Re: Domain Name Mismatch
So easy! Thanks, Nelson.

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
Domain Name Mismatch
My domain name is hosted at lunarpages.com; when I access my e-mail, Thunderbird presents an error dialog entitled "Security Error: Domain Name Mismatch". The text is:

"You have attempted to establish a connection with byandlarge.net. However, the security certificate presented belongs to libra.lunarpages.com. It is possible, though unlikely, that someone may be trying to intercept your communication with this web site. If you suspect the certificate shown does not belong to byandlarge.net, please cancel the connection and notify the site administrator."

I think I understand the reason for the message being displayed. I'd like to do something so that it does not come up in future. What can I do?
Re: My shy certificate
Some more information: I notice that in one scenario, the one where the private key is marked 'not available' in ProtectTools, there appears a button in the Certificate Viewer, labelled 'Install Certificate...'. Naturally, I push the button.

I am led through the Certificate Import Wizard, whose introduction says, "This wizard helps you copy certificates, certificate trust lists, and certificate revocation lists from your disk to a certificate store." I click Next. I am asked to select a system area for storage of the certificate. I select "Determine automatically based on the type of certificate". The wizard says, "The import was successful."

I look around to see what has changed. Nothing. Not a thing. The private keys are still marked as unavailable.
Re: My shy certificate
Peter Djalaliev wrote:
> ...It seems that all private keys (thank you for the correction here) generated in the TPM never leave it, unless they are marked as migratable and are migrated to another TPM. The corresponding public keys can be exported

In support of your conclusion: the ProtectTools Certificate Viewer can export certificates as files; and, even when it considers the private key to be 'available', it greys out the option of exporting the private key along with the certificate. The TPM is like the Mafia: when you're in, you're in.

I think I remember reading that it is possible to transfer a certificate to another TPM, including the private key, but it requires some kind of handshake with the target TPM; you cannot export to a file whose destination is unspecified.

I am perplexed by something: the export-to-file wizard in ProtectTools offers the user several file formats: DER encoded binary X.509 (.cer), Base-64 encoded X.509 (.cer), Cryptographic Message Syntax Standard (.p7b), and PKCS#12 (.pfx). That last option, the PKCS#12 option, is always greyed out (unavailable); why? Might it be that .pfx requires that the private key be exported too?
Re: My shy certificate
Nelson Bolyard wrote:
> A week after applying for his certificate, he downloaded the certificate onto the same desktop box where he had generated the CSR, which combined the cert and private key in the same mozilla softoken module. Then he "exported" the cert and private key into a PKCS#12 file, which he then imported onto the notebook. That's how I read the description. Dave, if I misunderstood, please jump in here. :)

It was as you have described, Nelson. The purchase process took me through a wizard-like sequence of pages; at one step in that process, the keys were generated and installed in Firefox. I don't know the mechanics of how the keys were generated; I assume that it happened in Firefox, but perhaps they were generated on the GateKeeper (CA) server and downloaded into Firefox - could a web site initiate key generation inside Firefox? In any case, the public and private keys were created on a machine that had no TPM, and moved to the machine with the TPM as a .p12 file.

Dave
Re: My shy certificate
Thanks for doing some research on this, Peter. I am comforted by the participation of several dedicated and generous souls in the investigation of this problem.

It is currently 9:20 pm here in Sydney; I will attempt to contact a techie at HP tomorrow, to see if I can get some answers. I posted several messages on the HP support forums, with zero replies, but maybe I will be more successful by phone.

Dave
Re: My shy certificate
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>certutil -L -h "Embedded Security Chip" -d X:/ThunderbirdProfile
Enter Password or Pin for "Embedded Security Chip":
Embedded Security Chip:David Michael Pinn's eSign Australia ID   u,u,u
Embedded Security Chip:David Michael Pinn's eSign Australia ID   pu,Pu,pu

C:\>

ta-da!
Re: My shy certificate
I need to clarify something: there are two states in which I can have my notebook (the one with the TPM):

1. Certificates directly (via ProtectTools import function) and fully (the icons indicate that private keys are available) imported into the TPM. This is the state in which I found my machine at the end of the certificate purchase process that I described earlier in detail. In this state, Thunderbird *cannot* see the certificates; nor can certutil.

2. Certificates indirectly (via Thunderbird) imported into the TPM. In this state, Thunderbird can see and use the certificates to sign and validate signed e-mails; but the icons in the ProtectTools Certificate Viewer show that the private key is not available. certutil *can* see the certificates (I will re-verify this later tonight).

It is unclear to me where the private keys are in fact stored; and that is my only remaining concern.

Dave
Re: My shy certificate
Nelson B wrote:
> So, assuming that you're the first of many future HP TPM users, please help us to understand exactly how you got that private key in the first place.

With pleasure:

On a desktop PC, I opened Mozilla Firefox, and navigated to http://www.verisign.com.au/gatekeeper/individual.shtml. I clicked Buy Now, and followed the instructions presented to me. At a point in that process, I was informed that public and private keys had been created for me. Further, I was informed that, when I eventually received my certificate - it takes about a week - I would have to download and install it using the same machine with which I had registered.

I then took an inordinate number of identity evidence documents to the post office, had an interview, and submitted a form.

A week later, I received an e-mail with instructions on how to download my certificate. Again using my desktop PC, I downloaded the certificate - well two actually: one for signing, and one for encrypting - and installed it in Firefox. I don't remember the exact sequence of key presses, but I know that it had to be done from the same browser that I had used for registration. I also downloaded the root certificate for GateKeeper.

I opened Firefox's Certificate Manager, highlighted one of the certificates, clicked Backup, entered a new file name, and clicked Save. Firefox required me to enter a password that would protect the new file. Firefox then informed me, "Successfully backed up your security certificate(s) and private key(s)." I did the same with the other certificate.

I copied the two files to my notebook: the one with the TPM. I opened the Embedded Security Certificate Viewer, and clicked Import. I selected one of the backup .p12 files, and entered the password that I had used to protect it. The certificate was successfully imported, and showed up in the Certificate Viewer. I did the same with the other certificate file.

The icons next to the imported certificates indicated that the private keys had been successfully imported.
Re: My shy certificate
Arshad Noor wrote:
> You may have been a little hasty, Dave.

It wouldn't be the first time, Arshad.

> I suspect you've deleted the Private Key from the TCP chip.

Hmm. I think you may be right.

> But if you did delete it from ProtectTools, where did you find a certificate to import it into Thunderbird?

I obtained the certificate from Verisign, using IE, from which I exported a .p12 file. I cunningly saved the .p12 file for just an emergency.

> Thunderbird allows you to import a cert into its cert-store even without a Private Key, because the tool can legitimately use a certificate to encrypt e-mails with it. However, the certificate most likely will not show up as Your Certificate, but as belonging to Other People.

No, it shows up under "Your Certificates" - this is a good thing, yes? I sent a signed e-mail to myself, and, as the recipient, successfully validated the signature. So that private key is lurking around somewhere, right? It may not be in the TPM, but it lives.

> The Private Key was in the TCP chip (ProtectTools), but if you deleted the certificate associated with it, you've likely deleted the Private Key too.
>
> BTW, what model of the HP comes with this chip? Thanks.

The model is Compaq nw8440. It has a TPM chip, fingerprint reader, and adds all manner of enhanced security features, like: creation of virtual encrypted drive, hard disk drive locking, BIOS protection, and enhanced folder encryption. Way cool.

Thanks for taking an interest, Arshad.
Re: My shy certificate
I am very excited to report that I managed to find a solution, although why it worked remains a mystery. I deleted my certificate from ProtectTools; I then imported it into Thunderbird, selecting "Embedded Security Chip" as the token. Simple, huh? Why didn't I try that earlier, I ask myself.

One thing still puzzles me. There's an icon in ProtectTools Certificate Viewer for each certificate; the one next to the certificate that I added to Thunderbird "is used for certificates without corresponding private key" (according to the Help documentation). So where is the private key? Could it still be in Thunderbird's certificate database? I don't want it in there; I want it to be safely stored away in the TPM. Can good ol' modutil and certutil help me determine where my private key is?
Re: My shy certificate
Is there a Mozilla utility with which I can attempt to import a certificate *into* my PKCS#11 module?
Re: My shy certificate
Nelson Bolyard wrote:
> Try certutil -L -h all to get a list of all certs in all slots.

X:\ThunderbirdProfile>certutil -L -h all -d .
Enter Password or Pin for "Embedded Security Chip":
Gatekeeper Root CA - eSign Australia  CT,C,C
Gatekeeper Grade 3 Individual CA - eSign Australia  CT,C,C
Gatekeeper TYPE 3 CA - eSign Australia  CT,C,C
Builtin Object Token:Verisign/RSA Secure Server CA  CG,C,p
Builtin Object Token:GTE CyberTrust Root CA  CG,C,C
Builtin Object Token:GTE CyberTrust Global Root  CG,C,C
Builtin Object Token:Thawte Personal Basic CA  p,C,C
Builtin Object Token:Thawte Personal Premium CA  p,C,C
Builtin Object Token:Thawte Personal Freemail CA  p,C,p
Builtin Object Token:Thawte Server CA  CG,p,C
Builtin Object Token:Thawte Premium Server CA  CG,p,C
Builtin Object Token:Equifax Secure CA  C,C,C
Builtin Object Token:ABAecom (sub., Am. Bankers Assn.) Root CA  CG,C,C
Builtin Object Token:Digital Signature Trust Co. Global CA 1  CG,C,C
Builtin Object Token:Digital Signature Trust Co. Global CA 3  CG,C,C
Builtin Object Token:Digital Signature Trust Co. Global CA 2  CG,C,C
Builtin Object Token:Digital Signature Trust Co. Global CA 4  CG,C,C
Builtin Object Token:Verisign Class 1 Public Primary Certification Authority  p,C,p
Builtin Object Token:Verisign Class 2 Public Primary Certification Authority  p,C,C
Builtin Object Token:Verisign Class 3 Public Primary Certification Authority  CG,C,C
Builtin Object Token:Verisign Class 1 Public Primary Certification Authority - G2  p,C,p
Builtin Object Token:Verisign Class 2 Public Primary Certification Authority - G2  p,C,C
Builtin Object Token:Verisign Class 3 Public Primary Certification Authority - G2  C,C,C
Builtin Object Token:Verisign Class 4 Public Primary Certification Authority - G2  CG,C,C
Builtin Object Token:GlobalSign Root CA  C,C,C
Builtin Object Token:ValiCert Class 1 VA  C,C,C
Builtin Object Token:ValiCert Class 2 VA  C,C,C
Builtin Object Token:RSA Root Certificate 1  C,C,C
Builtin Object Token:Verisign Class 1 Public Primary Certification Authority - G3  p,C,p
Builtin Object Token:Verisign Class 2 Public Primary Certification Authority - G3  p,C,C
Builtin Object Token:Verisign Class 3 Public Primary Certification Authority - G3  C,C,C
Builtin Object Token:Verisign Class 4 Public Primary Certification Authority - G3  CG,C,C
Builtin Object Token:Entrust.net Secure Server CA  C,C,C
Builtin Object Token:Entrust.net Secure Personal CA  C,C,C
Builtin Object Token:Entrust.net Premium 2048 Secure Server CA  C,C,C
Builtin Object Token:Baltimore CyberTrust Root  C,C,p
Builtin Object Token:Equifax Secure Global eBusiness CA  C,C,C
Builtin Object Token:Equifax Secure eBusiness CA 1  C,C,C
Builtin Object Token:Equifax Secure eBusiness CA 2  C,C,C
Builtin Object Token:Visa International Global Root 2  C,C,p
Builtin Object Token:beTRUSTed Root CA  C,C,C
Builtin Object Token:AddTrust Low-Value Services Root  C,C,p
Builtin Object Token:AddTrust External Root  C,C,C
Builtin Object Token:AddTrust Public Services Root  ,,
Builtin Object Token:AddTrust Qualified Certificates Root  C,C,C
Builtin Object Token:Verisign Class 1 Public Primary OCSP Responder  C,C,C
Builtin Object Token:Verisign Class 2 Public Primary OCSP Responder  C,C,C
Builtin Object Token:Verisign Class 3 Public Primary OCSP Responder  C,C,C
Builtin Object Token:Verisign Secure Server OCSP Responder  C,C,C
Builtin Object Token:Verisign Time Stamping Authority CA  C,C,C
Builtin Object Token:Thawte Time Stamping CA  C,C,C
Builtin Object Token:Entrust.net Global Secure Server CA  C,C,C
Builtin Object Token:Entrust.net Global Secure Personal CA  C,C,C
Builtin Object Token:AOL Time Warner Root Certification Authority 1  C,C,C
Builtin Object Token:AOL Time Warner Root Certification Authority 2  C,C,C
Builtin Object Token:beTRUSTed Root CA-Baltimore Implementation  C,C,C
Builtin Object Token:beTRUSTed Root CA - Entrust Implementation  C,C,C
Builtin Object Token:beTRUSTed Root CA - RSA Implementation  C,C,C
Builtin Object Token:RSA Security 2048 v3  C,C,C
Builtin Object Token:RSA Security 1024 v3  C,C,C
Builtin Object Token:GeoTrust Global CA  C,C,C
Builtin Object Token:UTN-USER First-Network Applications  C,C,C
Builtin Object Token:America Online Root Certification Authority 1  C,C,C
Builtin Object Token:America Online Root Certification Authority 2  C,C,C
Builtin Object Token:Visa eCommerce Root  C,C,C
Builtin Object Token:TC TrustCenter, Germany, Class 2 CA  C,C,C
Builtin Object Token:TC TrustCenter, Germany, Class 3 CA  C,C,C
Builtin Object Toke
Re: My shy certificate
I ran certutil -L, which produced the following output (some lines deleted to protect my privacy):

Gatekeeper TYPE 3 CA - eSign Australia  CT,C,C
Gatekeeper Grade 3 Individual CA - eSign Australia  CT,C,C
Gatekeeper Root CA - eSign Australia  CT,C,C

What conclusions should I now draw?
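The two certutil -L listings in this thread (the one that shows the "Embedded Security Chip:... u,u,u" entries, and this one that shows only CA entries) can be read mechanically: the optional "token:" prefix says which PKCS#11 token holds the object, and the trust triple (SSL, S/MIME, object signing) contains a 'u' only when NSS has found a private key with the same CKA_ID as the cert. The parser below is an added example, not part of the original posts or of NSS; the sample listing is constructed from lines quoted in the thread, and the flag meanings are those printed by certutil -H.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of the certutil -L lines quoted in this
# thread: an optional "token:" prefix, the nickname, then the trust triple.
SAMPLE_LISTING = """\
Gatekeeper Root CA - eSign Australia                          CT,C,C
Gatekeeper Grade 3 Individual CA - eSign Australia            CT,C,C
Builtin Object Token:Thawte Personal Freemail CA              p,C,p
Builtin Object Token:AddTrust Public Services Root            ,,
Embedded Security Chip:David Michael Pinn's eSign Australia ID   u,u,u
Embedded Security Chip:David Michael Pinn's eSign Australia ID   pu,Pu,pu
"""

# Trust-flag letters as certutil prints them (see certutil -H).
FLAG_NAMES = {
    "p": "prohibited (explicitly distrusted)",
    "P": "trusted peer",
    "c": "valid CA",
    "T": "trusted CA to issue client certs",
    "C": "trusted CA to issue server certs",
    "u": "user cert (private key found via matching CKA_ID)",
    "w": "send warning",
    "G": "government-approved CA (step-up)",
}
USAGES = ("SSL", "S/MIME", "object signing")
FLAG_CHARS = "".join(FLAG_NAMES)

LINE_RE = re.compile(
    r"^(?:(?P<token>[^:]+):)?(?P<nick>.*?)\s*"
    rf"(?P<trust>[{FLAG_CHARS}]*,[{FLAG_CHARS}]*,[{FLAG_CHARS}]*)$"
)


@dataclass
class CertEntry:
    token: Optional[str]          # None = the profile's own NSS cert DB
    nickname: str
    trust: Tuple[str, str, str]   # (SSL, S/MIME, object signing)

    def has_private_key(self) -> bool:
        # NSS marks a cert 'u' only when it finds a private-key object whose
        # CKA_ID matches the cert's; that is what "Your Certificates" needs.
        return any("u" in flags for flags in self.trust)


def parse_listing(text: str) -> List[CertEntry]:
    """Parse certutil -L output; lines that are not cert entries are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line) if line else None
        if not m:
            continue   # headers, "Enter Password or Pin" prompts, blank lines
        ssl, email, objsign = m.group("trust").split(",")
        entries.append(CertEntry(m.group("token"), m.group("nick").strip(),
                                 (ssl, email, objsign)))
    return entries


def explain_trust(trust: Tuple[str, str, str]) -> Dict[str, List[str]]:
    """Map each usage column to the human-readable meaning of its flags."""
    return {usage: [FLAG_NAMES[c] for c in flags]
            for usage, flags in zip(USAGES, trust)}


def user_cert_tokens(entries: List[CertEntry]) -> List[str]:
    """Tokens on which at least one cert has a usable private key."""
    return sorted({e.token or "NSS Certificate DB"
                   for e in entries if e.has_private_key()})


if __name__ == "__main__":
    entries = parse_listing(SAMPLE_LISTING)
    for e in entries:
        print(f"{e.token or 'cert DB':24} {e.nickname:48} key={e.has_private_key()}")
    print("tokens holding user certs:", user_cert_tokens(entries))
```

Run against the listing in this post, user_cert_tokens() returns an empty list, which is the conclusion the question asks for: no token visible to Thunderbird has a cert with a matching private key.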
Re: My shy certificate
I created the .netscape directory, and plonked into it the following files from my Thunderbird profile directory:

1. cert8.db
2. key3.db
3. secmod.db

I then ran modutil -list, which produced the following output:

Listing of PKCS #11 Modules
---
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. Builtin Roots Module
        library name: C:\Program Files\Mozilla Thunderbird\nssckbi.dll
         slots: 1 slot attached
        status: loaded

         slot:
        token: Builtin Object Token

  3. HP TPM
        library name: C:\WINDOWS\system32\IfxTpmCk.dll
         slots: 1 slot attached
        status: loaded

         slot: HP ProtectTools Embedded Security Chip
        token: Embedded Security Chip
---

So it appears that the ProtectTools PKCS#11 module is loaded. Now for certutil; stay tuned.
Re: My shy certificate
Nelson B Bolyard wrote:
> ...
> 1) use modutil to get a listing of all the PKCS#11 modules that have been configured into Thunderbird. If your new laptop's PKCS#11 module is not among them, that's the first thing to fix.
> ...

I downloaded the NSS 3.11 binary build for WINNT5.0 - there were no builds for Win XP specifically - and the corresponding NSPR 4.6 binary build. When I run modutil -list, I get the following error message:

ERROR: Directory "/.netscape" does not exist.
Re: My shy certificate
Nelson B Bolyard wrote:
> Out of curiosity, what tool(s) did you use to get that data?

An Embedded Security Certificate Viewer is part of HP's ProtectTools suite. There's no way to copy the output of the viewer to the clipboard, so I had to transpose it manually.
Re: My shy certificate
Nelson B wrote:
> Best bet is to get a formatted listing of the certificate itself, showing all the extensions and their criticality.

OK, here goes:

Non-critical X.509 version 3 extensions:
* CRL Distribution Points
* Authority Key Identifier
* Subject Key Identifier
* Authority Information Access
* Subject Alternative Name
* Netscape Cert Type
* Certificate Policies

Critical X.509 version 3 extensions (values shown below keys):
* Basic Constraints
  - Subject Type=End Entity, Path Length Constraint=None
* Key Usage
  - Digital Signature, Non-Repudiation (c0)

I don't have a clue what it all means. Is it all good?
Re: My shy certificate
Peter Djalaliev wrote:
> Hello Dave,
>
> In your first posting, you said that you have loaded "the relevant PKCS#11 module". What module are you using? Is it provided with ProtectTools?

The module ships with ProtectTools as a DLL: ifxtpmck.dll, to be precise.

> Otherwise, I read through some of the HP ProtectTools Embedded Security Manager whitepapers and it seems that the private key and certificate should both be accessible through the PKCS#11 interfaces...

Cool!

> Please tell us when you find the solution, I am quite interested :)

I certainly will. I'm new to cryptography and digital security in general, and I'm having much more fun than is reasonable sorting it all out. When I bought my notebook (Compaq nw8440, if you are interested), I had no idea that it came with an embedded security chip, nor any of the marvelous software that manages it. I bought the digital certificate just for fun - I must be mad.

I have a sneaking suspicion now that it is the certificate that is wonky. It is provided by verisign, but it is special: it is compliant with Gatekeeper (http://www.verisign.com.au/gatekeeper/), which is an initiative of the Australian Federal Government. If only I could print out the details of the certificate and post them here so that everyone could check them out for me. Gotta be careful, though, that I don't publish something that should be secret.
Re: My shy certificate
Dave Pinn wrote:
> Right-oh. I'd love to run pk11util. Do you know of a binary build of pk11util for Windows XP?

Hang on, am I being blonde? Is NSS something that I can download and run, which incorporates pk11util?
Re: My shy certificate
Nelson B wrote:
> Have you looked in all of cert manager's tabs?

Yes, I have looked; it does not appear in any of Certificate Manager's tabs.

> Your cert won't show up in "Your certificates" unless TBird can also find the private key as a PKCS#11 object, with the same CKA_ID value as the cert (and/or public key) object(s).

Hmmm. I understand that HP's ProtectTools Embedded Security Manager encrypts private keys. Here's an excerpt from a document entitled "HP ProtectTools Embedded Security – the HP Trusted Computing implementation":

"In a conventional security implementation, the private key is stored on the local hard drive, potentially compromising the user’s digital identity. One of the primary applications for ProtectTools Embedded Security is to help provide stronger protection for the user’s digital identity by encrypting the private key with another key that is uniquely associated with the given user and resides within the TPM itself."

I'm wondering if that means that the private key is unavailable to Thunderbird; although, if ProtectTools implements the PKCS#11 standard...

> Modern certificates contain data elements called extensions. There are "well known" extensions, that everybody uses, and there are other extensions, less well known, and there may be extensions completely unknown to TBird. Extensions may be marked "critical" (or not). When an extension is marked critical, this tells the relying software (such as mozilla/FF/TB) "Don't use this certificate at all, unless you fully understand the format and meaning of this extension". So, if your cert has an unknown critical extension, mozilla/FF/TB will ignore it.
>
> Best bet is to get a formatted listing of the certificate itself, showing all the extensions and their criticality. pk11util's new -l (ell, for list) option would show you ALL the necessary info to debug this issue, I think.

Right-oh. I'd love to run pk11util. Do you know of a binary build of pk11util for Windows XP?
My shy certificate
I'm newish to security issues, so be gentle with me.

I bought a digital certificate, and installed it on my TPM chip. I have loaded the relevant PKCS #11 module in Thunderbird; however, the certificate on my TPM chip does not appear in Thunderbird's Certificate Manager. I know that Thunderbird is accessing the PKCS#11 module, because it asks me for my TPM password when I open Certificate Manager.

After reading the posts in this group, I checked that the certificate has a nickname (Yes). I'm wondering if it could have something to do with certificate purposes: my certificate says that it is intended for "All application policies", but doesn't specifically list e-mail signing as an intended purpose.

I don't have to import the certificate into Thunderbird separately, do I? I mean, it should stay in the TPM, and Thunderbird should be able to see it, right? I dunno; I'm lost.

Any ideas where I should start looking for a cause?

Dave