Patrick wrote:
Hello,
Is there a way to use an OCSP responder with NSS so that NSS uses it
when checking a certificate? I believe NSS would if the certificate had
the OCSP info in it but I'm talking about configuring NSS to use a
custom or local OCSP server...
Yes. There are three
as valid.
Case 3 is the hardest to solve, but I'm not sure it's the most important.
-- Patrick
Bob Relyea wrote:
Patrick wrote:
Hello,
Is there a way to use an OCSP responder with NSS so that NSS uses it
when checking a certificate? I believe NSS would if the certificate had
Patrick wrote:
Hello,
From looking at the code (nss\lib\certhigh\certvfy.c) it looks like NSS
when checking a cert does the CRL check this way:
1. look up the CRL based on CA name
2. verify the CRL signature
3. Verify the date validity of the CRL
4. check if cert is in CRL
The
tak wrote:
Thank you. I understood it.
I plan to develop an application which has the function of digital
signature and encryption.
I'm looking for sample source code for developing the application.
I found the following URL.
http://lxr.mozilla.org/mozilla/source/security/nss/cmd/
Are there
pfnus wrote:
Hello everybody,
When Communicator (4.77) called my pkcs11 module during
C_VerifyRecover,
after I have decrypted the signature, I found that the padding is
wrong (not compliant with PKCS1 format). The first and second byte is
'0', and the third byte is '1', followed by
m_jesu wrote:
Hi.
Thanks for the information.
I've tried to adapt the files pk12util.c and pk12util.h to windows
environment, and it compiles ok but when I try to link it doesn't work. I
think that I haven't got all the libraries (lib and dll).
I've got installed in my system NSPR
John Gardiner Myers wrote:
When NSS_Initialize() fails, how can the caller obtain an error code or
message corresponding to the particular failure so that it can make a
useful report to the user?
PORT_GetError() is supposed to return an NSS Error explaining why
Initialized failed. It's
Carman, George wrote:
We tried using pk12util in nss 3.1.1 as follows:
The database in writable directory:
./alias-cert.db
./alias-key.db
./pk12util -o outfile.p12 -d . -n nickname -P alias
This just gives the usage help message. Any suggestions on how to use the tool?
I use the following to make the root CA keypair and certificate (step
1 from above):
% certutil -N -d credstore/proj/env
% certutil -S -n "proj env Root Cert" \
    -s "CN=LDAPRootCA, OU=proj env, O=My Org, C=GB" \
    -t CT,CT,CT -x -m 1234 -v 60 -f password-file \
    -d credstore/proj/env -z random.data
Priit Randla wrote:
Also, what should I do to avoid Mozilla (and Netscape) asking pins
for private keys which are associated
with certificates unsuitable for TLS (nonRepudiation, authenticate
once per priv-key operation)?
Oops, I forgot the 2nd half of your question.
Currently
. If you want to use a test
site (to http://testca.netscape.com )
bob
Ferenc Kubinszky wrote:
Yes, of course.
Mozilla said it is not a verified/entrusted CA.
Why can't I add my own CA to the CA list ?
Kubi
On Wed, 8 May 2002, Bob Relyea wrote:
Did you go to mail Account setting folder
The modification appears in the file 'pk11cert.c' between the version 1.82
and 1.83. The author of this modification is Bob Relyea.
Maybe Bob will add some comments here.
Nelson is correct in his analysis. The only thing I can think of that
may be going on is for some reason your token
Jean-Marc Desperrier wrote:
I'm currently trying to work with NSS for Mac OS 9/X in the old shared
lib format .shlb (not mach-o dynamic library .dylib ).
It seems there has never been a binary distribution available in that
format.
Release 3.4 claimed Mac OS 9 and Metrowerks CodeWarrior Pro 5
Flash wrote:
2. What is (are) the email address(es) in the cert?
3. If the email address is in the cert subject name, what is the name
of the attribute in which it appears?
4. Is the email address in the SubjectAltName extension?
5. Does the email address in the cert exactly match the email
Wong Timothy wrote:
All:
I am trying to implement cryptoki functions and had a few
questions.
1) When a user successfully logs in, he opens a session. How do I
know if a session is RO or R/W?
Actually the session is opened before he logs in. Cryptoki requires a
session ID on login.
Once
Philippe Camacho wrote:
Hello,
I try to use SGN_Digest with the algorithm
SEC_OID_PKCS1_RSA_ENCRYPTION but it fails: The error code given by
PR_GetError is -8186 (Bad algorithm). I tried other algorithms but it
still failed...
Which algorithm am I supposed to use?
Easy thing to confuse
[EMAIL PROTECTED] wrote:
Hi, Now I have met a problem that I don't know how to read
Certificates from Mozilla's certificate database. Those Certs have
been installed by PKCS#11 with a hardware-token or software-token and
web-installed way. Anyway, I want to get all user's certificate out
from Mozilla
Wong Timothy wrote:
All:
When creating a cert object, one of the parameters in the template I
have to pass in is CKA_VALUE.
According to the PKCS11 specs, CKA_VALUE is the BER-encoding of the
certificate.
1) What is BER-encoding of the certificate? (I am new to the security
arena...so I am
[EMAIL PROTECTED] wrote:
Hello,
Is it possible to use new versions of mozilla/firefox with the windows
cryptoapi? My company uses a proprietary product for certificate
management, preventing me from importing them into firefox. I can only
access the certificates through the cryptoapi :( and hope to be
Petar Popara wrote:
I'm looking in base64.h file and I have a doubt. Other crypto libraries
( like OpenSSL ) usually have decode() ( or encode() ) func which allows
data to be added by calling this func several times and adding small pieces
of data and at the finish() should be called to
[EMAIL PROTECTED] wrote:
After installing CMS, the CA signing key is stored in key3.db file.
Do you know any tool to extract that key and store it in a file (in encrypted
format)?
Thanks a lot,
Gary
Gervase Markham wrote:
Ian G wrote:
Good, I'm glad you understand what is meant by
branding. By forcing VeriSign to brand themselves
like Virgin, they are laid bare to their trusting public.
Who knows, maybe they will surprise us all.
You expect Verisign to start taking out brand-building ads
John Simeone wrote:
Thanks to Nelson for the prompt reply Re: Bad database message with
NSS 3.9.2.
I executed as per his directions a cert request and got a req file
out. When I went to self-sign it (using the -x option) so as to use it
as the Certificate Authority for subsequent certs, I got
Nelson B wrote:
Ian G wrote:
Where are these 'Grant' dialogs?
They were part of the browser when the Java engine was part of
the browser, as in Netscape 4.x. They were used when a java
applet requested extra privilege. Netscape had defined some
certificate extensions that were used by one or
Ian G wrote:
Bob Relyea wrote:
yes it does. If you can't trust you've made a connection to the site
you thought you made a connection to, you have no security. Saying
you do is like saying I'm secure because I have an RF shielded cable
running from my computer.
Hmm... people trust
smith wrote:
Can nss generate no CKA_EXTRACTABLE attribute rsa key, if could how to do?
NSS does not specifically set CKA_EXTRACTABLE at all. Instead it lets
the token decide whether or not to make the key extractable.
Bertold wrote:
Hi,
I am trying to use password based encryption, and got a code working.
My problem is that if I feed the same parameters (password, salt,
iteration count) into an equivalent code written in Java (and using Sun
JRE 1.4.2), then the result of the encryption will be different.
I
Antonio Andrés Espallardo wrote:
Hi. I've modified my C_DecryptUpdate method, and now it's returning
the correct length, but I'm having a problem with the last block
caused by PADDING I think. This is what I obtain when I try to decrypt
a mail message using 3DES mechanism:
And the last
Nelson B wrote:
Bob Relyea wrote:
Antonio Andrés Espallardo wrote:
Now I don't know what happens but Netscape doesn't finalize the
decrypt operation correctly calling C_DecryptFinal, but it closes the
session. The message is shown decrypted in the mail manager, but
Netscape hasn't finalized
[EMAIL PROTECTED] wrote:
Hello,
I've just started using NSS. Could someone please explain to me the
purpose/reason behind using arenas for memory allocation rather than
straight heap allocation using PR_MALLOC and PR_FREE?
In a nutshell, arenas allow us to build tree linked data structures,
NSS provides a call to set the password callback. Applications are
responsible for deciding how to get the password. Usually applications
will prompt the user at startup for the password, then remember that
password for later restarts (in something less than persistent memory;).
There are
will wrote:
I was trying to load a PKCS #11 provider using modutil. It loads
successfully but when I try to read the detail of the provider by doing
modutil -list my provider
I saw one of the following...
Type: Software
Version Number: 0.0
Firmware Version: 0.0
Status: DISABLED (could not
robd wrote:
What version of PKCS #11 is this header file from?
It appears that it is 2.20 but I have found differences between what's
in the Firefox 1.0.2 NSS 3.9 source and what is posted on the RSA
Labs site.
It's not a full 2.20. Only those mechanisms that were missing for HMAC
were added.
Ian Grigg wrote:
I was thinking through possible attack scenarios against this proposed
UI and came up with a dangerous one:
You are filling out a form in a page served by a site certified by
Verisign. You hit the submit button. Your HTTPS connection has timed
out, so the browser initiates a new
Hashim Saleem wrote:
Hi,
Well, according to my RD, NSS only supports to decode (i.e. to print them
in readable format not the hex dump) the following extensions for the
following cryptographic objects.
Certificate
--
BasicConstraint.
Certificate Policies.
AuthKeyID.
KeyUsage.
Kyle Hamilton wrote:
Okay...?
If this is the case, is there a compiler from ASN.1-language to NSS
ASN.1-template-structure available?
(It would be nice if extension owners could load the templates
somewhere which could then be used by other applications for display
purposes. Probably not going to
Ian G wrote:
On Monday 09 May 2005 20:30, [EMAIL PROTECTED] wrote:
Hi, Frank, et. al.
COMODO has been offering FREE fully signed certs:
http://www.instantssl.com/ssl-certificate-products/free-ssl-certificate.html?currency=USD&region=North%20America&country=US (since 2002:
Ram A Moskovitz wrote:
This works:
certutil -M -d ./ -n a cert in cert8.db -t w,w,w
This fails as designed (as the cert is not in the cert8.db file):
certutil -M -d ./ -n a cert in P11 module and not in cert8.db -t w,w,w
This fails but I was hoping it would work:
certutil -M -d ./ -h all -n a cert
Petar Popara wrote:
I have found this example of PK11_PubEncryptRaw usage:
http://www.mozilla.org/projects/security/pki/nss/sample-code/sample4.html
but it doesn't do any padding, because input length is equal to public key
length. Any examples of PKCS#1 padding?
Julien can evaluate your steps for you, but if you want an example of
how to do this, you can examine the CRL manager code in mozilla.
Checkout a mozilla release or fetch the tarball and look at
mozilla/security/manager/ssl/src/nsCRLManager.cpp
bob
E Perlade wrote:
Hi
I was looking for a
Petar Popara wrote:
Bob,
Allow me few questions about DSA algorithm.
1. Is any key size supported (from 512 up to 2048 or 4096)?
All defined DSA sizes are support (as of when we wrote the code). That
is from 512 to 1024, steps of 64. In practice everyone just used 1024
bits. This means
Petar Popara wrote:
Seems that libnspr4.dll is WinNT version of nspr4.dll. Does that mean that I
have to supply my plugin in two versions: for Win95/98 (linked with
nspr4.dll) and for WinNT/2000 (linked with libnspr4.dll)? I don't like this
solution. :(
The difference between these 2
Manoj Srivastava wrote:
When the master password timeout option is set to Every time it is needed,
the keygen tag in the HTML page used for generating private key fails to
work properly. This page has code to invoke our ActiveX component for
signing the certificate request. Our component uses
alex21 wrote:
I'm verifying certificates in the chain. I found that I cannot reinitialize
NSS after calling CERT_VerifyCertificate, because at some point it
increments Pk11 slot reference counter. Here's the sequence:
PK11SlotInfo *slot = PK11_GetInternalKeySlot(); // just for tracking
Petar Popara wrote:
I need to download CRL from HTTP address. I was thinking since NSS
supports SSL, it might support HTTP as well? Which NSS function(s) should I
use?
I have found this:
http://lxr.mozilla.org/mozilla/source/security/nss/cmd/SSLsample/client.c
but it seems it
pmgk wrote:
Hi,
I installed a custom NSS Security Device using the Device Manager console.
Is there a script that I can run to :
- install directly this new Security Device into the Firefox browser
when I plug-in my NSS secure device into an USB port?
- uninstall the
John H. wrote:
It never works on this site, but are the certs what is wrong?
I mean, I am prompted for my card's pin, which I input, and then
get that error.
You're prompted for the pin so that we can read the certs of the card
(not all cards present all the certs
until the card itself is
The problem is in the softokn3.dll module. This PKCS #11 module
requires extra parameters which are not part of the PKCS #11 spec
(they've been proposed, but it's been several years and haven't yet been
accepted -- mostly due to inertia).
Anyway softokn3.dll requires these parameters in order
Alexander Miro wrote:
Hi everyone,
Does anyone know how to read/write digital certificates
in Mozilla's client certificate database (cert8.db) using the
Mozilla's API ?
from chrome, html, or XPCOM?
From html there are mime-types that you can specify as certificates to
load into the
Tim Wong wrote:
I'm trying to create a function list to be able to be returned in
C_GetFunctionList. The code looks something like the following:
CK_FUNCTION_LIST FunctionList = {
{2,0},
C_Initialize , C_Finalize, C_GetInfo,
...
Jo Grant wrote:
I'm using JSS 3.4 (with NSS 3.10) in a Java application. The Java app
cannot see token events (such as smart card insertions and removals)
unless I exit the app and restart. The public JSS methods
PK11Module.getTokens() and CryptoManager.getModules() return JSS's
snapshot of
robd wrote:
The problem is occurring in sec_pkcs12_validate_cert_nickname()
I will enter a bug for this if one doesn't already exist but I am
having problems accessing https://bugzilla.mozilla.org/
When you enter the bug, it would be helpful if you can include a PKCS
#12 file which
I'm making the following 2 assumptions from your description:
1) You are able to get to DoD sites on linux with your CAC card. ---
and --
2) You are able to get to DoD and navy.mil on Windows with your CAC
cards.
If this is the case, then it might be a problem with some missing
[EMAIL PROTECTED] wrote:
The problem I have encountered has been in trying to get Thunderbird to
encrypt. From what I can make out everything is moving along happily
until NSS calls C_FindObjectsInit with a CKA_CLASS value of
CKO_NETSCAPE_SMIME. Another attribute in the search template is
Daniel Etzold wrote:
Hi,
I'm developing a security module for Mozilla which communicates with a
basic card which I want to use as a container for keys and
certificates. I am able to load the module and to login into the
token. Now, I want to import a certificate and want to store it on the
jpujol wrote:
Does somebody know why I can define and log into my Aladdin eToken
device from Firefox (1.5 beta2) but not from Thunderbird (1.5 beta2 as
well) ? Loading the device is OK, but then, login is impossible ...
What do you see, and what did you expect to see?
Mozilla clients only
[EMAIL PROTECTED] wrote:
Hello all,
I am looking into possible ways to interface NSS and OpenSSL, so that
NSS forms a layer over OpenSSL. In this newsgroup, I read that
somebody has actually written code that does this. Does anybody have
any information about existing implementations or
itspki wrote:
I load my PKCS#11 module to mozilla, and print log to my log file. I
can't find C_Opensession() being called, and mozilla executes
C_SetAttributeValue() to do something, then an error occurred.
Can you tell me why?
This doesn't sound right. NSS does at least one C_OpenSession when the
Wan-Teh Chang wrote:
itspki wrote:
Hi all:
I load my pkcs#11 modules to mozilla explore and it worked. I log
all the calling process, I found when I login my token in the
security device manager, the function C_FindObjectsInit called, and
the CKA_CLASS is 0xce534353, ulCount is 1.
I'm
itspki wrote:
Wan-Teh Chang wrote:
itspki wrote:
Hi bob:
The list is new log file content, you can see NSS call C_Initialize
on time, and load my pkcs#11 library twice(DLL_PROCESS_ATTACH and
DLL_THREAD_ATTACH), and the problem still exist - login failed.
That doesn't mean your PKCS #11
Peter Djalaliev wrote:
Hello,
Does NSS have an option to do an upcall to the Mozilla application -
e.g. Firefox? For example, if during the TLS handshake we want to
query the user for something, what would be the best way to do this?
Firefox has control over all the UI. NSS does indeed make
itspki wrote:
Hi all:
When using the pkcs#11 API to do cryptography, there are some mechanisms that require
parameters, such as CK_RC2_PARAMS, which indicates the effective
number of bits in the RC2 search space.
My question is: must the parameters be set? Can't they be NULL? RC2
algorithm has the default
Vivek wrote:
Hi,
I have a PKCS11 (v 2.1) library. Using this library via Mozilla I am
trying to import a certificate on to the smart card. The process fails
because this library does not support generation of RSA public keys on
the token..
On looking at the failure point I see that much
Eugene Maltsev wrote:
Hello.
I have an application which uses mozilla 1.7.12 for displaying web pages.
And it doesn't work with https protocol.
PSM is turned on the only thing that happens is gpf
First there is a call to PK11_GetInternalSlot(); which calls
SECMOD_GetInternalModule and it
Gary van der Merwe wrote:
Hi
I'm building a client/server app for playing bridge online.
The client will be written in xul - loaded in the browser through http
(not chrome).
I am looking for a way to encrypt the user's password on the client.
What you are trying to do is build a secure
Emilio Perez wrote:
Hello.
Is there any way to create a new Software security device besides the
one that is bundled with Mozilla/Firefox?
The Software security device is basically a PKCS #11 module. You can
load additional pkcs #11 modules to support external hardware or your
own idea of
[EMAIL PROTECTED] wrote:
I then configured my courier-imap daemon to use this cert. *BEFORE* I
imported my new CA cert into Thunderbird, I tried to fetch my mail.
T-Bird, of course, complained about a cert that it couldn't verify.
When I click on Examine Certificate... the dialog box tells me