On Wed, 2016-11-02 at 16:57 -0700, Opa114 wrote:
> Is it possible to access (read & write) the NSS (shared) Database
> (cert8.db & cert9.db) with OpenSSL? I mainly use OpenSSL, but now i
> need access to the NSS Databases and i don't want to use both
> libraries - NSS and OpenSSL - at the same time.
> 
> So is it possible and if yes how? 

You can use keys from the NSS database, fairly easily...

 $ cat ~/.config/pkcs11/modules/nss.module 
# Load the NSS libsoftokn.so.3 PKCS#11 library as a module. Note that we pass
# some custom non-standard initialization arguments, as NSS expects.
module: /lib64/libsoftokn3.so
x-init-reserved: configdir='sql:/home/dwmw2/.pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db'
 $ p11tool --list-token-urls | grep NSS
pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20Generic%20Crypto%20Services
pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20Certificate%20DB
 $ openssl pkeyutl -sign -engine pkcs11 -keyform engine \
     -inkey 'pkcs11:token=NSS%20Certificate%20DB;object=dwmw2%40infradead.org%27s%20StartCom%20Ltd.%20ID' \
     -in foo -out bar
engine "pkcs11" set.
Missing CKA_ALWAYS_AUTHENTICATE attribute

That's on a modern Linux system; in some legacy cases you might need to
mess with the OpenSSL PKCS#11 engine quite a lot to tell it which
module to load — and if you do load libsoftokn.so directly instead of
through p11-kit, I'm not sure the OpenSSL engine will let you set the
standard-violating pReserved field in the module init args. But
basically, yes. You can do that much at least from OpenSSL.

You can read certificates too, but via a special engine command so it
doesn't work for example on the 'openssl s_client -cert ...' command
line.

If you want to *write*, as you said, then you're going to need to use
libp11 rather than the engine: https://github.com/OpenSC/libp11/

-- 
dwmw2
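Added example (editor's code, not from dwmw2's mail): shell helpers that write the p11-kit module file shown above for a given NSS database directory, and percent-encode an NSS nickname into the PKCS#11 URI (RFC 7512) that "openssl ... -inkey" takes via the pkcs11 engine. The function names, the NSS directory argument and the softoken path /lib64/libsoftokn3.so (copied from the poster's system; it differs between distributions) are assumptions.

```sh
#!/bin/sh
# Added example, not code from the original mail. Builds the p11-kit module
# file for NSS softoken and a PKCS#11 URI for an NSS object, so the URI can be
# passed to "openssl pkeyutl ... -inkey".
# Assumed (not from the mail): function names, the NSS db directory argument,
# and the softoken path /lib64/libsoftokn3.so from the poster's system.

LC_ALL=C
export LC_ALL

# Percent-encode one string for use as a PKCS#11 URI attribute value.
# RFC 3986 unreserved characters pass through; every other byte becomes %XX.
# With LC_ALL=C the loop walks bytes, which is exact for ASCII nicknames (the
# usual case for NSS); non-ASCII nicknames are not exercised here.
pkcs11_pct_encode() {
    s=$1
    out=""
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}      # first byte of the remaining string
        s=${s#?}
        case "$c" in
            [A-Za-z0-9._~-]) out="$out$c" ;;
            *) out="$out$(printf '%%%02X' "'$c")" ;;
        esac
    done
    printf '%s' "$out"
}

# URI for an object (key or cert) in the "NSS Certificate DB" token, given the
# nickname shown by "certutil -L -d sql:<dir>" or "p11tool --list-all".
nss_key_uri() {
    printf 'pkcs11:token=%s;object=%s' \
        "$(pkcs11_pct_encode 'NSS Certificate DB')" \
        "$(pkcs11_pct_encode "$1")"
}

# Write the p11-kit module file that loads libsoftokn3 with the non-standard
# init string NSS expects. $1 = NSS database directory, $2 = destination file.
# The x-init-reserved value must stay on a single line.
write_nss_module() {
    nssdir=$1
    dest=$2
    cat > "$dest" <<EOF
# Load the NSS libsoftokn3 PKCS#11 library as a p11-kit module.
module: /lib64/libsoftokn3.so
x-init-reserved: configdir='sql:$nssdir' certPrefix='' keyPrefix='' secmod='secmod.db'
EOF
}

# Sign a file with the NSS-held key through the OpenSSL pkcs11 engine.
# $1 = object nickname, $2 = input file, $3 = output file.
# Needs OpenSSL with the pkcs11 engine and p11-kit; not called at load time.
sign_with_nss_key() {
    openssl pkeyutl -sign -engine pkcs11 -keyform engine \
        -inkey "$(nss_key_uri "$1")" -in "$2" -out "$3"
}

# Usage on a real system (uncomment):
# mkdir -p ~/.config/pkcs11/modules
# write_nss_module "$HOME/.pki/nssdb" ~/.config/pkcs11/modules/nss.module
# nss_key_uri "dwmw2@infradead.org's StartCom Ltd. ID"
# sign_with_nss_key "dwmw2@infradead.org's StartCom Ltd. ID" foo bar
```

The encoder reproduces exactly the object string in the mail ("dwmw2%40infradead.org%27s%20StartCom%20Ltd.%20ID"), so the URI it emits matches what p11tool prints for the same nickname; after writing the module file, "p11tool --list-token-urls" should list the two NSS tokens before the openssl call is attempted.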

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto