/12/2015 10:44 AM, Paul Wouters wrote: On Tue, 12 May 2015, Robert Relyea wrote: So, in FIPS mode, in a standalone test program, what is the correct way to turn g^ir into PK11SymKey. PK11SymKey *sym_key = PK11_ImportSymKey(slot, CKM_DH_PKCS_DERIVE, PK11_OriginUnwrap

Re: pk12util: Wrong certificate names in database

2015-07-27 Thread Robert Relyea
On 07/27/2015 12:54 AM, Trick, Daniel wrote: Thank you a lot for clarification, Kaspar! So, by design of NSS, all certificates with the same DN will end up with the same nickname. And the very first certificate with a specific DN will set the nickname for all other certificates (with that

Re: Add New OID to NSS

2015-11-04 Thread Robert Relyea
On 11/04/2015 11:21 AM, JBarry wrote: Hi Bob, Thank you for the helpful reply. I have looked at the files you have mentioned and am a little confused about something. For example (secoid.c lines 34-35): /* USGov algorithm OID space: { 2 16 840 1 101 } */ #define USGOV 0x60,

Re: Add New OID to NSS

2015-11-04 Thread Robert Relyea
On 11/04/2015 08:57 AM, JBarry wrote: Hello, I'll apologize in advance if this question has already been asked/answered (I did look and found nothing that helped me out) or if the question seems trivial. I am a college intern currently working with NSS for the first time, so please forgive me

Re: Can sign but cannot encrypt email using a valid S/MIME certificate

2015-09-04 Thread Robert Relyea
On 09/04/2015 05:06 AM, Thibault Derrien wrote: Dear all, I have obtained numerical certificates of national certification authority in Czech Republic (ICA). 1/ I have imported the certificate into Mozilla Thunderbird > Account Settings > Security > Digital Signing. - It shows Software

Re: Prevent "proxyfying" PKCS#11

2015-09-28 Thread Robert Relyea
On 09/25/2015 01:36 AM, helpcrypto helpcrypto wrote: Hi all I hope you can find a solution for my problem, cause I can't. (And perhaps it's impossible) Based on my knowledge of PKCS#11 standard, the spec is exposed to a MITM attack that steals the PIN when an application invokes C_Login

Re: Prevent "proxyfying" PKCS#11

2015-09-28 Thread Robert Relyea
On 09/25/2015 09:13 AM, Erwann Abalea wrote: On Friday, 25 September 2015 14:39:04 UTC+2, helpcrypto helpcrypto wrote: On Fri, Sep 25, 2015 at 11:52 AM, Erwann Abalea wrote: [...] Although it won't solve my problem, this will make possible to kill signature applets

Re: AES-256 vs. AES-128

2015-11-30 Thread Robert Relyea
On 11/30/2015 12:07 PM, Julien Vehent wrote: On 2015-11-30 12:47, Robert Relyea wrote: I've always found the 128 bit prioritized over 256 a silly recommendation, I support reordering. Can you expand on why you think it is silly? The argument went that 128 bit was 'sufficient

Re: Algorithms supported in NSS 3.17, FIPS mode

2015-12-15 Thread Robert Relyea
On 12/14/2015 05:04 PM, Paul Wouters wrote: Don't know about DRBG, but everything else you asked for is supported. Sent from my iPhone On Dec 14, 2015, at 18:03, jonetsu wrote: Hello, I am trying to get a list of the algorithms and ciphers supported by NSS 3.17 in

Re: AES-256 vs. AES-128

2015-11-30 Thread Robert Relyea
On 11/25/2015 02:01 PM, April King wrote: My colleague Julien Vehent and I are in the process of updating the Mozilla Server Side TLS documentation: https://wiki.mozilla.org/Security/Server_Side_TLS One of the topics of conversation was whether or not the Modern TLS configuration should

Re: Replacement for PK11_GetLowLevelKeyIDForCert etc

2016-06-27 Thread Robert Relyea
On 06/24/2016 06:29 PM, Andrew Cagney wrote: Hi, according to the NSS documentation, the functions for getting CKAIDs are deprecated vis: /** * New functions which are already deprecated

Re: Using NSS in FIPS mode

2016-01-21 Thread Robert Relyea
On 01/21/2016 07:33 AM, jonetsu wrote: Hello, Please let me know if this is not the right place to ask about the following... This is the right place. I am new to NSS and would like to use it in FIPS mode. I do know about OpenSSL and GnuTLS, both of them having explicit calls to enabled

Re: Using NSS in FIPS mode

2016-01-22 Thread Robert Relyea
On 01/22/2016 06:42 AM, jonetsu wrote: Robert Relyea wrote: The call PK11_IsFIPS() returns true if softoken is in FIPS mode. The dance to programmatically is to call SECMOD_DeleteInternalModule(), which toggles the module between FIPS and non-FIPS modes. Thanks. I will try it. When

Re: server-side OCSP stapling

2016-03-01 Thread Robert Relyea
On 03/01/2016 02:19 PM, Martin Thomson wrote: AIUI, support for stapling in NSS is pretty primitive. You are expected to make the OCSP query yourself and use the API to configure the server. IIRC the API to fetch the ocsp response is mostly application code. NSS has a simple http request

Re: NSS_NoDB_Init(".") and FIPS mode

2016-03-18 Thread Robert Relyea
On 03/18/2016 09:14 AM, Andrew Cagney wrote: Is it possible to put NSS (softtoken) in FIPS mode (PK11_IsFIPS()) without a "modutil -fips true" database? By FIPS mode I guess I really mean confirm that NSS has performed some sort of FIPS self-check. An earlier thread mentioned some way of

Re: RFC7512 PKCS#11 URI support

2016-04-05 Thread Robert Relyea
On 04/04/2016 03:19 PM, Ryan Sleevi wrote: On Mon, Apr 4, 2016 at 12:39 PM, David Woodhouse wrote: We usually reserve the term "breaks the API" for when something *used* to work, and now doesn't. Not when a previously-failing call now actually does something useful. No,

Re: RFC7512 PKCS#11 URI support

2016-04-08 Thread Robert Relyea
On 04/07/2016 03:49 PM, David Woodhouse wrote: On Thu, 2016-04-07 at 05:01 -0700, Julien Pierre wrote: The problem really stems from the design of NSS, specifically the CERTCertificate*, which maps to a unique DER encoded cert, but not to a single PKCS#11 object in a single token. Since the

Re: Programmatically smartcard/token access with NSS

2016-03-19 Thread Robert Relyea
On 03/17/2016 06:17 AM, Túlio Gomes wrote: Hello, I need to access a smartcard for signing documents with the private key stored inside it. The idea is to create a C++ component that will be used with a pnacl module inside Chrome's browser. So I decided to use NSS, but I'm confused about what

Re: NSS_NoDB_Init(".") and FIPS mode

2016-03-21 Thread Robert Relyea
On 03/18/2016 01:55 PM, Wan-Teh Chang wrote: On Fri, Mar 18, 2016 at 10:49 AM, Robert Relyea <rrel...@redhat.com> wrote: Yes, SECMOD_DeleteInternalModule() is a toggle which switches NSS between FIPS and non-FIPS. If you don't have a database open, or the database is open readOnly, the

Re: [ANNOUNCE] NSS 3.24 Release

2016-05-23 Thread Robert Relyea
On 05/22/2016 04:26 PM, Paul Wouters wrote: On Sun, 22 May 2016, Kai Engert wrote: Subject: [ANNOUNCE] NSS 3.24 Release * NSS softoken has been updated with the latest NIST guidance (as of 2015) What does this relate to? Do you have the specific FIPS publication? Is this perhaps the GCM

Re: Should PK11_Derive() save the failure status?

2017-02-22 Thread Robert Relyea
On 02/22/2017 10:44 AM, Andrew Cagney wrote: Hi, I've got a PK11_Derive() call failing (presumably something silly on my part), but frustratingly, PORT_GetError() just returns 0. It seems that all variants of PK11_Derive() don't call: PORT_SetError(PK11_MapError(crv)); with the error

Re: JSS/NSS locks my smart card after 1 bad pin entry

2016-10-10 Thread Robert Relyea
On 10/07/2016 06:56 PM, Ernie Kovak wrote: Hello - We're using JSS4 and NSS 3.24 with an OpenSC module to interact with a DoD CAC. CACs will lock after 3 consecutive bad PIN entries. We're finding that if the user enters a bad PIN even once, that hard limit is exceeded and the card is

Re: NSS db nicknames with NSS_InitContext()

2016-10-18 Thread Robert Relyea
On 10/18/2016 11:16 AM, Rob Crittenden wrote: It looks like when multiple NSS databases are initialized using NSS_InitContext() the nicknames can take multiple forms depending on order of initialization. Using the multinit program and three NSS certificate databases with identical nicknames I

Re: NSS_Context and FIPS

2016-10-21 Thread Robert Relyea
On 10/21/2016 07:04 AM, Rob Crittenden wrote: I'm trying to figure out how to dynamically enable FIPS support for NSS Contexts. I started with multinit.c and initialize FIPS right after calling NSS_InitContext() using this: So you can't change the state of an already open database. NSS will

Re: Fwd: debug PKCS11

2016-11-18 Thread Robert Relyea
On 11/18/2016 12:49 AM, Alexei Mayanov wrote: Hello! I'm developing PKCS11 library for my device. This library is based on pkcs11-proxy (https://github.com/SUNET/pkcs11-proxy). It works well with different apps but with Firefox I can't login with client certificate on to the test site. Firefox

Re: NSS open multiple NSS-Databses at once?

2017-01-10 Thread Robert Relyea
On 01/10/2017 10:18 AM, Opa114 wrote: thanks, but these facts I know. I don't want to let multiple applications open one Database, I want to open multiple different Mozilla databases, in the old standard format, with one (my) application. I tried to use the NSS_Init functions. These works

Re: NSS open multiple NSS-Databses at once?

2017-01-10 Thread Robert Relyea
On 01/10/2017 02:07 PM, Opa114 wrote: On Tuesday, 10 January 2017 22:24:10 UTC+1, Robert Relyea wrote: On 01/10/2017 10:18 AM, Opa114 wrote: thanks, but these facts I know. I don't want to let multiple applications open one Database, I want to open multiple different Mozilla databases

Re: NSS open multiple NSS-Databses at once?

2017-01-09 Thread Robert Relyea
On 01/08/2017 05:34 AM, Opa114 wrote: Hi there, I have to use NSS in one of my applications and therefore I have to open multiple databases (for example Firefox and Thunderbird) at once to read and write into these. How can I do this programmatically in C++? Some example code would be very

Re: Are NSS bug fix releases still FIPS 140-2 certified?

2017-04-11 Thread Robert Relyea
On 04/10/2017 02:58 PM, Ernie Kovak wrote: Kyle Hamilton is right. The authoritative document is the NSS module's security policy, which is linked from their validation certificate (see above). That policy specifies how the module can be used in order to be FIPS 140-2 compliant. According to

Re: How to get a list of SubjectAltNames of a cert in NSS

2017-03-03 Thread Robert Relyea
On 03/03/2017 09:42 AM, Paul Wouters wrote: On Fri, 3 Mar 2017, Robert Relyea wrote: [offlist] redirected back to the list, since the item I was concerned about is not a concern. Thanks for the info. I looked at it and have two questions and one concern (which is why this is offlist

Re: How to get a list of SubjectAltNames of a cert in NSS

2017-03-03 Thread Robert Relyea
On 03/03/2017 02:48 PM, Robert Relyea wrote: On 03/03/2017 09:42 AM, Paul Wouters wrote: On Fri, 3 Mar 2017, Robert Relyea wrote: [offlist] redirected back to the list, since the item I was concerned about is not a concern. Thanks for the info. I looked at it and have two questions

Re: Linker error from tstclnt

2017-11-22 Thread Robert Relyea
On 11/22/2017 07:24 AM, Kai Engert wrote: On 10.11.2017 10:16, muni.pra...@gmail.com wrote: USE_STATIC_RTL=1 I haven't seen this symbol before, maybe it's no longer supported. Does it work if you don't define it? The symbol means build the test binaries with static libraries. That hasn't

Is there some problem with treeherder?

2019-03-18 Thread Robert Relyea
I've been trying to get an nss-try builds with nss-tools for a couple of days now, but it looks like both nss-try and nss are not properly running any tests. Is there an outage, or do we need someone to kick the try servers? bob -- dev-tech-crypto mailing list

Re: [ANNOUNCE] NSS 3.44 Release

2019-05-22 Thread Robert Relyea
On 05/17/2019 08:54 AM, JC Jones wrote: On Thursday, May 16, 2019 at 9:28:39 AM UTC-7, Paul Wouters wrote: Wait, what? They need work to make them simpler and better support cross compiling for sure, but getting rid of them would really hamper our use of NSS on different platforms. How would

NSS ESR release date.

2020-03-26 Thread Robert Relyea
Red Hat Planning would like to know the estimate for when the NSS targeted for ESR will be released. We are working on the theory it will be end of May (balancing time for PKCS #11 3.0 changes versus when ESR needs a new NSS). Planning wants me to confirm that with Mozilla, particularly JC.

Re: [key4.db] IV size for aes256-CBC

2020-03-30 Thread Robert Relyea
On 03/27/2020 12:21 PM, Louis Abraham wrote: Hi Matthew, Awesome, thanks and sorry for contacting the wrong list! Since then, I found the answer to the 14 bytes question: https://hg.mozilla.org/projects/nss/rev/fc636973ad06392d11597620b602779b4af312f6#l6.49 Basically the DER encoding is used

Re: [key4.db] IV size for aes256-CBC

2020-04-28 Thread Robert Relyea
On 04/22/2020 01:21 AM, laurent.cl...@gmail.com wrote: On Monday, March 30, 2020 at 6:28:55 PM UTC+2, Robert Relyea wrote: On 03/27/2020 12:21 PM, Louis Abraham wrote: Hi Matthew, Awesome, thanks and sorry for contacting the wrong list! Since then, I found the answer to the 14 bytes question

Crypto team minutes 202-05-12

2020-05-13 Thread Robert Relyea
Date: 2020-05-12 Chair: Ivan Minutes: Bob Participants: Alex, Standa, Jakub, Bob, Daiki, Toshi, Simo, Tomas, Sahana, Hubert, Ondrej, Ivan, Lucie Excused: Nikos Chair and minutes keeper update etherpad, after the meeting the minutes keeper sends minutes and prepares etherpad for next week -

Re: Crypto team minutes 202-05-12

2020-05-13 Thread Robert Relyea
Please ignore this, it went to the wrong list. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

No Post Quantum this week.

2020-09-14 Thread Robert Relyea
Bob has a dental appointment and will be out. See you in 2 weeks. bob

Re: No Post Quantum this week.

2020-09-14 Thread Robert Relyea
On 9/14/20 10:19 AM, Robert Relyea wrote: Bob has a dental appointment and will be out. See you in 2 weeks. bob Went to the wrong list. You can ignore this. bob

Re: Default Password callback

2020-10-01 Thread Robert Relyea
On 10/1/20 5:37 AM, Daniel Gustafsson wrote: I'm implementing support for NSS into a codebase which already has OpenSSL support, and when looking at the passphrase callbacks I ran into a question. Is my understanding correct that there is no default password callback like how OpenSSL has a

Re: Regarding SQLite in NSS 3.44.4

2020-08-07 Thread Robert Relyea
On 8/7/20 1:27 AM, Rahul S wrote: Hi Team, Hope all are doing good! I would like to get some clarification about the SQLite version in NSS 3.44.4. From release notes of NSS 3.46, I see that the "Bug 1550636 - Upgrade SQLite in NSS to a

Re: [ANNOUNCE] NSS 3.53 release

2020-06-10 Thread Robert Relyea
On 6/1/20 5:18 PM, JC Jones wrote: The NSS team released Network Security Services (NSS) 3.53 on 29 May 2020. NSS 3.53 will be a long-term support release, supporting Firefox 78 ESR. Looks like we updated certdata.txt without updating the version number in nssckbi.h. This caused some

Re: [ANNOUNCE] NSS 3.53 release

2020-06-11 Thread Robert Relyea
be the best place to put it? nss/automation? bob On Thu, Jun 11, 2020 at 3:52 AM Robert Relyea wrote: On 6/1/20 5:18 PM, JC Jones wrote: The NSS team released Network Security Services (NSS) 3.53 on 29 May 2020. NSS 3.53 will be a long-term support release, supporting Firefox 78 ESR. Looks like
