2010/1/18 Kai Chan <[email protected]>:
> When building with both "NSS_ENABLE_ECC" and "NSS_ECC_MORE_THAN_SUITE_B"
> enabled, the build fails because of lib/freebl/ecl/ecl-curve.h:
> #ifdef NSS_ECC_MORE_THAN_SUITE_B
> #error This source file is for Basic ECC only .
> #endif
>
> I guess this is the extent softoken can be used? Then the certificate
> operations in "Extended ECC" mode require a third-party module? Sorry, I
> was confused because I thought both modes were essentially the same, only
> that "Basic ECC" only supported the three curves NISTP256, NISTP384, and
> NISTP521

The number of curves supported is not the only difference between
"Basic ECC" and "Extended ECC". The other difference is that in
"Basic ECC", ECC can only be used for SSL/TLS, so certutil cannot
generate CSRs.

I just verified it. The SEC_DerSignData call made by certutil
ultimately fails here with the SEC_ERROR_INVALID_ALGORITHM error:
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/cryptohi/secsign.c&rev=1.21&mark=62,92-97#61

hence the
    certutil: signing of data failed: security library: invalid algorithm
error message you reported.

With the nss-3.12.5-with-nspr-4.8.2.tar.gz tarball that you
downloaded from Mozilla, you have to build "Extended ECC" using
the complicated procedure described in
http://pki.fedoraproject.org/wiki/ECC_Capable_NSS, and you have
to use a third-party ECC module.

Wan-Teh

