Re: Is there a tool in NSS to validate a website certificate set?

2016-02-12 Thread Kai Engert
On Tue, 2016-02-09 at 22:51 +1000, Jonathan Wilson wrote:
> OpenSSL has a s_client command that allows you to pull the certificates a 
> web page sends and verify the chain of trust against whatever root CA store 
> OpenSSL is using. Is there a way to do something similar for NSS? i.e. pull 
> the certificates a web page sends and validate them against the current set 
> of Mozilla root certificates?
> 
> And if there is, where do I get it from and how do I compile it? (if it's 
> one of the standard utilities in NSS, how do I compile those?)

If you use a Linux distribution, you can probably get a package that already
contains the tools. On Fedora it's nss-tools.

We have test utilities that are primarily used as part of the NSS test suite,
and which (at least on Fedora) are shipped in a separate "unsupported-tools"
directory, but they can do what you want.

On Fedora, you can execute 
  /usr/lib64/nss/unsupported-tools/vfyserv www.yourhost

which will attempt to validate the server's cert against the CA trust list that
comes with NSS (from the libnssckbi.so module).

This doesn't show the full chain on the terminal, but there's an option -c that
will dump all certs sent by the server into files.

I also like tstclnt, which has recently been enhanced to print information about
the server chain:

/usr/lib64/nss/unsupported-tools/tstclnt -C -D -b -h www.yourhost -p 443

You can use -C up to three times, to get more details about the certs.

If your platform doesn't offer you the NSS tools pre-packaged, then follow the
standard NSS build instructions:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_Sources_Building_Testing

Kai

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Verifying a signature using NSS

2016-02-12 Thread Wan-Teh Chang
On Wed, Feb 10, 2016 at 11:50 PM, WebDoctor wrote:
> Hi,
>
> I'm working on a Firefox extension that will use some cryptographic 
> operations.
>
> The problem I found is that when I sign data using the private key in the 
> server-side, I couldn't find any appropriate function in NSS to do public key 
> signature validation.
>
> I tried to use PK11_Verify, but this function is not listed as a public 
> function in nss3.dll, so I got the error "Couldn't find function PK11_Verify 
> to declare".
>
> What can I do to verify a signature using NSS?

You can use PK11_Verify (declared in "pk11pub.h") or the VFY_xxx
functions declared in "cryptohi.h" to verify a signature.

NSS Technical Note 5 has sample code for PK11_Verify:

https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/nss_tech_notes/nss_tech_note5

You can also look at how it is used in ssl3con.c:

http://mxr.mozilla.org/nss/ident?i=PK11_Verify

PK11_Verify is a public function exported from nss3.dll. We should
find out why you couldn't use it.

Wan-Teh


Verifying a signature using NSS

2016-02-12 Thread WebDoctor
Hi,

I'm working on a Firefox extension that will use some cryptographic operations.

The problem I found is that when I sign data using the private key in the 
server-side, I couldn't find any appropriate function in NSS to do public key 
signature validation. 

I tried to use PK11_Verify, but this function is not listed as a public function 
in nss3.dll, so I got the error "Couldn't find function PK11_Verify to declare".

What can I do to verify a signature using NSS?


Thank you for any help that you can give me. 

Ph.D in computer security
