Nelson,
Thanks for responding.
On 4/3/2010 3:27 AM, Nelson B Bolyard wrote:
> On 2010-04-02 11:07 PST, G. Richard Bellamy wrote:
>> I have some questions about signtool. Once again, these are probably
>> n00b questions, so I apologize if they’ve been covered elsewhere… any
>> guidance on relevant links would be much appreciated (e.g. a link to a
>> clearinghouse for doco on NSS and FIPS – I’ve found the FC_* doco on
>> mozilla.org, as well I’ve found
>> http://books.mozdev.org/html/mozilla-chp-12.html for some guidance on
>> how certutil and signtool interact).
>
> Be aware that numerous problems were found with that chapter 12, and its
> author eventually repudiated it. See his statement at http://certs.mozdev.org/

Yeah, I saw that after sending my post. I also saw his work-in-progress,
but it appears that hasn't been touched in some time. Is there some doco
that's more recent that covers similar use-cases?

>> About signtool:
>> · It seems to rely heavily on the signature verification used by JAR.
>
> It was created specifically for the purpose of signing JAR files.
> Later, Mozilla evolved JAR files into XPI files, and signtool was
> extended to sign XPI files also.

Understood.

>> If I set my secmod database to FIPS mode, am I guaranteed that
>> signatures are verified in FIPS mode?
>
> The signatures that YOU verify with that DB will be in FIPS mode, yes.

I should have been more clear, I was asking if signtool, certutil, etc,
could run in FIPS mode. From what I can tell, it does not, but I'm not
convinced of my own analysis, hence my question. For instance in
certutil.c, line 2609 says /* XXX temporary hack for fips - must log in
to get priv key */, but none of the code actually executes
FC_Initialize. From my reading, that's the only way to enable FIPS - is
this correct?

A follow-up question is - what is the consequence of setting secmod.db
to fips mode? How do other tools that use secmod interact when in fips mode?

>> · Are there plans to support external timestamps, a la the M$
>> signtool.exe /t switch?
>
> There are no plans to enhance signtool any further. The Firefox browser
> developers have no further interest in it.

So what tool does the FF dev community recommend for signing JARs and XPIs?

>> · Are there plans to support other formats than JAR and XPI?
>
> Among NSS's many command line tools there are tools to generate CMS
> signatures on arbitrary files. CMS signatures are the kinds of
> signatures used in S/MIME email. It is possible to create a crude
> SMIME email program with cmsutil.

I've looked at cmsutil. I'm mostly interested in object signing... I'll
look into it further and see if it's sufficient for my uses, or as a
jumping-off place for my own dev.

>> Namely, my interest is whether or not this tool is expected to support
>> other code-signing use cases (e.g. signing Windows dll/lib files, etc)?
>
> Each OS vendor supplies tools for producing file signatures that will
> be recognized and accepted by their own OS. Since Red Hat is making NSS
> be its standard core crypto library, it's possible that they will devise
> a signing tool for use with their Linux offerings. But it's doubtful that
> the NSS team will devise tools to sign programs for windows.

I suspected as much.

>> Is there somewhere I can find information (aside from reviewing the
>> source tree) for the nss/cmd utilities?
>
> Have you read the pages found at
> http://www.mozilla.org/projects/security/pki/nss/tools/ ??

Yes, I've read that page. What I was hoping for was some visibility into
answers to things like the questions I've posed above. As well:

1. Roadmaps (e.g. plans for man pages?)
2. Interoperability
3. Possible consolidation
4. nss/cmd/XXXX specific documentation (e.g. cmsutil is a part of smime,
   but there's no doco for smime that I can find, aside from the usage/help)

Thanks again for your response. Hopefully these questions aren't stoopid.

-rb
--
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto