Nelson B Bolyard wrote:
> David Stutzman wrote, (quoting me) On 2008-06-09 04:46 PDT:
>>> In NSS version 3.10 and later versions, pk12util has a third command option, in addition to -i (import) and -o (export) there is -l (that's ell, as in list). You can use it to list the contents of your PKCS#12 file. It won't show you the actual values of encrypted keys or encrypted certs, but it will at least list the keys, and the certs, and it will show the values (contents) of unencrypted certs, if any.
>> I might be misunderstanding what you're saying here, but I have PKCS#12 files where everything is stored in the encrypted SafeContents and
> What tool produced those PKCS#12 files with certs in encrypted bags? My (possibly mistaken) recollection is that NSS does not encrypt certs when it makes PKCS#12 files.

Actually, under certain conditions (well, the most likely conditions), NSS "lightly" encrypts the certs (DES-40 or something).
The condition under which NSS does not encrypt the certificates is running in FIPS mode.

This was historical baggage, which, IIRC, was done under the following logic:

1) It's probably best to encrypt the certs just for paranoia.
2) Export (at the time) would allow us to encrypt the private keys strongly, but not general data (including the certificates), so the certs were encrypted by some Export-allowed cipher.
3) Export ciphers are not allowed in FIPS mode, so if you are running in FIPS mode we simply don't encrypt the certs (which is allowed since certificates are not CSPs).

All of this is reconstructed from vague memories of 10 years ago when we started implementing this, coupled with recent memories of the PKCS #12 code which implements this (in pk12util). NOTE: this is fully under application control, so different NSS apps may have different behaviours (it's possible Mozilla is strongly encrypting the certs now, or not encrypting at all -- though I doubt that Mozilla has changed the behavior at all).
>> pk12util lists the certificates just fine. In my experience, pk12util is very flexible reading differently structured PKCS#12 files.
> Yes, NSS will decode/decrypt encrypted certs, whether the files it makes encrypt the certs or not. My statement above qualified pk12util's capabilities too narrowly.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
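The question the thread turns on, whether a given .p12 carries its certs in an encrypted SafeContents and under which password-based cipher, can be answered without decrypting anything by walking the outer PKCS#12 structure. The following is an added example, not code from the thread or from NSS: it assumes a DER-encoded PFX, uses the standard PKCS#7/PKCS#12/PKCS#5 object identifiers, and builds its own constructed sample file (with placeholder ciphertext) rather than a real NSS export.

```python
# Added example (not from the thread or NSS): walk the outer DER of a PKCS#12 file and report,
# per SafeContents, plaintext vs encrypted and which PBE algorithm protects it. No decryption.
DATA, ENCRYPTED_DATA = "1.2.840.113549.1.7.1", "1.2.840.113549.1.7.6"
PBE_NAMES = {"1.2.840.113549.1.12.1.6": "pbeWithSHA1And40BitRC2-CBC (export-grade)",
             "1.2.840.113549.1.12.1.3": "pbeWithSHA1And3-KeyTripleDES-CBC",
             "1.2.840.113549.1.5.13": "PBES2"}

def tlv(buf, pos=0):                               # one DER TLV -> (tag, value, next position)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                   # long-form length: next (n & 0x7F) bytes
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n
def children(value):                               # (tag, value) elements of a constructed value
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = tlv(value, pos)
        out.append((tag, v))
    return out
def oid(value):                                    # OBJECT IDENTIFIER content bytes -> dotted string
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur); cur = 0
    return ".".join(map(str, arcs))

def safe_contents_summary(pfx):                    # -> [(kind, algorithm)] per ContentInfo in AuthenticatedSafe
    auth_safe_ci = children(tlv(pfx)[1])[1]        # PFX.authSafe, after the version INTEGER
    _, (_, content) = children(auth_safe_ci[1])    # content [0] EXPLICIT OCTET STRING
    auth_safe = tlv(children(content)[0][1])[1]    # AuthenticatedSafe ::= SEQUENCE OF ContentInfo
    out = []
    for _, ci in children(auth_safe):
        (_, ctype), (_, body) = children(ci)
        if oid(ctype) == ENCRYPTED_DATA:
            eci = children(children(body)[0][1])[1][1]        # EncryptedData.encryptedContentInfo
            alg = oid(children(children(eci)[1][1])[0][1])    # contentEncryptionAlgorithm.algorithm
            out.append(("encrypted", PBE_NAMES.get(alg, alg)))
        else:
            out.append(("plaintext" if oid(ctype) == DATA else "unknown", None))
    return out

# Constructed sample (not an NSS export): a 40-bit RC2 encryptedData SafeContents with placeholder
# ciphertext beside a plaintext data SafeContents. Everything is < 128 bytes, so short-form lengths suffice.
def der(tag, *parts):
    body = b"".join(parts); return bytes([tag, len(body)]) + body
PKCS = bytes.fromhex("2a864886f70d01")             # encoded prefix 1.2.840.113549.1
content_info = lambda ctype, inner: der(0x30, der(0x06, ctype), der(0xA0, inner))
ENC_SAFE = content_info(PKCS + b"\x07\x06", der(0x30, der(0x02, b"\x00"), der(0x30,
    der(0x06, PKCS + b"\x07\x01"), der(0x30, der(0x06, PKCS + b"\x0c\x01\x06")), der(0x80, b"\x00" * 8))))
PLAIN_SAFE = content_info(PKCS + b"\x07\x01", der(0x04, der(0x30)))
SAMPLE_PFX = der(0x30, der(0x02, b"\x03"), content_info(PKCS + b"\x07\x01", der(0x04, der(0x30, ENC_SAFE, PLAIN_SAFE))))
```

On a real file, `safe_contents_summary(open("file.p12", "rb").read())` shows whether the cert bags sit in a `data` or an `encryptedData` SafeContents and which PBE identifier was used; the FIPS-mode behaviour described above shows up as the cert SafeContents being plaintext.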