Hello Nelson,

thank you for such a detailed answer. Please see my comments/answers below.

I have a key database file (key3.db) and need to export a private key from it, but cannot do this.

What version of the NSS utilities are you using?  version 3.??.??
I believe I use version 3.11; however, I'm not sure about the release number.

<0> AAA-update-key
<1> BBB-update-key
<2> CCC-update-key

Is that literally what you see?  Or do you see output with some long
strings of hexadecimal characters, e.g.
  <0> 0549d7e3a1b3c5d7f89 [...]

??
Yes, I see symbolic names, no hexadecimal digits at all (key IDs, right?).

In other words, I have a database with private keys but without certificates (the database was created by the McCoy tool).

So, there is an application that uses NSS, named McCoy, that leaves
users with DBs in a state where they cannot do what they want.
Seems like this is an issue to raise with the McCoy developers.
The NSS team really cannot support every application that uses NSS.

McCoy is an application (actually, a Firefox extension) that allows add-on authors to manage secure updates, i.e. to sign XPI files and to sign update.rdf. It is (officially) recommended by Mozilla for signing Firefox or Thunderbird extensions.

https://developer.mozilla.org/En/McCoy

To export the key I tried to use pk12util.

Why do you want to export it?
Is there some other tool into which you want to import it?
Do you merely wish to make a backup?

We have a legacy system (Firefox extensions which have been developed for a pretty long time) where extensions are signed with McCoy. The problem is that McCoy is a GUI application, which requires user interaction, whereas we want to set up a build server and sign extensions there without user interaction.

We would prefer to find (or create) some command line utility which can be called from the build. At this moment we are considering using XPISigner, a pure Java utility which requires the private key in PKCS#12 form.

There are a lot of copies of our FF extensions installed, and we would prefer to reuse the existing keys rather than change the key and force users to perform a double extension update.

So probably the right answer here is to export the key to use it with another tool.

Your answers to these questions may lead to suggestions of alternative
solutions.

On the command line I have to specify a certificate name (-n option), but I don't have any.

Yes, NSS is intended for use in PKI applications, where use of public
and private keys is done in accordance with normal PKI procedures.
Someone has chosen to implement a non-PKI application, using "bare"
keys without certs, and has not made the application sufficiently
complete.  Now, the incomplete nature of that application is becoming
an NSS problem.  :( :( :(

Yes, basically I understand the nature of PKI and was also surprised about storing a private key without a certificate. And I don't say that it is an NSS problem. On the other hand, I believe that McCoy uses the NSS API, so there is a possibility to store keys without certificates in the key database.

We created a small utility (using the NSS API) which can restore the key. However, it seems that at runtime we don't have the key itself; we have only a handle to it (SECKEYPrivateKeyStr.pkcs11ID). The key itself is hidden in the NSS engine and we don't see a way to serialize it into a PKCS#12 keystore.

So probably the next question here is: what can we do with this object? Generate a public key and certificate?

http://www.mozilla.org/projects/security/pki/nss/ref/nssfunctions.html#pkcs12

Is that all available documentation on NSS functions?

find user certs from nickname failed: security library: bad database.

Right.
pk12util is intended to export a cert and its associated private key
together in a secure manner.  You don't have the primary one of those
ingredients.

So the question is: is there any way to export private keys from such a database (probably somebody had a similar problem with McCoy)?

Bare private keys by themselves?
NSS utility programs are intended to NOT do that.
The idea is to NOT make it easy for the user to ruin his own security.

NSS utilities are intended to support PKI.  In non-PKI crypto applications,
it is the application developer's duty to provide the necessary
functionality to be used with his application.

NSS has an outstanding Request For Enhancement (RFE) asking that certutil
have the ability to generate a Certificate Signing Request (CSR) from any
private key, including "orphan" keys (those that are not associated with
any certificates).  This is bug
https://bugzilla.mozilla.org/show_bug.cgi?id=430198

That's probably the thing we are trying to do now. However, at this moment our function doesn't work as find-key-by-CKA_ID; we just take private keys by their index in the database (0, 1, 2). Roughly speaking, from the certutil output I'm not sure they have key IDs at all.

--
Best regards,
Andriy.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
