Tomorrow I will check in a large patch to NSS that extends the ECC
implementation from NSS 3.8. The new features of this code include:
* support for optimized curve-specific implementations
* optimized integer and floating point code for commonly-used named
curves
* support for creating,
Simone wrote:
Nelson wrote:
I'd guess that NSS has not been initialized properly, or that no PKCS 11
modules have been loaded that implement the requested algorithms, causing
the Best Slot lists for those mechanisms to be empty.
In effect my list seems to be empty. First of all I call
Christoph Brueckner wrote:
Ok. But why does softoken and builtin module only export the
C_GetFunctionList function? I thought softoken and builtin are
real PKCS#11 Modules. Why don't they export functions like
C_Initialize,
and all the other PKCS#11 functions directly? Instead softoken
exports
Gerd Schering wrote:
Hi,
I apologize if my questions have already been answered, but I didn't
find anything in the docs, faqs and archives.
1) I have three different certs from two distinct CAs. If I dump
cert7.db with
./certutil -L -d $HOME/.mozilla/gerd4000/nzt72va1.slt
only two show up:
POC wrote:
I want to be able to load trusted root CA certs and valid (but not
trusted) intermediate CA certs. NSS requires an unbroken CA chain up
to a root in order to validate a cert, and some SSL apps don't always
send a CA chain along with their end user cert. I therefore pre-load
some of
Winston O'Brien wrote:
Nelson;
I was hoping this wasn't the answer. This says that Moz is a closed
product that doesn't interact with other products even when using RFC
standard protocols and algorithms.
I have started to try the certutil and cmsutil tools. Unfortunately,
I run FreeBSD
POC wrote:
Hello,
The addbuiltin cmd creates a certdata.txt, which is then used to build
the nssckbi lib. A couple of things about that:
1. The new certdata.txt does not get processed properly by
certdata.perl (when doing the gmake generate in
mozilla\security\nss\lib\ckfw\builtins); but got it
Actually, why do you want to create a builtin CA with valid CA trust?
The purpose of the builtin module is to supply trusted roots, which is
probably why valid CA trust was overlooked - we only use the trusted CA bit.
-Ian
Ian McGreer wrote:
POC wrote:
Hello,
The addbuiltin cmd creates
certutil is available as a binary at
ftp.mozilla.org/pub/security/nss/releases. It is available outside of
the U.S. provided you are not in an export-controlled state or on the
watch list, see
http://www.mozilla.org/projects/security/pki/src/download.html
Regarding the discussion in the
raffe wrote:
- Problem: I still get the certificate of the first smart card. I suppose
NSS is caching certificate list because of performance? Any way to get
right cert? i.e. accessing the new smart card?
It is true that NSS caches certificates, but if the cache is not
displaying the correct
NSS is using an as-yet-undocumented extension to CK_C_INITIALIZE_ARGS.
The additional parameter is a string containing softoken-specific
configuration stuff.
First, look at how NSS defines CK_C_INITIALIZE_ARGS:
http://lxr.mozilla.org/security/source/security/nss/lib/softoken/pkcs11t.h#1039
The
rg wrote:
Possible scenario:
- Available certificates are shown to user (I get a list of them via NSS
PK11_ListCerts)
-User selects a cert in smart card and signs with it. Everything ok so far
-User removes smart card from reader and replaces it with a different card
- Available
Loren wrote:
I don't know that commenting out the assert is a good idea. You're
probably getting a bogus error as a result.
Have you tried using the cert to sign something? That is, skip trying
to list it, and just go ahead and use it and see what happens.
-Ian
Yes I did, and failed :(
Loren wrote:
lorenhome:~/nss/nss-3.6/bin$ ./signtool -d . -l
using certificate directory: .
Object signing certificates
---
Test User One
Issued by: Test Root CA - Test Company (Test Root CA)
Expires: Tue Oct 28, 2003
Assertion failure: 0, at
Loren wrote:
Nelson B. Bolyard [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
You said your cert shows up when you list certs using the -L option.
Do they show up when you list certs using the -l option, which lists certs
that are allowed to sign objects?
OK, we are
You are looking at the implementation of C_CreateObject in the fortezza
module. NSS's softoken prefixes the Cryptoki API functions with NS, so
you should look for the implementation of NSC_CreateObject.
-Ian
On Mon, 30 Sep 2002 09:57:52 -0400, pingzhenyu wrote:
hi:
Why the
On Sat, 28 Sep 2002 19:37:47 -0400, Jingyu Liu wrote:
Hi all,
I tried to use CERT_CreateCertificate(...) to create a certificate, but
I got
a link error which says this function is not in nss3.lib. What happens
to this
function? If I want to create a certificate what API should I use?
Hi Ian,
Thanks for the reply. Here's the contents of the one of the dirs I'm testing
on:
# pwd
/opt/netscape/nes/3.63/alias
#
-rw-r--r-- 1 root other 236 Sep 27 2000 ServerCertInfo.txt
-rw-r--r-- 1 root netscape 0 Jan 31 2000 cert.log
-rw--- 1
Edward Quick wrote:
Hi,
After a long morning compiling NSS I finally managed it only to find
that things didn't quite work the way I expected:
I thought that if I cd'd into the certificate directory
/opt/netscape/nes/4.1/alias and did
certutil -L -d .
it would list the info of keys
Eric Murphy wrote:
See http://bugzilla.mozilla.org/show_bug.cgi?id=123296
Thanks,
Eric
I have commented on the bug. You gave an incorrect database password.
Naturally, we should fix signtool not to hang when it is provided with
an incorrect password (I wonder how this was never noticed
Stuart Davidson wrote:
Trying to change passwords on UNIX accounts stored in Win2K Active
Directory... we have extracted the Solaris 2.6 passwd binary and replaced
2.8 binary. However, still get the following error:
# passwd dav
Permission denied
The following is logged in
Mike McIntosh wrote:
Hi,
I am trying to use nss to provide SSL support for our server application but
I am falling at first hurdle
I used the certutil tool to add a certificate (verisign test certificate) to
database and this was successful
I have used the sample code
bonny joy wrote:
hi friends
I need to know what is the purpose of peer certificates what do we
mean by that
If i get a certificate from a webserver what trust i should give for
that is the trust is peer
These are the trust options given by the code
p Valid peer
P
, since it is writeable.
If you want a root that is trusted by default for any application that
uses NSS, that is a much larger statement.
-Ian
Ian McGreer [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED];
Kenneth R. Robinette wrote:
Yea, but that function also calls
Kenneth R. Robinette wrote:
Yea, but that function also calls CERT_DecodeDERCertificate, along with a
whole bunch of other functions. I thought the problem was with
CERT_DecodeDERCertificate, as was pointed out in a previous reply as
follows:
It is perfectly okay for an exported NSS
Kenneth R. Robinette wrote:
If implementing the above function is a problem with the new NSS, I would
recommend a new function exported in the nss3.dll named
PK11_ImportDERCertForKeyToSlot with the same parameters as the current
PK11_ImportCertForKeytoSlot, except replacing the cert parm with
Kenneth R. Robinette wrote:
Wan-Teh
After reading your note and thinking about it, I went back and compiled our
application using only dll linkage. All went well except for one function,
CERT_DecodeDERCertificate(). This is a rather common function required by
many things, including the
I believe this is
http://bugzilla.mozilla.org/show_bug.cgi?id=102543
I would recommend trying NSS 3.3.2 and seeing if it works. Let us know
if it does and we'll mark the bug as a dup.
-Ian
Daniel Lanovaz wrote:
I'm having trouble using cmsutil to decode enveloped
messages with 1
Eric Murphy wrote:
Is there a way to set the expiration date for signtool? Right now it is
only 4 months from the time of creation.
Also, what does the -z option mean? The certificate never expires?
I'm trying to avoid actually paying for a certificate... and just have
users install a
I would like to have a tool that would enable me to view a certificate
request in human readable format - parsed and commented, that is. There
may be such a thing, but I didn't see it in the documentation for the
nss tools. Again, for the most part this would simply be a way to
Andrew Huntwork wrote:
I'm having problems creating a certificate signed by a self-signed
certificate using certutil. Here's how the self signed cert is generated:
rm -f server_db/*
certutil -N -d server_db
certutil -S -d server_db/ -x -n cacert -t TCP,TCP,TCP -s CN=Andrew
Huntwork,
Steven,
Unfortunately, certutil will not work in the manner you are attempting.
Historically, NSS had separate utilities for doing key generation
and certificate generation. You had to generate the keys, and then
reference them by the first few bytes of the modulus when creating the
Steven T. Hatton wrote:
There seems to be a discrepancy between the versions of certutil in the
meaning of the -k option of -R. The documentation indicates that switch
precedes the key short name. OTOH the -H option on the certutil from
the NSS 3.3.1 indicates the -k distinguishes
Finn Fonnaas wrote:
Hi,
I've used Signtool 1.3 under win95 to create an object signing
certificate.
Communicator reports the Certificate as verified.
Signtool -l tells it good for signing objects, but
signtool -Z reports: Certificate extension not found
What is wrong???
Could you
Patrick wrote:
Hello,
Are the NSS binaries/source code available via FTP/HTTP download? Using
CVS can be problematic with my company's firewall...
-- Patrick
http://www.mozilla.org/projects/security/pki/nss/release_notes_33.html#distribution
-Ian
certutil -K does not work. This is a bug fixed on the tip, but not in
any release up to NSS 3.3.
Any idea when this fix will be released?
The next release is 3.4, and we have just started work on it. So, short
of building from source, it will be a while. What information do you
need
Binary distributions of NSS 3.3 (including modutil) are available at
ftp.mozilla.org/pub/security/nss/releases/NSS_3_3_RTM.
Frank Taylor wrote:
I am trying to set up an internal CA to mint certificates for a
Netscape Directory Server environment. I am trying to avoid using
Netscape's Admin Console in this process, so I want to use the NSS
toolkit. I am new to this software so please excuse me if these
questions
See the signtool documentation at:
http://www.mozilla.org/projects/security/pki/nss/tools/
-Ian
There is a bug in certutil, the fingerprint it displays is garbage for
certs living on a token (as the builtin certs do). As for the value PSM
shows, that matches with what 4.7x shows for the certs I looked at. I
don't know how IE computes their thumbprint, but I would be surprised
to learn
Jeffrey-
You are correct, all of those functions are internal-only (they are not
available using NSS shared libraries). The functions you named are part
of NSS's S/MIME v2 library, that is being displaced by the new S/MIME v3
library. As you discovered, the v3 library contains the NSS_CMS*
Colin Blake wrote:
Ian McGreer wrote:
what makes you say that? I connect to https://www.verisign.com and it
reports that I am using RC4 128 bits.
How do you know what level of security is being used? Page Info - Security
doesn't show anything for me.
M0.9 on both RH7 and OpenVMS
Ken Mandelberg wrote:
In article [EMAIL PROTECTED], Ian McGreer [EMAIL PROTECTED]
writes:
Ken Mandelberg wrote:
The default build for PSM2 seems to do 56 bits. How do I get 128 bits?
what makes you say that? I connect to https://www.verisign.com and it
reports that I am using RC4 128
Ken Mandelberg wrote:
The default build for PSM2 seems to do 56 bits. How do I get 128 bits?
what makes you say that? I connect to https://www.verisign.com and it
reports that I am using RC4 128 bits.
-Ian
It looks like you need to update your NSS tree. Try:
cvs co -rNSS_CLIENT_TAG mozilla/security/nss mozilla/security/coreconf
-Ian
I have used
MOZILLA_0_8_20010215_RELEASE rest of src
I believe there are some changes to netwerk after that date that PSM relies on. You
are going to have to pull from the trunk (or whatever branch client.mk pulls by
default).
-Ian
I saw this once, and (how embarrassing for me) fixed the symptom by
changing all "ssl.lib" references in ssl/src/makefile.win to
"ssl3.lib". However, that does not fix the problem.
Anyone know how to fix the problem?
[EMAIL PROTECTED] wrote:
Thank you very much, Ian! I have correctly gotten the cert.
Regarding certutil, I am not clear about the management process of cert and
private keys. When was the private key created? Does the cert contain
the private key? We must create private key by "certutil
PSM uses the PKCS#11 interface (via NSS). What you would need to write
is a PKCS#11 module that provides access to your cert (presumably, you
would do that anyway once you moved to smart cards).
See NSS documentation at
http://www.mozilla.org/projects/security/pki/nss/index.html.
Anyone know
Jorge Rey Martínez-Sapiña wrote:
I'd developed a signed applet. I'd made a Certificate using
signtool. Now I want to use that certificate in another Netscape. How can
I export my own certificate and import it on another computer?
Thanks very much. Jorge
If you simply want to