Hello Nelson,

thank you for so detailed answer. Please see my comments/answers below.

I have a keys database file (key3.db) and need to export a private key from it, but can not do this.

What version of the NSS utilities are you using?  version 3.??.??
I believe I use version 3.11, however I'm not sure about release number.

<0> AAA-update-key
<1> BBB-update-key
<2> CCC-update-key

It that literally what you see?  Or do you see output with some long
strings of hexadecimal characters, e.g.
  <0> 0549d7e3a1b3c5d7f89 [...]

Yes, I see symbolic names, no any hexadecimal digits (keyIDs, right?).

In other words I have a database with private keys but without certificates (the database was created by McCoy tool).

So, there is an application that uses NSS, named McCoy, that leaves
users with DBs in a state where they cannot do what they want.
Seems like this is an issue to raise with the McCoy developers.
The NSS team really cannot support every application that uses NSS.

McCoy is an application (actually, a Firefox extension) that allows manage secure updates to add-ons authors, i.e. sign XPI files and sign update.rdf. It is (officially) recommended by Mozilla to sign Firefox or Thunderbird extensions.


To export key I tried to use pk12util.

Why do you want to export it?
Is there some other tool into which you want to import it?
Do you merely wish to make a backup?

We have a legacy system (Firefox extensions which has been developed for a pretty long time) where extensions are signed with McCoy. The problem is that McCoy is GUI application, which requires user interaction, whereas we want to setup build server where and sign extensions without user interaction.

We would prefer to find (or create) some command line utility which can be called from the build. At this moment we consider using XPISigner - pure Java utility which require private key in PKCS#12 form.

There is a lot copies of our FF extensions are installed and we would prefer to reuse existing keys than change key and force user perform double extension update.

So probably the right answer here is to export key to use it with another tool.

Your answers to these questions may lead to suggestions of alternative

In the command line I have to specify certificate name (-n option), but I don't have any.

Yes, NSS is intended for use in PKI applications, where use of public
and private keys is done in accordance with normal PKI procedures.
Someone has chosen to implement a non-PKI application, using "bare"
keys without certs, and has not made the application sufficiently
complete.  Now, the incomplete nature of that application is becoming
an NSS problem.  :( :( :(

Yes, basically I understand PKI nature and was also surprised about storing private key without certificate. And I don't say that it is an NSS problem. From the other hand, I believe that McCoy uses NSS API, so there is a possibility to store keys without certificates in the keys database.

We created a small utility (using NSS API) which can restore the key. However, it seems that in the runtime we don't have a key itself, we have only a handle to it (SECKEYPrivateKeyStr.pkcs11ID), the key itself is hidden in the NSS engine and we don't see a way how to serialize it into PKCS#12 keystore.

So probably the next question here is what we can do with this object? Generate public key and certificate?


Is that all available documentation on NSS functions?

find user certs from nickname failed: security library: bad database.

pk12util is intended to export a cert and its associated private key
together in a secure manner.  You don't have the primary one of those

So the question is: is there any way to export private keys from such database (probably smbd had similar problem with McCoy)?

Bare private keys by themselves?
NSS utility programs are intended to NOT do that.
The idea is to NOT make it easy for the user to ruin his own security.

NSS utilities are intended to support PKI.  In non-PKI crypto applications,
it is the application developer's duty to provide the necessary
functionality to be used with his application.

NSS has an outstanding Request For Enhancement (RFE) asking that certutil
have the ability to generate a Certificate Signing Request (CSR) from any
private key, including "orphan" keys (those that are not associated with
any certificates).  This is bug

That's probably thing we are trying to do now. However, at this moment our function doesn't work as find-key-by-CKA_ID, we just take private keys by their index in the database (0, 1, 2). Roughly speaking, from the certutil output I'm not sure they have keyIDs at all.

Best regards,
dev-tech-crypto mailing list

Reply via email to