Re: Cross-Compilation of NSS for MIPS platform fails.

2016-03-19 Thread Wan-Teh Chang
Hi,

On Tue, Mar 15, 2016 at 10:13 PM,   wrote:
> Hi,
>  I have been trying to cross compile NSS 3.21 for MIPS-Linux platform, but am 
> facing a lot of build issues. First I built nspr with mipsel toolchain and it 
> compiled without any errors.
>  While compiling NSS , I am getting the following error :
>
> {standard input}: Assembler messages:
> {standard input}:79: Error: unrecognized opcode `bswap $2'
> make[3]: *** 
> [mipsel-linux3.13_x86_glibc_PTH_DBG.OBJ/mipsel-linux_SINGLE_SHLIB/sha_fast.o] 
> Error 1
>
>  Hence, I would like to know whether cross-compilation of NSS is supported 
> for MIPS. If so, kindly give the links of the documentation.

Yes, cross-compilation of NSS is supported for Linux MIPS. The
procedure is tedious, requiring setting several makefile variables to
appropriate values, and is not documented on the NSS website.

The best source of information is the build scripts for the NSS
packages in Linux distributions such as Debian, Fedora, and Gentoo,
and a makefile in Firefox.

Here is the Firefox makefile that compiles NSS. Search for
"CROSS_COMPILE" in that makefile, and you will see which NSS makefile
variables need to be set:

http://mxr.mozilla.org/mozilla-central/source/config/external/nss/Makefile.in#187

It may be worthwhile to cross-compile Firefox for MIPS and inspect the
build log file for the command line. I think that would be easier than
trying to parse that makefile.

>  Also, after some modifications, I was able to build NSS, but while running I 
> am getting errors related to database. Error log is as follows :
>
>  Error initializing NSS without a persistent database: NSS error code: -5925
>
>  So, how shall I proceed to rectify this error?

Error code -5925 is PR_CALL_ONCE_ERROR:

http://mxr.mozilla.org/nspr/source/pr/include/prerr.h

That narrows down the failure to a small number of locations:
http://mxr.mozilla.org/nss/search?string=PR_CallOnce

Look at the PR_CallOnce calls in lib/freebl, especially
lib/freebl/loader.c. I suspect the dlopen() call of libfreebl3.so
failed because it could not find libfreebl3.so. I suggest you
investigate in that direction.

By the way, are you using a MIPS development board such as Creator
Ci20 that I can easily buy to reproduce your problem?

Wan-Teh Chang
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto


RFC7512 PKCS#11 URI support

2016-03-19 Thread David Woodhouse
As Varun ramps up for the potential GSoC project on implementing URI
support, I'd really like to get some consensus on the implementation
details — there is at least one choice which needs to be made, which
will affect his development from day one.

As discussed in https://bugzilla.mozilla.org/1162897 that is the
question of whether to use an external library (libp11-kit) for parsing
and handling the URIs, or whether to reinvent the wheel.

I think we should use libp11-kit. Both for the reasons that Ryan
mentions in Comment #1 of the above bug, and also because p11-kit gives
us other things that we'll need in future as we improve system
integration (specifically, co-ordinating the use of the same PKCS#11
provider modules from multiple places within the same process).

But for now, all we need is the URI parsing.

P11-kit is a BSD-licensed project, which builds on OSX and Windows:
https://p11-glue.freedesktop.org/

It is a fundamental part of all the major Linux desktop distributions,
and thus fairly much ubiquitous there. For fun I tried removing it
recently on OpenSuSE, Fedora and Ubuntu — in all cases it basically
wanted to remove most of the distro. Running 'dnf remove p11-kit' won't
even play any more on Fedora. It just tells me that would require
removing systemd and dnf itself, and tells me 'no'.

So my proposal is that on platforms where p11-kit exists, NSS should just
link to it. But also, to avoid having to build and ship a separate
library on platforms which didn't already have it, I think we should
*import* the URI handling code from libp11-kit. That is mostly isolated
to one file, of 1305 lines which compiles to roughly 10KiB of code
under Linux/x86_64.

Does that seem like the correct approach?


The other open question, although it doesn't block the work at the
start of the project, is whether we should be extending
PK11_FindCertFromNickname() to accept RFC7512 URIs or whether we should
*only* accept URIs in a new function.

I understand Ryan's reticence (again, in comment #1) about
retroactively starting to accept URIs. But as noted in my response
there, I'm not sure it's really that dangerous — I can't see a
situation in which a valid PKCS#11 URI is passed into that function and
getting the corresponding object (instead of a failure) is a *bad*
thing.

On the contrary, it's a *good* thing in most cases. Because it means
that NSS-using applications which take a certificate identity on the
command line or in a config file, suddenly Just Work when they're
provided with a PKCS#11 URI instead. And if we force them to update to
a new API to do that, we get to do a bombing run on all those
applications to change them.

-- 
dwmw2
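
To show what the RFC 7512 URI handling discussed above involves, here is an added example: a minimal C parser for the `pkcs11:` form. It is not code from libp11-kit, NSS or anyone in this thread; the names `p11_attr`, `p11_uri` and `p11_uri_parse` and the sample URI are made up for the illustration.

```c
/* Added example: minimal RFC 7512 "pkcs11:" URI parser, not libp11-kit code. */
#include <stdio.h>
#include <string.h>

struct p11_attr {
    char name[32];
    unsigned char value[128]; /* percent-decoded; may be binary (e.g. id) */
    size_t len;
    int is_query;             /* 0 = path attribute, 1 = query attribute */
};
struct p11_uri { struct p11_attr attrs[16]; int count; };

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20; /* fold ASCII letters to lower case */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Store one "name=value" segment of length n, percent-decoding the value.
 * The target slot is already zeroed by p11_uri_parse(). */
static int add_attr(struct p11_uri *u, const char *seg, size_t n, int is_query) {
    const char *eq = memchr(seg, '=', n);
    size_t nlen = eq ? (size_t)(eq - seg) : 0;
    struct p11_attr *a = &u->attrs[u->count];
    if (nlen == 0 || nlen >= sizeof a->name || u->count == 16) return -1;
    /* RFC 7512 forbids duplicate attribute names in the path component. */
    for (int i = 0; !is_query && i < u->count; i++)
        if (!strncmp(u->attrs[i].name, seg, nlen) && !u->attrs[i].name[nlen])
            return -1;
    memcpy(a->name, seg, nlen);
    a->name[nlen] = '\0';
    a->is_query = is_query;
    for (size_t i = nlen + 1; i < n; i++) {
        int c = (unsigned char)seg[i];
        if (c == '%') { /* a truncated or non-hex escape is an error */
            int hi = i + 2 < n ? hexval(seg[i + 1]) : -1;
            int lo = i + 2 < n ? hexval(seg[i + 2]) : -1;
            if (hi < 0 || lo < 0) return -1;
            c = hi * 16 + lo;
            i += 2;
        }
        if (a->len + 1 >= sizeof a->value) return -1; /* value too long */
        a->value[a->len++] = (unsigned char)c;
    }
    a->value[a->len] = '\0';
    u->count++;
    return 0;
}

/* Parse "pkcs11:" path [ "?" query ]; 0 on success, -1 if malformed.
 * The RFC's per-component character sets are not enforced here. */
int p11_uri_parse(const char *s, struct p11_uri *out) {
    int in_query = 0, first = 1; /* first: at the start of a component */
    memset(out, 0, sizeof *out);
    if (strncmp(s, "pkcs11:", 7) != 0) return -1;
    for (s += 7;;) {
        size_t n = strcspn(s, in_query ? "&" : ";?");
        char term = s[n];
        /* An empty segment is only legal as a whole empty component. */
        if (n == 0 && (!first || term == ';' || term == '&')) return -1;
        if (n > 0 && add_attr(out, s, n, in_query) != 0) return -1;
        if (term == '\0') return 0;
        in_query |= (first = (term == '?')); /* '?' starts the query part */
        s += n + 1;
    }
}

int main(void) {
    struct p11_uri u; /* the URI below is a constructed sample */
    if (p11_uri_parse("pkcs11:token=My%20Card;object=signing-cert;type=cert"
                      "?pin-source=file:/etc/token.pin", &u) != 0) return 1;
    for (int i = 0; i < u.count; i++)
        printf("%-5s %s = %s\n", u.attrs[i].is_query ? "query" : "path",
               u.attrs[i].name, (const char *)u.attrs[i].value);
    return 0;
}
```

A string without the `pkcs11:` scheme, such as an NSS "token:certname" nickname, is rejected by this parser rather than guessed at.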




Programmatically access smartcard with NSS

2016-03-19 Thread Túlio Gomes
Hello, I need to access a smartcard for signing documents with the private key
stored inside it.
The idea is to create a C++ component that will be used with a PNaCl module
inside Chrome's browser.

So I decided to use NSS, but I'm confused about what steps I need to do to
load the smartcard, access the private key, sign and verify the document.

I read almost all the existing documentation and didn't find any sample to do
that.

Here's my code:

int main(int argc, char** argv) {
    SECMODModule *module;
    SECStatus rv;
    static char moduleName[] = "library=libwdpkcs_icp.so name=Token-libwdpkcs_icp";

    module = SECMOD_LoadUserModule(moduleName, NULL, PR_TRUE);

    if(!module) {
        fprintf(stderr, "fail to load module");
        exit(1);
    }

    PK11SlotInfo* slot = PK11_GetInternalSlot(); // didn't work. Returns nothing (0x0);

    /*
     *  Ok, I load the module. What's next? I need to create a DB or I can
     *  access the token directly? If so, how can I do this?
     *  Probably the next step is to get the slot info. But how?
     */

    SECMOD_DestroyModule(module);
}

Can anyone give me some help?
Thanks in advance.
PS: sorry for my English


Re: RFC7512 PKCS#11 URI support

2016-03-19 Thread John Dennis

On 03/17/2016 10:52 AM, Ryan Sleevi wrote:

> On a technical front, Chrome and Firefox, as browsers, have been
> removing support for the notion of generic URIs, and investing in
> aligning on the URL spec - that is, making a conscious decision NOT
> to use URIs as URIs.


Could you clarify this statement?

> NOT to use URIs as URIs

Is this a typo?

--
John


Re: Cross-Compilation of NSS for MIPS platform fails.

2016-03-19 Thread Andrew Cagney
On 18 March 2016 at 07:40,  wrote:

> Hi,
>    I went through the Firefox makefile and observed that I had set the
> flags which are listed there. So, I believe that might not be the problem.
> Yet, I shall build Firefox and see the build logs for better understanding
> as you had suggested.
> Initially, the libfreebl3.so was not building for MIPS platform, so I
> included a few lines of code to eliminate the following error :
> {standard input}: Assembler messages:
> {standard input}:79: Error: unrecognized opcode `bswap $2'
>
>

While there, hack the make file and add a printenv command.  From memory,
not all the make variables are passed explicitly, some get tunnelled via
the environment.



> Then libfreebl3.so got built and was being loaded.
>
>  The next issue which I faced at run time was in pkc11load.c. Here,
> C_Initialize() call returns CKR_CRYPTOKI_NOT_INITIALIZED due to which
> "CKR_GENERAL_ERROR" flag is being raised.
>   So, can you give any pointers on how I should debug further?


Re: Cross-Compilation of NSS for MIPS platform fails.

2016-03-19 Thread ramyasivanesan36
Hi,
   I went through the Firefox makefile and observed that I had set the flags 
which are listed there. So, I believe that might not be the problem. Yet, I 
shall build Firefox and see the build logs for better understanding as you had 
suggested.
Initially, the libfreebl3.so was not building for MIPS platform, so I included 
a few lines of code to eliminate the following error :
{standard input}: Assembler messages: 
{standard input}:79: Error: unrecognized opcode `bswap $2' 

Then libfreebl3.so got built and was being loaded.

 The next issue which I faced at run time was in pkc11load.c. Here,
C_Initialize() call returns CKR_CRYPTOKI_NOT_INITIALIZED due to which
"CKR_GENERAL_ERROR" flag is being raised.
  So, can you give any pointers on how I should debug further?


Programmatically access smartcard with NSS

2016-03-19 Thread Túlio Gomes
Hello, I need to access a smartcard for signing documents with the private key
stored inside it.
The idea is to create a C++ component that will be used with a PNaCl module
inside Chrome's browser.

So I decided to use NSS, but I'm confused about what steps I need to do to
load the smartcard, access the private key, sign and verify the document.

I read almost all the existing documentation and didn't find any sample to do
that.

So, here's my code:

int main(int argc, char** argv) {
    SECMODModule *module;
    SECStatus rv;
    static char moduleName[] = "library=libwdpkcs_icp.so name=Token-libwdpkcs_icp";

    module = SECMOD_LoadUserModule(moduleName, NULL, PR_TRUE);

    if(!module) {
        fprintf(stderr, "fail to load module");
        exit(1);
    }

    PK11SlotInfo* slot = PK11_GetInternalSlot(); // didn't work. Returns nothing (0x0);

    /*
     *  Ok, I load the module. What's next? I need to create a DB or I can
     *  access the token directly? If so, how can I do this?
     *  Probably the next step is to get the slot info. But how?
     */

    SECMOD_DestroyModule(module);
}

Can anyone give me some help?
Thanks in advance.
PS: sorry for my English


Re: Programmatically access smartcard with NSS

2016-03-19 Thread Túlio Gomes
On Thursday, March 17, 2016 at 14:16:30 UTC-3, Túlio Gomes wrote:
> Hello, I need to access a smartcard for signing documents with the private
> key stored inside it.
> The idea is to create a C++ component that will be used with a PNaCl module
> inside Chrome's browser.
>
> So I decided to use NSS, but I'm confused about what steps I need to do to
> load the smartcard, access the private key, sign and verify the document.
>
> I read almost all the existing documentation and didn't find any sample to
> do that.
>
> Here's my code:
>
> int main(int argc, char** argv) {
>     SECMODModule *module;
>     SECStatus rv;
>     static char moduleName[] = "library=libwdpkcs_icp.so name=Token-libwdpkcs_icp";
>
>     module = SECMOD_LoadUserModule(moduleName, NULL, PR_TRUE);
>
>     if(!module) {
>         fprintf(stderr, "fail to load module");
>         exit(1);
>     }
>
>     PK11SlotInfo* slot = PK11_GetInternalSlot(); // didn't work. Returns nothing (0x0);
>
>     /*
>      *  Ok, I load the module. What's next? I need to create a DB or I can
>      *  access the token directly? If so, how can I do this?
>      *  Probably the next step is to get the slot info. But how?
>      */
>
>     SECMOD_DestroyModule(module);
> }
>
> Can anyone give me some help?
> Thanks in advance.
> PS: sorry for my English




I just had some progress, but now I'm stuck on how I can prompt the user for
the password. Can anyone help?


Re: computing hmac (RFC 2104) when the key isn't secure

2016-03-19 Thread Andrew Cagney
On 12 March 2016 at 20:11, Andrew Cagney  wrote:

> On 11 March 2016 at 13:23, Andrew Cagney  wrote:
> > Given a clear-text key and clear-text data (lots of it), I'm trying to
> > compute a clear-text RFC 2104 HMAC aka IPSEC prf()
> >
> > If the key was all FIPS secure in a PK11SymKey then I believe I could
> > follow sample3 and kick things off with:
> >
> > context = PK11_CreateContextBySymKey(CKM_MD5_HMAC, CKA_SIGN, key,
> > );
> >
> > Alas, it isn't :-(  Short of implementing the RFC 2104 calculation, or
> > fudging up some secret key material, is there a way to do this?
>
>
Reading the, er, documentation in /usr/include/nss3, I found 
which seems to work for this specific case.

(It doesn't work in general though, as it lacks HMAC_Update(key) and key =
HMAC_Finish()).

Andrew



> To make my question more concrete.  Contrast how OpenSSL vs NSS need
> to be initialized:
>
> const char hmackey[33] = ".";
> #if defined(WITH_OPENSSL)
>     HMAC_Init(, hmackey, sizeof(hmackey)-1, EVP_sha256());
> #elif defined(WITH_NSS)
>     PK11Context *c = NULL;
>     {
>         PK11SymKey *key = nss_hmackey();
>         if (key == NULL) {
>             goto end;
>         }
>         SECItem noParams = { .data = 0, .len = 0, };
>         c = PK11_CreateContextBySymKey(CKM_SHA256_HMAC, CKA_SIGN,
>                                        key, );
>         if (c == NULL) {
>             debug_log("PK11_CreateContextBySymKey() failed");
>             goto end;
>         }
>     }
>     PK11_DigestBegin(c);
> #endif
>
> where nss_hmackey() uses "magic" to convert the string into a PK11SymKey.
>
>
> > BTW, it's probably worth pointing out that for libreswan I had similar
> > problems but needed to keep the resulting HMAC secure.  For instance,
> > given a clear-text key and secure data, compute a secure hmac
> > (SKEYSEED = prf(Ni | Nr, g^ir)).
> >
> > Andrew
>


Re: Programmatically smartcard/token access with NSS

2016-03-19 Thread Robert Relyea

On 03/17/2016 06:17 AM, Túlio Gomes wrote:

> Hello, I need to access a smartcard for signing documents with the private
> key stored inside it.
> The idea is to create a C++ component that will be used with a PNaCl module
> inside Chrome's browser.
>
> So I decided to use NSS, but I'm confused about what steps I need to do to
> load the smartcard, access the private key, sign and verify the document.
>
> I read almost all the existing documentation and didn't find any sample to
> do that.
>
> So, here's my code:
>
> int main(int argc, char** argv) {
>     SECMODModule *module;
>     SECStatus rv;
>     static char moduleName[] = "library=libwdpkcs_icp.so name=Token-libwdpkcs_icp";
>
>     module = SECMOD_LoadUserModule(moduleName, NULL, PR_TRUE);
>
>     if(!module) {
>         fprintf(stderr, "fail to load module");
>         exit(1);
>     }
>
>     PK11SlotInfo* slot = PK11_GetInternalSlot(); // didn't work. Returns nothing (0x0);

You need to initialize NSS itself first.

>     /*
>      *  Ok, I load the module. What's next? I need to create a DB or I can
>      *  access the token directly? If so, how can I do this?
>      *  Probably the next step is to get the slot info. But how?
>      */

Once you do this, the token certs are available with any db certs that
you may already have. Typically in NSS you look up the certs you are
interested in. 'User' certs are certs with private keys associated with
them. Once you select a cert, you can look up the key. Then you can use
that key to sign, decrypt or unwrap. If the cert and key you select are
in the token, NSS will use it.

You can find an example for decrypting here:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/nss_sample_code/NSS_Sample_Code_sample4

In this example, the cert is found with:
    cert = PK11_FindCertFromNickname("TestCA", NULL);

You can find the cert on a smartcard using "tokenname:certname" as
the nickname.

If you create a database:
    mkdir ./certs
    certutil -N -d ./certs
use modutil to add your smart card
    modutil -add Token-libwdpkcs_icp -lib libwdpkcs_icp.so -dbdir ./certs
You can then list all the certs on your smart card with
    certutil -L -h all -d ./certs
(you'll be prompted for the pin for your smartcard).

You can also use PK11_ListCertsInSlot() to find all the certs on your
smart card.
You can use PK11_FindSlotByName() or PK11_FindSlotsByNames() to find
the slot for your smart card.

/usr/include/nss3/pk11pub.h has a list of most of the functions that
deal with smart cards.

**NOTE** In the example, you'll need to fix the password function to
actually prompt for the password. If you don't, you can lock your token
if it has a fixed number of retries.

bob

>     SECMOD_DestroyModule(module);
> }
>
> Can anyone give me some help?
> Thanks in advance.
> PS: sorry for my English






Programmatically smartcard/token access with NSS

2016-03-19 Thread Túlio Gomes
Hello, I need to access a smartcard for signing documents with the private key
stored inside it.
The idea is to create a C++ component that will be used with a PNaCl module
inside Chrome's browser.

So I decided to use NSS, but I'm confused about what steps I need to do to
load the smartcard, access the private key, sign and verify the document.

I read almost all the existing documentation and didn't find any sample to do
that.

So, here's my code:

int main(int argc, char** argv) {
    SECMODModule *module;
    SECStatus rv;
    static char moduleName[] = "library=libwdpkcs_icp.so name=Token-libwdpkcs_icp";

    module = SECMOD_LoadUserModule(moduleName, NULL, PR_TRUE);

    if(!module) {
        fprintf(stderr, "fail to load module");
        exit(1);
    }

    PK11SlotInfo* slot = PK11_GetInternalSlot(); // didn't work. Returns nothing (0x0);

    /*
     *  Ok, I load the module. What's next? I need to create a DB or I can
     *  access the token directly? If so, how can I do this?
     *  Probably the next step is to get the slot info. But how?
     */

    SECMOD_DestroyModule(module);
}

Can anyone give me some help?
Thanks in advance.
PS: sorry for my English


Re: RFC7512 PKCS#11 URI support

2016-03-19 Thread Ryan Sleevi
On Thursday, March 17, 2016, John Dennis  wrote:

> On 03/17/2016 10:52 AM, Ryan Sleevi wrote:
>
>> On a technical front, Chrome and Firefox, as browsers, have been
>> removing support for the notion of generic URIs, and investing in
>> aligning on the URL spec - that is, making a conscious decision NOT
>> to use URIs as URIs.
>>
>
> Could you clarify this statement?
>
> > NOT to use URIs as URIs
>
> Is this a typo?
>
> --
> John
>

No, it is not a typo.

Firefox, Chrome, and other browsers have been focused on
https://url.spec.whatwg.org as the IETF spec is inadequate and overbroad
and does not reflect the real world.

There's more to that story, but that's the simple answer.


Re: RFC7512 PKCS#11 URI support

2016-03-19 Thread Ryan Sleevi
On Thursday, March 17, 2016, David Woodhouse  wrote:

>
> It is a fundamental part of all the major Linux desktop distributions,
> and thus fairly much ubiquitous there.


This is a loaded statement, but I still believe this is overstated. But I
don't want to get into a "whose distro is better" pissing match.


> For fun I tried removing it
> recently on OpenSuSE, Fedora and Ubuntu — in all cases it basically
> wanted to remove most of the distro. Running 'dnf remove p11-kit' won't
> even play any more on Fedora. It just tells me that would require
> removing systemd and dnf itself, and tells me 'no'.
>
> So my proposal is that on platforms where p11-kit exists, NSS should just
> link to it. But also, to avoid having to build and ship a separate
> library on platforms which didn't already have it, I think we should
> *import* the URI handling code from libp11-kit. That is mostly isolated
> to one file, of 1305 lines which compiles to roughly 10KiB of code
> under Linux/x86_64.
>
> Does that seem like the correct approach?


I disagree that this seems like a wise or balanced tradeoff to fork this
file. The lessons of SQLite show this just increases maintenance costs and
leads to divergence. I respond to this more below.


> The other open question, although it doesn't block the work at the
> start of the project, is whether we should be extending
> PK11_FindCertFromNickname() to accept RFC7512 URIs or whether we should
> *only* accept URIs in a new function.


I am still strongly opposed to introducing this behaviour to the existing
functions. The nickname functions already have significant magic attached
to them, both in parsing from NSS APIs and in providing to NSS APIs
(filtering or setting the token via parsing or adding to the token name,
respectively). This would definitely break Chrome's use of the API, and for
that, I think it should be an unacceptable change as it is not backwards
compatible.

On the topic itself, of supporting PKCS#11 URIs, I remain opposed, and I would
appreciate Richard's take on it. For Chrome, such a feature would have been
useless for our Windows and Mac ports, and *is* useless for our iOS and
ChromeOS ports. Further, we would not expose this functionality for our
Linux port even if it existed, due to cross-platform considerations. On a
technical front, Chrome and Firefox, as browsers, have been removing
support for the notion of generic URIs, and investing in aligning on the
URL spec - that is, making a conscious decision NOT to use URIs as URIs.
Anne on the Mozilla side has been working that effort, and can probably
speak more to that effort.

I would much rather that if this is introduced, it is done so behind a
compile time flag, and its interactions with NSS as a whole kept to a
minimum. I understand and appreciate why Fedora/RHEL distros are interested
in this, but I don't believe it's something that Chrome would want, and I
don't believe it's likely something Firefox would want to ship when it
packages NSS, especially on non-Linux platforms.