When building with both "NSS_ENABLE_ECC" and "NSS_ECC_MORE_THAN_SUITE_B"
enabled, the build fails because of lib/freebl/ecl/ecl-curve.h:

#ifdef NSS_ECC_MORE_THAN_SUITE_B
#error This source file is for Basic ECC only .
#endif

I guess this is the extent to which softoken can be used? Then the certificate
operations in "Extended ECC" mode require a third-party module? Sorry, I
was confused because I thought both modes were essentially the same, only
that "Basic ECC" only supported the three curves NISTP256, NISTP384, and
NISTP521.

On Fri, Jan 15, 2010 at 4:21 PM, Kai Chan <[email protected]> wrote:
> Hi,
>
> I take it "Extended ECC" is the additional option of
> "NSS_ECC_MORE_THAN_SUITE_B"? I tried NSS 3.12.5 with NSPR 8.2 with only
> that option and "NSS_ENABLE_ECC", so it's using softoken. Unfortunately,
> still getting the same error. Here's the command again in case I made a
> mistake:
>
>
> certutil -R -s "CN=ectest, O=ectest, L=ectest, ST=ectest, C=US" -p
> "123-456-7890" -o ectest.req -d . -k ec -q nistp256 -Z SHA256
>
> Thanks,
> Kai
>
>
> On Fri, Jan 15, 2010 at 2:30 PM, Wan-Teh Chang <[email protected]> wrote:
>
>> Kai,
>>
>> In NSS builds marked as "Basic ECC", ECC may be
>> used only for TLS/SSL. So it's possible that certutil cannot
>> generate CSRs when the "Basic ECC" version of NSS
>> is used.
>>
>> In NSS builds marked as "Extended ECC", certutil
>> should be able to generate CSRs. If not, it's a bug.
>>
>> You can read this wiki page for a recommended way
>> to use a third-party ECC library with NSS:
>> http://pki.fedoraproject.org/wiki/ECC_Capable_NSS
>>
>> Wan-Teh
>> --
>> dev-tech-crypto mailing list
>> [email protected]
>> https://lists.mozilla.org/listinfo/dev-tech-crypto
>>
>
>