Re: Apache server and NSS db config issue

2015-01-16 Thread Robert Daniels
After chatting with Redhat, mod_nss support for sqlite db is included in the 
current Fedora, but not yet in RHEL.
/ENDOFSTORY
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto


Re: best practices - python-nss to serialize PEM

2015-01-15 Thread Robert Daniels
On Thursday, January 15, 2015 at 8:46:04 AM UTC-5, John Dennis wrote:
 On 01/15/2015 07:50 AM, Robert Daniels wrote:
  We are using python-nss 0.12. I will pull the newest and see if that
  fixes the problem.
 
 Current version is 0.16.0.
 
 Not sure where you're pulling it from, the Mozilla site
 
 https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Python_binding_for_NSS
 
 Is always up to date as well as Fedora packages. I think Debian tracks
 it closely as well.
 
 I just realized that pypi was out of date, it only had 0.14.0. I just
 updated pypi.
 
  
  Also on the password callback, just a theory but it could be since it
  cannot find the cert, it does not get to the point where it needs the
  password.
 
 Makes sense.
 
 
  I'll chime back after testing with a newer version of python-nss.
 
 
 -- 
 John

Ok, I tested this on the latest 0.16 and it works.

Thanks again for the help. 

Robert


Re: best practices - python-nss to serialize PEM

2015-01-15 Thread Robert Daniels
We are using python-nss 0.12. I will pull the newest and see if that fixes the 
problem. 

Also on the password callback, just a theory but it could be since it cannot 
find the cert, it does not get to the point where it needs the password. 

I'll chime back after testing with a newer version of python-nss. 

Thanks again,
Robert


Re: best practices - python-nss to serialize PEM

2015-01-14 Thread Robert Daniels
On Wednesday, January 14, 2015 at 2:36:45 PM UTC-5, Robert Daniels wrote:
 On Wednesday, January 14, 2015 at 11:27:50 AM UTC-5, John Dennis wrote:
  On 01/14/2015 09:58 AM, Robert Daniels wrote:
   Trying as you suggested today, but ran into some other thing which is 
   puzzling.
   
   When I call cert = find_cert_from_nickname(nn, pwd) I successfully pull 
   the server cert.
   I then call find_key_by_any_cert(cert, certpassword) I get an object back 
   (nss.nss.PrivateKey).
   
   So, presumably the PK exists for the cert.
   
   However, after calling pkcx12_data = nss.pkcs12_export(nn, pwd) it throws 
   an exception with Private Key could not be located and exported. 
   
   So confused as why I can get a PrivateKey object, but not export it with 
   the cert. 
  
  Does it work using pk12util?
  
  
  -- 
  John
 
 
 Using pk12util as:
 
 pk12util -n server cert nickname -d sql:nssdb dir -o newfile.p12
 
 I observe that the private key, server certs and CA chain are included in the 
 p12 file.

Make that server cert singular. 


Re: best practices - python-nss to serialize PEM

2015-01-14 Thread Robert Daniels
On Wednesday, January 14, 2015 at 11:27:50 AM UTC-5, John Dennis wrote:
 On 01/14/2015 09:58 AM, Robert Daniels wrote:
  Trying as you suggested today, but ran into some other thing which is 
  puzzling.
  
  When I call cert = find_cert_from_nickname(nn, pwd) I successfully pull the 
  server cert.
  I then call find_key_by_any_cert(cert, certpassword) I get an object back 
  (nss.nss.PrivateKey).
  
  So, presumably the PK exists for the cert.
  
  However, after calling pkcx12_data = nss.pkcs12_export(nn, pwd) it throws 
  an exception with Private Key could not be located and exported. 
  
  So confused as why I can get a PrivateKey object, but not export it with 
  the cert. 
 
 Does it work using pk12util?
 
 
 -- 
 John


Using pk12util as:

pk12util -n server cert nickname -d sql:nssdb dir -o newfile.p12

I observe that the private key, server certs and CA chain are included in the 
p12 file. 


Re: best practices - python-nss to serialize PEM

2015-01-14 Thread Robert Daniels
John,

Some additional observations.

If I debug with a breakpoint over the password callback, it's never called when 
invoking pkcs12_export, however it is invoked when calling 
find_key_by_any_cert. 

I also notice 2 flavors of the callbacks for password, one taking 2 parameters 
and the other 3, which is confusing. find_key_by_any_cert only works with the 
3-parameter flavor. I used a 2-param callback as was given in the sample code 
for test_pkcs12.py

cb1(slot, retry, password)

cb2(slot, retry)

- Robert




Re: best practices - python-nss to serialize PEM

2015-01-14 Thread Robert Daniels
Trying as you suggested today, but ran into some other thing which is puzzling.

When I call cert = find_cert_from_nickname(nn, pwd) I successfully pull the 
server cert.
I then call find_key_by_any_cert(cert, certpassword) I get an object back 
(nss.nss.PrivateKey).

So, presumably the PK exists for the cert.

However, after calling pkcx12_data = nss.pkcs12_export(nn, pwd) it throws an 
exception with Private Key could not be located and exported. 

So confused as why I can get a PrivateKey object, but not export it with the 
cert. 




Re: best practices - python-nss to serialize PEM

2015-01-13 Thread Robert Daniels
I also need to serialize private keys in the same fashion. Any hints greatly 
appreciated. 



Re: best practices - python-nss to serialize PEM

2015-01-13 Thread Robert Daniels
Basically what I'm doing is pulling from the nss store, the private key, server 
cert, and the complete CA cert chain and converting to in-memory PEM. 


Re: best practices - python-nss to serialize PEM

2015-01-12 Thread Robert Daniels
On Monday, January 12, 2015 at 12:49:36 PM UTC-5, John Dennis wrote:
 On 01/12/2015 08:50 AM, robertdaniels2...@gmail.com wrote:
  I'm loading certs via python-nss, and need to serialize the format as
  x509 PEM output. I'm using a mix of python-nss and openssl.
  
  crypto.dump_certificate does not take a nss.Certificate parameter, so
  looking for what is the best practices path to achieve this.
 
 The soon to be released version 0.17.0 has support for serializing a
 SecItem to PEM form. To use it you would get the binary DER data for the
 cert via the der_data property and then serialize it to PEM like this:
 
 nss.SecItem(cert.der_data).to_base64(pem_type='CERTIFICATE')
 
 but ... 0.17.0 hasn't been released yet. So in the mean time you can
 grab the binary DER data from the cert (e.g. cert.der_data) and pass it
 into this Python function
 
 import base64
 def make_pem(der_data):
     # base64-encode the DER bytes, then wrap at 64 columns as PEM requires
     data = base64.b64encode(der_data).decode('ascii')
     pemcert = '\n'.join([data[x:x+64] for x in range(0, len(data), 64)])
     return '-----BEGIN CERTIFICATE-----\n' + \
         pemcert + \
         '\n-----END CERTIFICATE-----'
 
 
 print(make_pem(cert.der_data))
 
 
 -- 
 John

Thanks - got it. 
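An added example, not code from this thread or from python-nss: it extends John's make_pem idea to the private key and CA chain Robert asked to serialize in the same fashion, bundling them into one in-memory PEM string and parsing it back (with the BEGIN/END label check a PEM reader should make). The DER blobs are constructed stand-ins for cert.der_data, and the "PRIVATE KEY" label assumes the key DER is PKCS#8.

```python
import base64
import re

# Constructed sample DER blobs standing in for cert.der_data and the key's DER
# (arbitrary bytes, not real X.509 or PKCS#8 structures).
SAMPLE_SERVER_CERT_DER = bytes(range(256)) * 2
SAMPLE_CA_CERT_DER = bytes(range(128)) * 3
SAMPLE_KEY_DER = bytes(range(255, -1, -1))


def der_to_pem(der_data, pem_type):
    """Wrap DER bytes in a PEM envelope with the given label, 64 base64 chars per line."""
    b64 = base64.b64encode(der_data).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (pem_type, body, pem_type)


def bundle_pem(key_der, server_cert_der, ca_chain_ders, key_type="PRIVATE KEY"):
    """Serialize key, server cert and CA chain (leaf first) as one PEM string.
    key_type assumes a PKCS#8 key DER; use "RSA PRIVATE KEY" for a PKCS#1 RSA key."""
    blocks = [der_to_pem(key_der, key_type), der_to_pem(server_cert_der, "CERTIFICATE")]
    blocks += [der_to_pem(ca, "CERTIFICATE") for ca in ca_chain_ders]
    return "".join(blocks)


# BEGIN and END labels must agree (\1); a block whose labels differ is not accepted.
_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_to_der(pem_text):
    """Parse every PEM block in order into (label, der_bytes); rejects bad base64."""
    blocks = []
    for m in _PEM_BLOCK.finditer(pem_text):
        label, body = m.group(1), "".join(m.group(2).split())
        blocks.append((label, base64.b64decode(body, validate=True)))
    return blocks


if __name__ == "__main__":
    pem = bundle_pem(SAMPLE_KEY_DER, SAMPLE_SERVER_CERT_DER, [SAMPLE_CA_CERT_DER])
    print(pem)
    for label, der in pem_to_der(pem):
        print(label, len(der), "bytes")
```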


Apache server and NSS db config issue

2015-01-12 Thread Robert Daniels
I posted this same question in the Apache group, but it's a hybrid of 
Apache+NSS.

We changed our NSS database to use the newer sqlite certificate store. We 
modified wsgi-sfapi.conf from:

NSSCertificateDatabase /etc/httpd/alias

to 

NSSCertificateDatabase sql:/etc/httpd/alias

Restarting the server showed errors:

Unable to change directory to sql:/etc/httpd/alias

and 

NSS_Initialize failed. Certificate database: /etc/httpd/alias. 
SSL Library Error: -8038

Double-checked permissions; they are all the same as prior to the change:

-rw-r----- root apache cert9.db
-rw-r----- root apache key4.db

Not sure what the issue is. (Working again since we reverted to the old storage 
database, but we'd like to move up to the sqlite flavor)