Is there a pk1util that would allow for PKCS#1 management? I think that would be more useful than requiring a self-signed public key wrapper for pk12util.
-Kyle H

On Thu, Apr 23, 2009 at 1:45 PM, Nelson B Bolyard <nel...@bolyard.me> wrote:
> Andriy Zakharchuk wrote, On 2009-04-23 12:07:
>> Hello all,
>>
>> I have a keys database file (key3.db) and need to export a private key
>> from it, but can not do this.
>
> What version of the NSS utilities are you using? version 3.??.??
>
>> certutil.exe -L -d .
>>
>> gives empty output (empty line) and
>>
>> certutil.exe -K -d .
>>
>> gives the following output
>>
>> <0> AAA-update-key
>> <1> BBB-update-key
>> <2> CCC-update-key
>
> Is that literally what you see? Or do you see output with some long
> strings of hexadecimal characters, e.g.
> <0> 0549d7e3a1b3c5d7f89 [...]
>
> ??
>
>> In other words I have a database with private keys but without
>> certificates (the database was created by McCoy tool).
>
> So, there is an application that uses NSS, named McCoy, that leaves
> users with DBs in a state where they cannot do what they want.
> Seems like this is an issue to raise with the McCoy developers.
> The NSS team really cannot support every application that uses NSS.
>
>> To export key I tried to use pk12util.
>
> Why do you want to export it?
> Is there some other tool into which you want to import it?
> Do you merely wish to make a backup?
>
> Your answers to these questions may lead to suggestions of alternative
> solutions.
>
>> In the command line I have to specify certificate
>> name (-n option), but I don't have any.
>
> Yes, NSS is intended for use in PKI applications, where use of public
> and private keys is done in accordance with normal PKI procedures.
> Someone has chosen to implement a non-PKI application, using "bare"
> keys without certs, and has not made the application sufficiently
> complete. Now, the incomplete nature of that application is becoming
> an NSS problem. :( :( :(
>
>> find user certs from nickname failed: security library: bad database.
>
> Right.
> pk12util is intended to export a cert and its associated private key
> together in a secure manner. You don't have the primary one of those
> ingredients.
>
>> So the question is: is there any way to export private keys from such
>> database (probably smbd had similar problem with McCoy)?
>
> Bare private keys by themselves?
> NSS utility programs are intended to NOT do that.
> The idea is to NOT make it easy for the user to ruin his own security.
>
> NSS utilities are intended to support PKI. In non-PKI crypto applications,
> it is the application developer's duty to provide the necessary
> functionality to be used with his application.
>
> NSS has an outstanding Request For Enhancement (RFE) asking that certutil
> have the ability to generate a Certificate Signing Request (CSR) from any
> private key, including "orphan" keys (those that are not associated with
> any certificates). This is bug
> https://bugzilla.mozilla.org/show_bug.cgi?id=430198
>
> If that feature was implemented, you could use it to create a self signed
> cert, and with that, you could then use pk12util to export the cert and key.
>
> Perhaps you would like to implement that RFE. The only changes required
> are (or, should be) in the utility program source code itself, and not in
> NSS's crypto libraries.
> --
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
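The route Nelson sketches above (give the orphan key a self-signed certificate, then bundle key and cert together as PKCS#12, which is what pk12util produces) can be shown end to end outside NSS. The following is an added example for this thread, not code from NSS, McCoy or either poster; it uses the third-party Python `cryptography` package (assumed installed) in place of certutil/pk12util, and the key, nickname and password are constructed for the demonstration. It also does the check a PKCS#12 consumer relies on: after loading the bundle back, the certificate's public key must match the private key that travelled with it.

```python
"""Wrap an orphan private key in a self-signed certificate and export the
pair as PKCS#12. Added example using the `cryptography` package; the key,
nickname and password below are constructed, not taken from any real DB."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID


def make_orphan_key(bits: int = 2048) -> rsa.RSAPrivateKey:
    """Constructed stand-in for a bare key such as 'AAA-update-key' in
    key3.db: a private key with no certificate associated with it."""
    return rsa.generate_private_key(public_exponent=65537, key_size=bits)


def wrap_in_self_signed_cert(key: rsa.RSAPrivateKey, nickname: str,
                             days: int = 365) -> x509.Certificate:
    """Build the minimal self-signed certificate that PKCS#12 tooling wants
    next to the key. Subject and issuer are the same name and the cert is
    signed with the orphan key itself, so it binds the key's public half
    without any CA involvement."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, nickname)])
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=False, path_length=None),
                       critical=True)
    )
    return builder.sign(key, hashes.SHA256())


def export_pkcs12(key: rsa.RSAPrivateKey, cert: x509.Certificate,
                  nickname: str, password: bytes) -> bytes:
    """Serialize key + cert into a password-protected PKCS#12 blob, the
    same shape of output `pk12util -o file.p12 -n <nickname>` gives."""
    return pkcs12.serialize_key_and_certificates(
        nickname.encode(), key, cert, None,
        serialization.BestAvailableEncryption(password))


def import_pkcs12(blob: bytes, password: bytes):
    """Load the bundle back and confirm the cert really certifies the key
    that travels with it. Returns (friendly_name, cert_matches_key).
    A wrong password raises ValueError from the library."""
    key, cert, _chain = pkcs12.load_key_and_certificates(blob, password)
    matches = (cert.public_key().public_numbers()
               == key.public_key().public_numbers())
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    return cn, matches


if __name__ == "__main__":
    k = make_orphan_key()
    c = wrap_in_self_signed_cert(k, "AAA-update-key")
    blob = export_pkcs12(k, c, "AAA-update-key", b"constructed-password")
    print(import_pkcs12(blob, b"constructed-password"))
```

The self-signed wrapper carries no trust of its own (nothing has vouched for the name), it only satisfies the structural requirement that a PKCS#12 key travel with a certificate; that is the same reason the NSS RFE in the thread asks for a CSR from an orphan key rather than for bare-key export.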