Re: multiple pkcs 12 files vs. firefox software pkcs 11 module...
NSS_Initialize will not add a new database, but there is a call that will.:https://developer.mozilla.org/en/NSS_PKCS11_Functions#SECMOD_OpenUserDB When you are through you can get rid of close the database with:https://developer.mozilla.org/en/NSS_PKCS11_Functions#SECMOD_CloseUserDB Can I use these calls in a firefox extension? Thanks, Dan ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: multiple pkcs 12 files vs. firefox software pkcs 11 module...
On Oct 28, 5:10 pm, Nelson B Bolyard [EMAIL PROTECTED] wrote: [EMAIL PROTECTED] wrote, On 2008-10-28 13:29: From what I have read, the internal pkcs 11 data store is protected by 1 master password. Is there a way to store my keys in the firefox pkcs 11 data store with their own password [...]? No, at the present time, there is not. Could I get around this problem by creating a new pkcs 11 data store for my extension? (with code reuse from certutil.c) Or will calling NSS_Initialize from within the extension cause problems with the rest of Firefox... Dan ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
storing custom public key / private key pair securely in Firefox
Hi, I have a crypto library which I connect to a Firefox extension using Xpcom. The library generates custom size public and private key pairs which I would like to store securely in Firefox. How would this be done? Thanks, Dan ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
libpkix quality (was: libpkix (was Re: NSS 3.12 codesize hit))
On Aug 9, 10:48 pm, L. David Baron [EMAIL PROTECTED] wrote: On Sunday 2007-07-22 04:40 -0400, Mike Connor wrote: On 22-Jul-07, at 2:59 AM, Robert Sayre wrote: That doesn't sound reasonable. We are going to accept a very large body of code with known quality control problems. If you have evidence that libpkix has known quality control problems, For what it's worth, I do. I just got trace-malloc working on Windows, so I was looking at the list of what we leak when starting and shutting down Firefox. (It's hard to do that on Linux because GNOME and GTK don't bother freeing things on shutdown.) Currently, all we do with libpkix when starting and shutting down the browser is initialize it. That is, we call PKIX_Initialize:http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/security/nss/lib... This creates 7 hash tables and a lock. NSS doesn't currently call PKIX_Shutdown. But if we had it wouldn't have helped us free the memory allocated when creating these 7 hash tables and a lock. Why not? PKIX has its own object system. Every object has, among other things, a reference count, a hash code, and a lock used to protect the reference count and the hash code:http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/security/nss/lib... (I'd note that using atomic operations for reference counts avoids the rather significant size overhead of the lock. And I'm skeptical that the average mutex needs to be put in a hash table.) So, for example, this lock that we create is created in PKIX_PL_MonitorLock_Create:http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/security/nss/lib... which in turn calls PKIX_PL_Object_Alloc:http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/security/nss/lib... which makes sure to allocate the object header (above) in addition to the (one word) PKIX_PL_MonitorLockStruct. So this lock object is an 8 word struct that owns a PRLock (to protect its reference count and hash code) and a PRMonitor (for the locking exposed to the caller), which are not themselves small or simple objects (a PRLock is 132 bytes on Windows; a PRMonitor is three allocations, a 132 byte PRLock, a 132 byte PRCondVar, and a 12 byte PRMonitor). (PKIX_PL_Mutex_Create gives you something similar, except with two PRLocks instead of a PRMonitor and a PRLock.) The hash tables, in turn, have their own PRLock to protect their reference count (like all objects) and a table lock to protect the table (an object created by PKIX_PL_Mutex_Create, which in turn has two PRLocks, one to protect its reference count and one to expose to the caller). When we initialize libpkix, we tell it to use arenas for allocation, by passing PR_TRUE as the second parameter to PKIX_Initialize:http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/security/nss/lib... This means, through a bit of indirection, that the PKIX reference counting functions are no-ops:http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/security/nss/lib... This means that we'll never free all the locks that we allocate, something that I imagine could be a significant memory leak if we did more than create 7 hash tables and a lock. (For just that, it's 3312 bytes of leaked lock structures, excluding the 1 PKIX_PL_MonitorLockStruct, 7 PKIX_PL_MutexStructs, and their header (320 bytes) that were allocated in the arena.) It also means that we'll never return any of these arena-allocated objects to a freelist to be reallocated. Not that we would return them to a freelist if we removed the reference counting, anyway:http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/security/nss/lib... ( And while I'm in that file, I'd note that if we're using arenas, then its version of memcpy returns an *allocation error*:http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/security/nss/lib... . Not that memcpy actually allocates any memory.) -David -- L. David Baronhttp://dbaron.org/ Mozilla Corporation http://www.mozilla.com/ application_pgp-signature_part 1KDownload This message posted by dbaron seems to have been lost in the thread. I'm raising it to its own new thread header position. I didn't see it in David's post, but he mentioned to me that the arena- based allocation of objects with non-LIFO allocation patterns, without a freelist to recycle arena-allocated objects who die in non-LIFO order, seems to be a problem too. That is, without LIFO allocation order, this code will bloat its arenas with uncollected garbage, potentially badly. From what I can see and what David demonstrates, libpkix has wrong- headedly cloned Java's object model into C, in the most inefficient, not-seen-in-a-JVM-since-1995, unjustified for C code, and manifestly bloaty and leaky manner possible. This is not code I want in Firefox 3. Something fairly radical needs to be done to fix this problem. Nothing, certainly not EV cert promises, justifies this quality
Signtool error message No more entries...
Hi I'm trying to sign Firefox plugin with a certificate. Cert is located in .pfx file. I successfully created local db and added my cert into it. certutil -L -d . shows the following: PvkTmp:99ace907-0a0c-4066-bd60-751431d09f92 u,u,u. When I try to sign my dir with signtool -d . -k PvkTmp:99ace907-0a0c-4066-bd60-751431d09f92 - p passw signed/ , I get the following: using certificate directory: . Generating signed//META-INF/manifest.mf file.. -- install.rdf -- Plugins/NPSoda.dll Generating zigbert.sf file.. signtool: the cert PvkTmp:99ace907-0a0c-4066-bd60-751431d09f92 does not exist in the database: No more entries in the directory. the tree signed/ was NOT SUCCESSFULLY SIGNED. But i can see this cert in db using certutil (and actually see this guid inside cert8.db file). The same thing happens when i try to inject my cert into Firefox built- in db. At the same time with manually generated fake cert i signed plugin with no problem. Thanks for any suggestions. ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Cryptographic provider list does not show up in Firefox
Hi, all gurus on board, I guess this must be the right group for my question. I am working on a web-based certification authority application, from where users can apply for X.509 digital certificates. On the certificate application web form, I have a dropdown list of cryptographic providers. This list shows up fine in Internet Explorer 6 on Windows XP Pro SP2, as shown by the screen snapshot below. http://farm1.static.flickr.com/188/428327747_1b0906e0c7.jpg?v=0 But the same list does not show up in Firefox 2.0. The function which gets this list of cryptographic providers is written in VBSCRIPT as shown below. I understand that Firefox does not support VBSCRIPT. So, should I write this function in JavaScript? I am not sure how to do this, though. Any hint would be highly appreciated. OBJECT classid=clsid:127698e4-e730-4e5c- a2b1-21490a70c8a1 CODEBASE=/xenroll.dll id=encoder /OBJECT SCRIPT LANGUAGE=VBSCRIPT !-- Function GetProviderList() Dim CspList, cspIndex, ProviderName On Error Resume Next count = 0 base = 0 enhanced = 0 CspList = ProviderName = For ProvType = 0 to 13 cspIndex = 0 encoder.ProviderType = ProvType ProviderName = encoder.enumProviders(cspIndex,0) while ProviderName Set oOption = document.createElement(OPTION) oOption.text = ProviderName oOption.value = ProvType Document.CertReqForm.CspProvider.add(oOption) if ProviderName = Microsoft Base Cryptographic Provider v1.0 Then base = count end if if ProviderName = Microsoft Enhanced Cryptographic Provider v1.0 Then enhanced = count end if cspIndex = cspIndex +1 ProviderName = ProviderName = encoder.enumProviders(cspIndex,0) count = count + 1 wend Next Document.CertReqForm.CspProvider.selectedIndex = base if enhanced then Document.CertReqForm.CspProvider.selectedIndex = enhanced end if End Function -- /SCRIPT ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Help on building NSPR, NSS on Windows
do u have MS VisualStudio? If not, there is a personal edition for free from Microsot site. Google for it. BTW, I have not resolved my issues yet. NSPR library is fine because every compile is wrapped by cygwin_wrapper that handles the unix-style path before passing it to cl.exe. This is not done for NSS lib and I am not good at gmake to be able to change gmake rules. Please let me know if you get pass this problem. Wei Frank Lee wrote: Hi, while trying to build NSS using instructions from [EMAIL PROTECTED]'s thread below on Help on building NSPR, NSS on Windows, dated Monday, 16 October, 2006 3:16 AM, I encountered this problem. Below is the build error. ... ... creating pr/tests/dll/Makefile creating pr/src/threads/combined/Makefile cd ../../nsprpub/WIN954.0_OPT.OBJ ; make make[1]: Entering directory `/cygdrive/c/Frank_Lee/Eclipse/Academy workspace/NSS SignTools/mozilla/nsprpub/WIN954.0_OPT.OBJ' cd config; make -j1 export make[2]: Entering directory `/cygdrive/c/Frank_Lee/Eclipse/Academy workspace/NSS SignTools/mozilla/nsprpub/WIN954.0_OPT.OBJ/config' sh ../../build/cygwin-wrapper cl -Fonow.obj -c -W3 -nologo -GF -Gy -MD -O2 -UDEBUG -U_DEBUG -UWINNT -DNDEBUG=1 -DXP_PC=1 -DWIN32=1 DWIN95=1 -D_PR_GLOBAL_THREADS_ONLY=1 -D_X86_=1 -DFORCE_PR_LOG /cygdrive/c/Frank_Lee/Eclipse/Academy workspace/NSS SignTools/mozilla/nsprpub/config/now.c ../../build/cygwin-wrapper: line 75: exec: cl: not found make[2]: *** [now.obj] Error 127 make[2]: Leaving directory `/cygdrive/c/Frank_Lee/Eclipse/Academy workspace/NSS SignTools/mozilla/nsprpub/WIN954.0_OPT.OBJ/config' make[1]: *** [export] Error 2 make[1]: Leaving directory `/cygdrive/c/Frank_Lee/Eclipse/Academy workspace/NSS SignTools/mozilla/nsprpub/WIN954.0_OPT.OBJ' make: *** [build_nspr] Error 2 What is this CL anyway? Pardon me, cos I'm a Win-java person, so all this build stuff is quite alien to me. Anyway, all this work I'm trying to do comes from trying to enable my .jsp page to AJAX to a localhost server. Here's my train of actions so far: Ajax to localhost? = Need signed scripts. Signed scripts? = Need SignTool Need SignTool? install cygwin + Build NSS + install moztools' nsinstall. == What further actions I need to do?? If there's any simpler solution to getting my .jsp page to be able to AJAX to my local server, please advise. I'm quite confounded by all this signed script paradigms. Thanks~! Frank Lee ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Cert signing API
Hi, I noticed that the certhigh/ and certdb/ provide some certificate related APIs. But there is not API in signing a certificate. In the cmd/certutil.c, it has a few functions that sign certificates and certificate request. Shall we provide some cert signing API from the NSS library itself? Wei ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Help on building NSPR, NSS on Windows
Julien Pierre wrote: Frank, Frank Lee wrote: sh ../../build/cygwin-wrapper cl -Fonow.obj -c -W3 -nologo -GF -Gy -MD -O2 -UDEBUG -U_DEBUG -UWINNT -DNDEBUG=1 -DXP_PC=1 -DWIN32=1 -DWIN95=1 -D_PR_GLOBAL_THREADS_ONLY=1 -D_X86_=1 -DFORCE_PR_LOG /cygdrive/c/Frank_Lee/Eclipse/Academy_workspace/NSS_SignTools/mozilla/nsprpub/config/now.c make[2]: *** [now.obj] Error 53 make[2]: Leaving directory `/cygdrive/c/Frank_Lee/Eclipse/Academy_workspace/NSS_SignTools/mozilla/nsprpub/WIN954.0_OPT.OBJ/config' make[1]: *** [export] Error 2 make[1]: Leaving directory `/cygdrive/c/Frank_Lee/Eclipse/Academy_workspace/NSS_SignTools/mozilla/nsprpub/WIN954.0_OPT.OBJ' make: *** [build_nspr] Error 2 /build is this a problem with the cl.exe file? I'm using Microsoft Visual C++ 2005 Express Edition, and haven't downloaded Windows® Server 2003 SP1 Platform SDK or the Windows® Server 2003 R2 Platform SDK yet. Are the platform SDKs necessary for building NSS? It seems more and more stuff are needed to be installed... Are you using cygwin's make program ? Please do a which make to verify. If not, you need to do so. I have the same issue. make does not exist under cygwin. I used gmake from moztools. ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Help on building NSPR, NSS on Windows
Nelson B wrote: Frank Lee wrote: Found Cl to be from Microsoft Visual Studio 8 Right. It's Microsoft's version of cc, the c compiler. cl -Fonow.obj -c -W3 -nologo -GF -Gy -MD -O2 -UDEBUG -U_DEBUG -UWINNT -DNDEBUG=1 -DXP_PC=1 -DWIN32=1 -DWIN95=1 -D_PR_GLOBAL_THREADS_ONLY=1 -D_X86_=1 -DFORCE_PR_LOG /cygdrive/c/Frank_Lee/Eclipse/Academy_workspace/NSS_SignTools/mozilla/nsprpub/config/now.c make[2]: *** [now.obj] Error 53 is this a problem with the cl.exe file? No, it's a problem with your cygwin installation, and/or environment. Microsoft's cl program doesn't know about cygwin's expletive /cygdrive hack. You need to configure cygwin to NOT use /cygdrive but instead use windows compatible path names. How do I do this? Thanks, Wei -- Nelson B ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Help on building NSPR, NSS on Windows
Thanks! It turns out that the file configure has \r\n line terminators. I changed it and a few other script files. It now gets passed that but got an error for link link -nologo .. link: invalid option -- n Try `link --help' for more information. $ which link /usr/bin/link $ echo $PATH /usr/local/bin:/usr/bin:/bin:/usr/X11R6/bin:/cygdrive/c/Program Files/Microsoft SDK/bin:/cygdrive/c/Program Files/Microsoft Visual Studio 8/Common7/IDE:/cygdriv e/c/Program Files/Microsoft Visual Studio 8/VC/BIN:/cygdrive/c/Program Files/Mic rosoft Visual Studio 8/Common7/Tools:/cygdrive/c/Program Files/Microsoft Visual Studio 8/SDK/v2.0/bin is the path wrong? Thanks, Wei Wan-Teh Chang wrote: [EMAIL PROTECTED] wrote: I downloaded NSPR 4.6.1 and NSS 3.11 from CVS. But build on Windows failed. I have cygwin, VC++ 2005 personal edition, and moztools installed. OS is Windows XP It failed on nspr configure. Do I need autoconf on my Windows? You don't need autoconf. autoconf is only necessary if you modify mozilla/nsprpub/configure.in and need to regenerate mozilla/nsprpub/configure. When you build NSPR, you only run mozilla/nsprpub/configure, which is just a shell script. I don't know what's wrong with your setup. You need to add C:\cygwin\bin (or the directory you installed Cygwin in) to your PATH environment variable. You should also add the moztools's bin directory to your PATH. I believe the only thing we need from moztools is nsinstall.exe. By the way, you should check out NSPR 4.6.3 and NSS 3.11.3 from CVS. The CVS tags are NSPR_4_6_3_RTM and NSS_3_11_3_RTM. Wan-Teh ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Help on building NSPR, NSS on Windows
Figure that out but still encountered an error due to cygwin's style for file path. gmake[2]: Entering directory `C:/mozilla/mozilla/security/dbm/src' cl /cygdrive/c/mozilla/mozilla/security/dbm/src/../../../dbm/src/h_bigkey.c cl : Command line warning D9002 : ignoring unknown option '/cygdrive/c/mozilla/m ozilla/security/dbm/src/../../../dbm/src/h_bigkey.c' cl : Command line error D8003 : missing source filename VC++ is dumb and treat the path as an option. Wei [EMAIL PROTECTED] wrote: Thanks! It turns out that the file configure has \r\n line terminators. I changed it and a few other script files. It now gets passed that but got an error for link link -nologo .. link: invalid option -- n Try `link --help' for more information. $ which link /usr/bin/link $ echo $PATH /usr/local/bin:/usr/bin:/bin:/usr/X11R6/bin:/cygdrive/c/Program Files/Microsoft SDK/bin:/cygdrive/c/Program Files/Microsoft Visual Studio 8/Common7/IDE:/cygdriv e/c/Program Files/Microsoft Visual Studio 8/VC/BIN:/cygdrive/c/Program Files/Mic rosoft Visual Studio 8/Common7/Tools:/cygdrive/c/Program Files/Microsoft Visual Studio 8/SDK/v2.0/bin is the path wrong? Thanks, Wei Wan-Teh Chang wrote: [EMAIL PROTECTED] wrote: I downloaded NSPR 4.6.1 and NSS 3.11 from CVS. But build on Windows failed. I have cygwin, VC++ 2005 personal edition, and moztools installed. OS is Windows XP It failed on nspr configure. Do I need autoconf on my Windows? You don't need autoconf. autoconf is only necessary if you modify mozilla/nsprpub/configure.in and need to regenerate mozilla/nsprpub/configure. When you build NSPR, you only run mozilla/nsprpub/configure, which is just a shell script. I don't know what's wrong with your setup. You need to add C:\cygwin\bin (or the directory you installed Cygwin in) to your PATH environment variable. You should also add the moztools's bin directory to your PATH. I believe the only thing we need from moztools is nsinstall.exe. By the way, you should check out NSPR 4.6.3 and NSS 3.11.3 from CVS. The CVS tags are NSPR_4_6_3_RTM and NSS_3_11_3_RTM. Wan-Teh ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Help on building NSPR, NSS on Windows
I downloaded NSPR 4.6.1 and NSS 3.11 from CVS. But build on Windows failed. I have cygwin, VC++ 2005 personal edition, and moztools installed. OS is Windows XP It failed on nspr configure. Do I need autoconf on my Windows? : command not found: : command not found: : command not found6: : command not found00: : command not found07: '/configure: line 110: syntax error near unexpected token `do '/configure: line 110: `do Would appreciate any help. Thanks, Wei ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: AES in CFB128 mode?
Wan-Teh Chang wrote: [EMAIL PROTECTED] wrote: Wan-Teh Chang wrote: Why would you like to use the CFB mode? Because that's what the current (non-NSS) code does. I'd rather just port, not change, the code. Is the CFB mode used in your implementation of some standard? Just curious. No, it is not a standard. ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: AES in CFB128 mode?
[EMAIL PROTECTED] wrote: Wan-Teh Chang wrote: [EMAIL PROTECTED] wrote: Wan-Teh Chang wrote: Why would you like to use the CFB mode? Because that's what the current (non-NSS) code does. I'd rather just port, not change, the code. Is the CFB mode used in your implementation of some standard? Just curious. No, it is not a standard. But it is used by SNMP http://www.rfc-archive.org/getrfc.php?rfc=3826 ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: AES in CFB128 mode?
Wan-Teh Chang wrote: [EMAIL PROTECTED] wrote: Is it possible to use AES in CFB128 mode using NSS? If yes, how? :) (if no, why not? :) ) No, CFB128 mode is not implemented. You can only use AES in ECB or CBC mode. Nobody asked for CFB mode support before. Why would you like to use the CFB mode? Because that's what the current (non-NSS) code does. I'd rather just port, not change, the code. ... Allan ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
AES in CFB128 mode?
Is it possible to use AES in CFB128 mode using NSS? If yes, how? :) (if no, why not? :) ) ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Building (running) NSS cmd tools?
I've followed the build instructions on checkout and building NSS (after giving up on getting it to build the cmd utils inside my main mozilla tree). It also compiles fine, but I cannot seem to actually run the cmd utils. I've included the MS redist files, and try to run rsaperf from the lib directory: [EMAIL PROTECTED] /cygdrive/c/nss/mozilla/dist/WINNT5.1_DBG.OBJ/lib $ ../bin/rsaperf.exe Which only results in: The application failed to initialize properly (0xc022). Click on OK to terminate the application. My env. is (cygwin) Windows XP, and I'm usually a Linux guy, so it might be quite simple :) ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Trunk: Please watch out for regressions with secure sites
Is the error message (Dearpark and secureads.ft.com can not communicate securily because they have no common encryption algorithms?) generated from http://news.ft.com/cms/s/257d272e-c665-11da-99fa-779e2340.html anything to do with this? ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Selection of a certificate.
Hello, (I think that...)I see that mozilla in automatic mode, return certificate that server request. Is a good choice for easy use of user certificates. But if server is not very clean in use of datum of certificate can be a compromise of privacy.I think that could be a good choice that mozilla only automatic select user certificate without ask for a list of servers selected by user.For the rest of servers the user should be asked before send user certificate. Prueba el Nuevo Correo Terra; Seguro, Rpido, Fiable. ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto