Re: Cross-Compilation of NSS for MIPS platform fails.
Hi, On Tue, Mar 15, 2016 at 10:13 PM,wrote: > Hi, > I have been trying to cross compile NSS 3.21 for MIPS-Linux platform, but am > facing a lot of build issues. First I built nspr with mipsel toolchain and it > compiled without any errors. > While compiling NSS , I am getting the following error : > > {standard input}: Assembler messages: > {standard input}:79: Error: unrecognized opcode `bswap $2' > make[3]: *** > [mipsel-linux3.13_x86_glibc_PTH_DBG.OBJ/mipsel-linux_SINGLE_SHLIB/sha_fast.o] > Error 1 > > Hence, I would like to know whether cross-compilation of NSS is supported > for MIPS. If so, kindly give the links of the documentation. Yes, cross-compilation of NSS is supported for Linux MIPS. The procedure is tedious, requiring setting several makefile variables to appropriate values, and is not documented on the NSS website. The best source of information is the build scripts for the NSS packages in Linux distributions such as Debian, Fedora, and Gentoo, and a makefile in Firefox. Here is the Firefox makefile that compiles NSS. Search for "CROSS_COMPILE" in that makefile, and you will see which NSS makefile variables need to be set: http://mxr.mozilla.org/mozilla-central/source/config/external/nss/Makefile.in#187 It may be worthwhile to cross-compile Firefox for MIPS and inspect the build log file for the command line. I think that would be easier than trying to parse that makefile. > Also, after some modifications, I was able to build NSS, but while running I > am getting errors related to database. Error log is as follows : > > Error initializing NSS without a persistent database: NSS error code: -5925 > > So, how shall I proceed to rectify this error? Error code -5925 is PR_CALL_ONCE_ERROR: http://mxr.mozilla.org/nspr/source/pr/include/prerr.h That narrows down the failure to a small number of locations: http://mxr.mozilla.org/nss/search?string=PR_CallOnce Look at the PR_CallOnce calls in lib/freebl, especially lib/freebl/loader.c. I suspect the dlopen() call of libfreebl3.so failed because it could not find libfreebl3.so. I suggest you investigate in that direction. By the way, are you using a MIPS development board such as Creator Ci20 that I can easily buy to reproduce your problem? Wan-Teh Chang -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
RFC7512 PKCS#11 URI support
As Varun ramps up for the potential GSoC project on implementing URI support, I'd really like to get some consensus on the implementation details — there is at least one choice which needs to be made, which will affect his development from day one. As discussed in https://bugzilla.mozilla.org/1162897 that is the question of whether to use an external library (libp11-kit) for parsing and handling the URIs, or whether to reinvent the wheel. I think we should use libp11-kit. Both for the reasons that Ryan mentions in Comment #1 of the above bug, and also because p11-kit gives us other things that we'll need in future as we improve system integration (specifically, co-ordinating the use of the same PKCS#11 provider modules from multiple places within the same process). But for now, all we need is the URI parsing. P11-kit is a BSD-licensed project, which builds on OSX and Windows: https://p11-glue.freedesktop.org/ It is a fundamental part of all the major Linux desktop distributions, and thus fairly much ubiquitous there. For fun I tried removing it recently on OpenSuSE, Fedora and Ubuntu — in all cases it basically wanted to remove most of the distro. Running 'dnf remove p11-kit' won't even play any more on Fedora. It just tells me that would require removing systemd and dnf itself, and tells me 'no'. So my proposal that on platforms where p11-kit exists, NSS should just link to it. But also, to avoid having to build and ship a separate library on platforms which didn't already have it, I think we should *import* the URI handling code from libp11-kit. That is mostly isolated to one file, of 1305 lines which compiles to roughly 10KiB of code under Linux/x86_64. Does that seem like the correct approach? The other open question, although it doesn't block the work at the start of the project, is whether we should be extending PK11_FindCertFromNickname() to accept RFC7512 URIs or whether we should *only* accept URIs in a new function. I understand Ryan's reticence (again, in comment #1) about retroactively starting to accept URIs. But as noted in my response there, I'm not sure it's really that dangerous — I can't see a situation in which a valid PKCS#11 URI is passed into that function and getting the corresponding object (instead of a failure) is a *bad* thing. On the contrary, it's a *good* thing in most cases. Because it means that NSS-using applications which take a certificate identity on the command line or in a config file, suddenly Just Work when they're provided with a PKCS#11 URI instead. And if we force them to update to a new API to do that, we get to do a bombing run on all those applications to change them. -- dwmw2 smime.p7s Description: S/MIME cryptographic signature -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Programmatically acess smartcard with NSS
Hello, i need to access a smartcard for signing documents with the private key stored inside it. The idea is to create a c++ component that will be used with a pnacl module inside chrome's browser. So i decided to use NSS, but i'm confused about what steps i need to do for load the smartcard, access the private key, sign and verify the document. I read almost all the existing documentation and didn find any sample to do that. Here's my code: int main(int argc, char** argv) { SECMODModule *module; SECStatus rv; static char moduleName[] = "library=libwdpkcs_icp.so name=Token-libwdpkcs_icp"; module = SECMOD_LoadUserModule(moduleName, NULL, PR_TRUE); if(!module) { fprintf(stderr, "fail to load module"); exit(1); } PK11SlotInfo* slot = PK11_GetInternalSlot(); //didnt work. Returns nothing (0x0); /* * Ok, i load the module. What's next? I need to create a DB or i can access the token directly? If so, how can i do this? * Probably the next step is to get the slot info. But how? */ SECMOD_DestroyModule(module); } Can anyone give me some help? Thanks in advance. ps: sorry for my english -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: RFC7512 PKCS#11 URI support
On 03/17/2016 10:52 AM, Ryan Sleevi wrote: On a technical front, Chrome and Firefox, as browsers, have been removing support for the notion of generic URIs, and investing in aligning on the URL spec - that is, making a conscious decision NOT to use URIs as URIs. Could you clarify this statement? > NOT to use URIs as URIs Is this a typo? -- John -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Cross-Compilation of NSS for MIPS platform fails.
On 18 March 2016 at 07:40,wrote: > Hi, >I went through the Firefox makefile and observed that I had set the > flags which are listed there. So, I believe that might not be the problem. > Yet, I shall build Firefox and see the build logs for better understanding > as you had suggested. > Initially, the libfreebl3.so was not building for MIPS platform, so I > included a few lines of code to eliminate the following error : > {standard input}: Assembler messages: > {standard input}:79: Error: unrecognized opcode `bswap $2' > > While there, hack the make file and add a printenv command. From memory, not all the make variables are passed explicitly, some get tunnelled via the environment. > Then libfreebl3.so got built and was being loaded. > > The next issue which I faced at run time was in pkc11load.c .Here, > C_Initialize() call returns CKR_CRYPTOKI_NOT_INITIALIZED due to which > "CKR_GENERAL_ERROR" flag is being raised. > So, can you give any pointers on how I should debug further? > -- > dev-tech-crypto mailing list > dev-tech-crypto@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-tech-crypto > -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Cross-Compilation of NSS for MIPS platform fails.
Hi, I went through the Firefox makefile and observed that I had set the flags which are listed there. So, I believe that might not be the problem. Yet, I shall build Firefox and see the build logs for better understanding as you had suggested. Initially, the libfreebl3.so was not building for MIPS platform, so I included a few lines of code to eliminate the following error : {standard input}: Assembler messages: {standard input}:79: Error: unrecognized opcode `bswap $2' Then libfreebl3.so got built and was being loaded. The next issue which I faced at run time was in pkc11load.c .Here, C_Initialize() call returns CKR_CRYPTOKI_NOT_INITIALIZED due to which "CKR_GENERAL_ERROR" flag is being raised. So, can you give any pointers on how I should debug further? -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Programmatically access smartcard with NSS
Hello, i need to access a smartcard for signing documents with the private key stored inside it. The idea is to create a c++ component that will be used with a pnacl module inside chrome's browser. So i decided to use NSS, but i'm confused about what steps i need to do for load the smartcard, access the private key, sign and verify the document. I read almost all the existing documentation and didn find any sample to do that. So, here's my code: int main(int argc, char** argv) { SECMODModule *module; SECStatus rv; static char moduleName[] = "library=libwdpkcs_icp.so name=Token-libwdpkcs_icp"; module = SECMOD_LoadUserModule(moduleName, NULL, PR_TRUE); if(!module) { fprintf(stderr, "fail to load module"); exit(1); } PK11SlotInfo* slot = PK11_GetInternalSlot(); //didnt work. Returns nothing (0x0); /* * Ok, i load the module. What's next? I need to create a DB or i can access the token directly? If so, how can i do this? * Probably the next step is to get the slot info. But how? */ SECMOD_DestroyModule(module); } Can anyone give me some help? Thanks in advance. ps: sorry for my english -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Programmatically acess smartcard with NSS
Em quinta-feira, 17 de março de 2016 14:16:30 UTC-3, Túlio Gomes escreveu: > Hello, i need to access a smartcard for signing documents with the private > key stored inside it. > The idea is to create a c++ component that will be used with a pnacl module > inside chrome's browser. > > So i decided to use NSS, but i'm confused about what steps i need to do for > load the smartcard, access the private key, sign and verify the document. > > I read almost all the existing documentation and didn find any sample to do > that. > > Here's my code: > > int main(int argc, char** argv) { > SECMODModule *module; > SECStatus rv; > static char moduleName[] = "library=libwdpkcs_icp.so > name=Token-libwdpkcs_icp"; > > module = SECMOD_LoadUserModule(moduleName, NULL, PR_TRUE); > > if(!module) { > fprintf(stderr, "fail to load module"); > exit(1); > } > > PK11SlotInfo* slot = PK11_GetInternalSlot(); //didnt work. Returns > nothing (0x0); > > /* > * Ok, i load the module. What's next? I need to create a DB or i can > access the token directly? If so, how can i do this? > * Probably the next step is to get the slot info. But how? > */ > > SECMOD_DestroyModule(module); > } > > Can anyone give me some help? > Thanks in advance. > ps: sorry for my english Em quinta-feira, 17 de março de 2016 14:16:30 UTC-3, Túlio Gomes escreveu: > Hello, i need to access a smartcard for signing documents with the private > key stored inside it. > The idea is to create a c++ component that will be used with a pnacl module > inside chrome's browser. > > So i decided to use NSS, but i'm confused about what steps i need to do for > load the smartcard, access the private key, sign and verify the document. > > I read almost all the existing documentation and didn find any sample to do > that. > > Here's my code: > > int main(int argc, char** argv) { > SECMODModule *module; > SECStatus rv; > static char moduleName[] = "library=libwdpkcs_icp.so > name=Token-libwdpkcs_icp"; > > module = SECMOD_LoadUserModule(moduleName, NULL, PR_TRUE); > > if(!module) { > fprintf(stderr, "fail to load module"); > exit(1); > } > > PK11SlotInfo* slot = PK11_GetInternalSlot(); //didnt work. Returns > nothing (0x0); > > /* > * Ok, i load the module. What's next? I need to create a DB or i can > access the token directly? If so, how can i do this? > * Probably the next step is to get the slot info. But how? > */ > > SECMOD_DestroyModule(module); > } > > Can anyone give me some help? > Thanks in advance. > ps: sorry for my english Em quinta-feira, 17 de março de 2016 14:16:30 UTC-3, Túlio Gomes escreveu: > Hello, i need to access a smartcard for signing documents with the private > key stored inside it. > The idea is to create a c++ component that will be used with a pnacl module > inside chrome's browser. > > So i decided to use NSS, but i'm confused about what steps i need to do for > load the smartcard, access the private key, sign and verify the document. > > I read almost all the existing documentation and didn find any sample to do > that. > > Here's my code: > > int main(int argc, char** argv) { > SECMODModule *module; > SECStatus rv; > static char moduleName[] = "library=libwdpkcs_icp.so > name=Token-libwdpkcs_icp"; > > module = SECMOD_LoadUserModule(moduleName, NULL, PR_TRUE); > > if(!module) { > fprintf(stderr, "fail to load module"); > exit(1); > } > > PK11SlotInfo* slot = PK11_GetInternalSlot(); //didnt work. Returns > nothing (0x0); > > /* > * Ok, i load the module. What's next? I need to create a DB or i can > access the token directly? If so, how can i do this? > * Probably the next step is to get the slot info. But how? > */ > > SECMOD_DestroyModule(module); > } > > Can anyone give me some help? > Thanks in advance. > ps: sorry for my english I just had some progress but now i'm stuck in how i can prompt the user for password. Can anyone help? -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: computing hmac (RFC 2104) when the key isn't secure
On 12 March 2016 at 20:11, Andrew Cagneywrote: > On 11 March 2016 at 13:23, Andrew Cagney wrote: > > Given a clear-text key and clear-text data (lots of it), I'm trying to > > compute a clear-text RFC 2104 HMAC aka IPSEC prf() > > > > If the key was all FIPS secure in a PK11SymKey then I believe I could > > follow sample3 and kick things off with: > > > > context = PK11_CreateContextBySymKey(CKM_MD5_HMAC, CKA_SIGN, key, > > ); > > > > Alas, it isn't :-( Short of implementing the RFC 2104 calculation, or > > fudging up some secret key material, is there a way to do this? > > Reading the, er, documentation in /usr/include/nss3, I found which seems to work for this specific case. (It doesn't work in general though, as it lacks HMAC_Update(key) and key = HMAC_Finish()). Andrew > To make my question more concrete. Contrast how OpenSSL vs NSS need > to be initialized: > > const char hmackey[33] = "."; > #if defined(WITH_OPENSSL) > HMAC_Init(, hmackey, sizeof(hmackey)-1, EVP_sha256()); > #elif defined(WITH_NSS) > PK11Context *c = NULL; > { > PK11SymKey *key = nss_hmackey(); > if (key == NULL) { > goto end; > } > SECItem noParams = { .data = 0, .len = 0, }; > c = PK11_CreateContextBySymKey(CKM_SHA256_HMAC, CKA_SIGN, >key, ); > if (c == NULL) { > debug_log("PK11_CreateContextBySymKey() failed"); > goto end; > } > } > PK11_DigestBegin(c); > #endif > > where nss_hmackey() uses "magic" to convert the string into a PK11SymKey. > > > > BTW, it's probably worth pointing out that for libreswan I had similar > > problems but needed to keep the resulting HMAC secure. For instance, > > given a clear-text key and secure data, compute a secure hmac > > (SKEYSEED = prf(Ni | Nr, g^ir)). > > > > Andrew > -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Programmatically smartcard/token access with NSS
On 03/17/2016 06:17 AM, Túlio Gomes wrote: Hello, i need to access a smartcard for signing documents with the private key stored inside it. The idea is to create a c++ component that will be used with a pnacl module inside chrome's browser. So i decided to use NSS, but i'm confused about what steps i need to do for load the smartcard, access the private key, sign and verify the document. I read almost all the existing documentation and didn find any sample to do that. So, here's my code: int main(int argc, char** argv) { SECMODModule *module; SECStatus rv; static char moduleName[] = "library=libwdpkcs_icp.so name=Token-libwdpkcs_icp"; module = SECMOD_LoadUserModule(moduleName, NULL, PR_TRUE); if(!module) { fprintf(stderr, "fail to load module"); exit(1); } PK11SlotInfo* slot = PK11_GetInternalSlot(); //didnt work. Returns nothing (0x0); You need to initialize NSS itself first. /* * Ok, i load the module. What's next? I need to create a DB or i can access the token directly? If so, how can i do this? * Probably the next step is to get the slot info. But how? */ Once you do this, the token certs are available with any db certs that you may already have. Typically in NSS you look up the certs you are interested in. 'User' certs are certs with private keys associated with them. Once you select a cert, you can lookup the key. The you can use that key to sign, decrypt or unwrap. If the cert and key you select are in the token, NSS will use it. You can find an example for decrypting here: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/nss_sample_code/NSS_Sample_Code_sample4 In this example, the cert is found with: cert = PK11_FindCertFromNickname("TestCA", NULL); You can find the cert using on a smartcard with "tokename:certname" as the nickname. If you create a database: mkdir ./certs certutil -N -d ./certs use modutil to add your smart card modutil -add Token-libwdpkcs_icp -lib libwdpkcs_icp.so -dbdir ./certs You can then list all the certs on your smart card with certutil -L -h all -d ./certs (you'll be prompted for the pin for your smartcard). You can also use PK11_ListCertsInSlot() to find all the certs on your smart card. You can use PK11_FindSlotByName() or PK11_FindSlotsByNames to find the slot for your smart card. /usr/include/nss3/pk11pub.h has a list of most of the functions that deal with smart cards. **NOTE*** In the example, you'll need to fix the password function to actually prompt for the password. If you don't, you can lock your token if it has a fixed numbers of retries. bob https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/nss_sample_code/NSS_Sample_Code_sample4 SECMOD_DestroyModule(module); } Can anyone give me some help? Thanks in advance. ps: sorry for my english smime.p7s Description: S/MIME Cryptographic Signature -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Programmatically smartcard/token access with NSS
Hello, i need to access a smartcard for signing documents with the private key stored inside it. The idea is to create a c++ component that will be used with a pnacl module inside chrome's browser. So i decided to use NSS, but i'm confused about what steps i need to do for load the smartcard, access the private key, sign and verify the document. I read almost all the existing documentation and didn find any sample to do that. So, here's my code: int main(int argc, char** argv) { SECMODModule *module; SECStatus rv; static char moduleName[] = "library=libwdpkcs_icp.so name=Token-libwdpkcs_icp"; module = SECMOD_LoadUserModule(moduleName, NULL, PR_TRUE); if(!module) { fprintf(stderr, "fail to load module"); exit(1); } PK11SlotInfo* slot = PK11_GetInternalSlot(); //didnt work. Returns nothing (0x0); /* * Ok, i load the module. What's next? I need to create a DB or i can access the token directly? If so, how can i do this? * Probably the next step is to get the slot info. But how? */ SECMOD_DestroyModule(module); } Can anyone give me some help? Thanks in advance. ps: sorry for my english -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: RFC7512 PKCS#11 URI support
On Thursday, March 17, 2016, John Denniswrote: > On 03/17/2016 10:52 AM, Ryan Sleevi wrote: > >> On a technical front, Chrome and Firefox, as browsers, have been >> removing support for the notion of generic URIs, and investing in >> aligning on the URL spec - that is, making a conscious decision NOT >> to use URIs as URIs. >> > > Could you clarify this statement? > > > NOT to use URIs as URIs > > Is this a typo? > > -- > John > No, it is not a typo. Firefox, Chrome, and other browsers have been focused on https://url.spec.whatwg.org as the IETF spec is inadequate and overbroad and does not reflect the real world. There's more to that story, but that's the simple answer. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: RFC7512 PKCS#11 URI support
On Thursday, March 17, 2016, David Woodhousewrote: > > It is a fundamental part of all the major Linux desktop distributions, > and thus fairly much ubiquitous there. This is a loaded statement, but I still believe this is overstated. But I don't want to get into a "whose distro is better" pissing match. > For fun I tried removing it > recently on OpenSuSE, Fedora and Ubuntu — in all cases it basically > wanted to remove most of the distro. Running 'dnf remove p11-kit' won't > even play any more on Fedora. It just tells me that would require > removing systemd and dnf itself, and tells me 'no'. > > So my proposal that on platforms where p11-kit exists, NSS should just > link to it. But also, to avoid having to build and ship a separate > library on platforms which didn't already have it, I think we should > *import* the URI handling code from libp11-kit. That is mostly isolated > to one file, of 1305 lines which compiles to roughly 10KiB of code > under Linux/x86_64. > > Does that seem like the correct approach? I disagree that this seems like a wise or balanced tradeoff to fork this file. The lessons of SQLite show this just increases maintenance costs and leads to divergence. I respond to this more below. > The other open question, although it doesn't block the work at the > start of the project, is whether we should be extending > PK11_FindCertFromNickname() to accept RFC7512 URIs or whether we should > *only* accept URIs in a new function. I am still strongly opposed to introducing this behaviour to the existing functions. The nickname functions already have significant magic attached to them, both in parsing from NSS APIs and in providing to NSS APIs (filtering or setting the token via parsing or adding to the token name, respectively). This would definitely break Chrome's use of the API, and for that, I think it should be an unacceptable change as it is not backwards compatible. On the topic itself, of support PKCS#11 URIs, I remain opposed, and I would appreciate Richard's take on it. For Chrome, such a feature would have been useless for our Windows and Mac ports, and *is* useless for our iOS and ChromeOS ports. Further, we would not expose this functionality for our Linux port even if it existed, due to cross-platform considerations. On a technical front, Chrome and Firefox, as browsers, have been removing support for the notion of generic URIs, and investing in aligning on the URL spec - that is, making a conscious decision NOT to use URIs as URIs. Anne on the Mozilla side has been working that effort, and can probably speak more to that effort. I would much rather that if this is introduced, it is done so behind a compile time flag, and it's interactions with NSS as a whole kept as a minimum. I understand and appreciate why Fedora/RHEL distros are interested in this, but I don't believe it's something that Chrome would want, and I don't believe it's likely something Firefox would want to ship when it packages NSS, especially on non-Linux platforms. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto