[ANNOUNCE] NSS 3.22 Release

2016-02-03 Thread Kai Engert 
The NSS team has released Network Security Services (NSS) 3.22,
which is a minor release.

New functionality:
* RSA-PSS signatures are now supported (bug 1215295)
* Pseudorandom functions based on hashes other than SHA-1 are now supported
* Enforce an External Policy on NSS from a config file (bug 1009429)

New Functions:
* PK11_SignWithMechanism - an extended version PK11_Sign()
* PK11_VerifyWithMechanism - an extended version of PK11_Verify()
* SSL_PeerSignedCertTimestamps - Get signed_certificate_timestamp 
  TLS extension data
* SSL_SetSignedCertTimestamps - Set signed_certificate_timestamp
  TLS extension data

New Types:
* ssl_signed_cert_timestamp_xtn is added to SSLExtensionType
* Constants for several object IDs are added to SECOidTag

New Macros:
* SSL_ENABLE_SIGNED_CERT_TIMESTAMPS
* NSS_USE_ALG_IN_SSL
* NSS_USE_POLICY_IN_SSL
* NSS_RSA_MIN_KEY_SIZE
* NSS_DH_MIN_KEY_SIZE
* NSS_DSA_MIN_KEY_SIZE
* NSS_TLS_VERSION_MIN_POLICY
* NSS_TLS_VERSION_MAX_POLICY
* NSS_DTLS_VERSION_MIN_POLICY
* NSS_DTLS_VERSION_MAX_POLICY
* CKP_PKCS5_PBKD2_HMAC_SHA224
* CKP_PKCS5_PBKD2_HMAC_SHA256
* CKP_PKCS5_PBKD2_HMAC_SHA384
* CKP_PKCS5_PBKD2_HMAC_SHA512
* CKP_PKCS5_PBKD2_HMAC_GOSTR3411 - (not supported)
* CKP_PKCS5_PBKD2_HMAC_SHA512_224 - (not supported)
* CKP_PKCS5_PBKD2_HMAC_SHA512_256 - (not supported)

Notable Changes:
* NSS C++ tests are built by default, requiring a C++11 compiler. 
  Set the NSS_DISABLE_GTESTS variable to 1 to disable building these tests.

The full release notes are available at
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.22_release_notes

The HG tag is NSS_3_22_RTM. NSS 3.22 requires NSPR 4.11 or newer.

NSS 3.22 source distributions are available for secure HTTPS download:
https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_22_RTM/src/

A complete list of all bugs resolved in this release can be obtained at
https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED=Components_format=advanced_milestone=3.22=NSS

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: [ANNOUNCE] NSS 3.22 Release

2016-02-03 Thread Tim Taubert 
Kai Engert wrote:
> The NSS team has released Network Security Services (NSS) 3.22,
> which is a minor release.
> 
> New functionality:
> * RSA-PSS signatures are now supported (bug 1215295)
> * Pseudorandom functions based on hashes other than SHA-1 are now supported

To clarify: Our PBKDF2 implementation supports HMAC/SHA-2 PRFs now.

- Tim


> * Enforce an External Policy on NSS from a config file (bug 1009429)
> 
> New Functions:
> * PK11_SignWithMechanism - an extended version PK11_Sign()
> * PK11_VerifyWithMechanism - an extended version of PK11_Verify()
> * SSL_PeerSignedCertTimestamps - Get signed_certificate_timestamp 
>   TLS extension data
> * SSL_SetSignedCertTimestamps - Set signed_certificate_timestamp
>   TLS extension data
> 
> New Types:
> * ssl_signed_cert_timestamp_xtn is added to SSLExtensionType
> * Constants for several object IDs are added to SECOidTag
> 
> New Macros:
> * SSL_ENABLE_SIGNED_CERT_TIMESTAMPS
> * NSS_USE_ALG_IN_SSL
> * NSS_USE_POLICY_IN_SSL
> * NSS_RSA_MIN_KEY_SIZE
> * NSS_DH_MIN_KEY_SIZE
> * NSS_DSA_MIN_KEY_SIZE
> * NSS_TLS_VERSION_MIN_POLICY
> * NSS_TLS_VERSION_MAX_POLICY
> * NSS_DTLS_VERSION_MIN_POLICY
> * NSS_DTLS_VERSION_MAX_POLICY
> * CKP_PKCS5_PBKD2_HMAC_SHA224
> * CKP_PKCS5_PBKD2_HMAC_SHA256
> * CKP_PKCS5_PBKD2_HMAC_SHA384
> * CKP_PKCS5_PBKD2_HMAC_SHA512
> * CKP_PKCS5_PBKD2_HMAC_GOSTR3411 - (not supported)
> * CKP_PKCS5_PBKD2_HMAC_SHA512_224 - (not supported)
> * CKP_PKCS5_PBKD2_HMAC_SHA512_256 - (not supported)
> 
> Notable Changes:
> * NSS C++ tests are built by default, requiring a C++11 compiler. 
>   Set the NSS_DISABLE_GTESTS variable to 1 to disable building these tests.
> 
> The full release notes are available at
> https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.22_release_notes
> 
> The HG tag is NSS_3_22_RTM. NSS 3.22 requires NSPR 4.11 or newer.
> 
> NSS 3.22 source distributions are available for secure HTTPS download:
> https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_22_RTM/src/
> 
> A complete list of all bugs resolved in this release can be obtained at
> https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED=Components_format=advanced_milestone=3.22=NSS
> 
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

[NSS] X509 Certificate Chain Verification Example

2016-02-03 Thread Nicholas Mainardi 
Hello,

I'm comparing different libraries to verify X509 certificate chains. I had
some issues to find how to use NSS to perform this task. At the end, I
managed to get a working code with one certificate chain. You can find the
code in this question

I asked on stack overflow. I would like to know if the code I wrote is the
correct way to verify a certificate chain using NSS, and if there are other
parameters to customize the verify algorithm which can be set (i.e. a flag
to enable policy check etc.). If the code is correct, I suggest it could be
added to NSS examples on the documentation.

Thank You,

Nicholas
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto