Re: How to refresh Firefox keystore

2010-07-05 Thread Subrata Mazumdar
I am not sure about the current version (3.6) of FF, but in earlier versions (FF 2.0 and 3.0), the key/certificate DB did not support multiple write interfaces i.e. DB write using one API does not get propagated to other API. As a result, keys/certs added by JSS API are not picked by the PSM XPCOM

Can I add more than one e-mail addresses as subjAltName extension in X.509 cert

2010-05-15 Thread Subrata Mazumdar
Hi, Can I add more than one e-mail addresses as subjAltName extension in X.509 cert? Since, value type of subjAltName is GeneralNames, I know I am allowed to do that syntactically. My questions are : - Does this fall within the best practices for X.509 based PKI? - Are the NSS APIs

Re: Problems importing PKCS #12 client certs

2010-02-14 Thread Subrata Mazumdar
Hi, My experience so far is that PSM Certificate Manager is never launched when PKCS#12 link is clicked. Not on Windows. Not on Linux (as described by the bug filer). Do not remember for Mac OS X. Here is what I think is the explanation for the behavior on windows: On Windows PKCS#12 file

Re: Smart Cards and Keygen

2010-01-27 Thread Subrata Mazumdar
Hi Sudha, Yes, you can check for existence of smart card by using the nsIPK11Token.isHardwareToken() method. (http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/public/nsIPK11Token.idl#88) You can iterate over all the tokens, and check for existence of hard token as follows:

Re: Accessing Certificate Issuer and Issued to in mozilla using JS

2010-01-18 Thread Subrata Mazumdar
Hi Sunny, Here are some Cert-related utility code (in Javascript) using XPCOM API for Mozilla PSM/NSS: Note: Look into the IDL files for details about the attributes, methods, and related comments. // IDL file for nsIX509CertDB :

Re: Adding self-signed cert to database

2009-08-13 Thread Subrata Mazumdar
Hi Aditya, you can find trust related info in certutil documentation : http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html. Look for the -t option for the trust arguments. If you know that it is a server cert, you can also use the

Re: PKCS#11 Module for TPM available

2009-07-09 Thread Subrata Mazumdar
Please see my inline responses. Martin Schneider wrote: Hello Subrata and others Thanks for your reply. Unfortunately this doesn't work for me. Here is a bash shell-script that I have used to start the Opencryptoki PKCS#11 driver : # BIOS Set up # Step 1. Turn the computer off. # Step 2.

Re: PKCS#11 Module for TPM available

2009-07-07 Thread Subrata Mazumdar
Hi Martin, last December I configured TPM in my Dell D820 to access from Firefox on Linux. I am guessing that you are looking for info for Linux. For windows, PKCS#11 drivers are typically supplied by the TPM vendor like any other smart card vendor. Initialization of TPM for PKCS#11

Re: failed to generate key using window.crypto.generateCRMFRequest() method

2009-05-16 Thread Subrata Mazumdar
-token. But, I am not going to question developer's decision because they have to live with the consequences. -- Subrata Wan-Teh Chang wrote: On Thu, May 14, 2009 at 8:53 PM, Subrata Mazumdar subrata.mazum...@ieee.org wrote: I just have another question. According to the source code (http

Re: failed to generate key using window.crypto.generateCRMFRequest() method

2009-05-14 Thread Subrata Mazumdar
Nelson B Bolyard wrote: Kaspar Brand wrote, On 2009-05-13 22:16: Subrata Mazumdar wrote: As I have said in the earlier message, I have no problem in generating EC key-pair. I get error when I try to sign the request using the private key. Maybe you're falling prey

failed to generate key using window.crypto.generateCRMFRequest() method

2009-05-13 Thread Subrata Mazumdar
Hi, I am not able to generate key using window.crypto.generateCRMFRequest() method. I have tried all three possible types : rsa, dsa, and ec. I have attached my test code fragment. I am running the test within an add-on - on Firefox 3.0.10/Fedora8. I am getting NS_ERROR_FAILURE in exception

Re: failed to generate key using window.crypto.generateCRMFRequest() method

2009-05-13 Thread Subrata Mazumdar
3.0.10? -- Subrata Subrata Mazumdar wrote: Hi, I am not able to generate key using window.crypto.generateCRMFRequest() method. I have tried all three possible types : rsa, dsa, and ec. I have attached my test code fragment. I am running the test within an add-on - on Firefox 3.0.10/Fedora8. I am

Re: failed to generate key using window.crypto.generateCRMFRequest() method

2009-05-13 Thread Subrata Mazumdar
David Stutzman wrote: Subrata Mazumdar wrote: On further testing and reading the description of generateCRMFRequest() method doc, I figured out why the key generation was failing. I have to pass keySize as integer type not string type. The key generation now works for RSA and DSA key types

Re: failed to generate key using window.crypto.generateCRMFRequest() method

2009-05-13 Thread Subrata Mazumdar
Nelson B Bolyard wrote: Subrata Mazumdar wrote, On 2009-05-13 06:45 PDT: The key generation now works for RSA and DSA key types but it still fails for EC key type. else if (keyType == "dsa") { keyGenAlg = "dsa-sign-nonrepudiation"; keyParams = null; } According

Re: Fetch server certificate from an authenticated SSL session

2009-03-21 Thread Subrata Mazumdar
Hi Arun, You can follow the code in PSM that displays the server certificate when you double-click on the lock icon in the status-bar : http://mxr.mozilla.org/mozilla-central/source/browser/base/content/pageinfo/security.js#119

Re: Unable to change password of FIPS enabled internal key token

2008-10-07 Thread Subrata Mazumdar
Wan-Teh Chang wrote: 2008/10/6 Kai Engert [EMAIL PROTECTED]: Wan-Teh Chang wrote: - The password must be at least seven characters long. - The password must consist of characters from three or more character classes (uppercase, lowercase, digits, etc.). NSS rejects

Unable to change password of FIPS enabled internal key token

2008-10-03 Thread Subrata Mazumdar
Hi, I am using Firefox 3.0.3. I have FIPS enabled the software security device using Security Devices dialog window in PSM. This step forced me to add password protect the internal Key token (Software security device). Then, I tried to change the password of the internal key token using the

Re: Unable to read PKCS#8 file generated using OpenSSL command line tool

2008-09-29 Thread Subrata Mazumdar
the OpenSSL API because NSS uses 16 byte salt for encryption but the OpenSSL API expects 8 byte salt. -- Subrata Robert Relyea wrote: Subrata Mazumdar wrote: Nelson, thanks very much for the clear answer - I did not realize that the Mozilla NSS does not support PKCS#8. I also agree with you

Re: Unable to read PKCS#8 file generated using OpenSSL command line tool

2008-09-27 Thread Subrata Mazumdar
for private key and public key cert. Actually, the problem is even worse - some of the applications use unencrypted private key or OpenSSL specific encrypted PEM file (generated using 'openssl rsa' command). Any way, thanks once again. -- Subrata Nelson Bolyard wrote: Subrata Mazumdar wrote, On 2008-09

Unable to read PKCS#8 file generated using OpenSSL command line tool

2008-09-26 Thread Subrata Mazumdar
Hi, I am having problem in reading PKCS#8 file generated by OpenSSL command line tool (openssl pkcs8). OpenSSL supports a number of encryption algorithms with option v1 and v2 (http://www.openssl.org/docs/apps/pkcs8.html). I can only successfully read the PKCS#8 file generated using encryption

Re: X509 Client certificate - how to prompt user for Master Password

2008-09-25 Thread Subrata Mazumdar
for the cert so I can request a password from the user at that point? Any suggestions or snippets? Thanks! Will. On Sep 25, 5:17 am, Subrata Mazumdar [EMAIL PROTECTED] wrote: Hi Will, you can try as follows: var /* nsIPK11Token */ token = null; try { var

Re: How do I reset a password of slot for soft-token after removing the token

2008-09-10 Thread Subrata Mazumdar
initialization, I think that problem is with PSM. If I ignore the old-password field and only provide new password, everything works fine. Thanks once again for your help. -- Subrata Robert Relyea wrote: Subrata Mazumdar wrote: nsCOMPtr<nsIPK11Token> softToken; rv = pkcs11Slot->GetToken

Re: NSS equivalent of OpenSSL's EVP_CipherUpdate

2008-09-01 Thread Subrata Mazumdar
Hi, Apache XML Security C++ library (http://xml.apache.org/security/c/index.html) provides single C++ based cryptographic interface with multiple Crypto API (OpenSSL, NSS, MS-CAPI) based implementation. The Apache XML Security C++ library implements signing, encryption as well as decryption

Re: How I do find the client cert in browser of a cert-based mutually authenticated session?

2008-08-14 Thread Subrata Mazumdar
Thanks Nelson. Please see my in-line responses. Nelson Bolyard wrote: Subrata Mazumdar wrote, On 2008-08-12 20:30: I have a certificate based mutually authenticated session between the browser and a web server. I would like to find out the certificate used presented by the browser

How I do find the client cert in browser of a cert-based mutually authenticated session?

2008-08-12 Thread Subrata Mazumdar
Hi, I have a certificate based mutually authenticated session between the browser and a web server. I would like to find out the certificate used presented by the browser using a programmatic API. I can get the server certificate by clicking the icon at the status-bar window. How do I find out

How to export un-encrypted private key using NSS API for OpenSSL base apps

2008-07-12 Thread Subrata Mazumdar
Hi, I have created a self-signed cert using certutil. I want to export the associated private key in Mozilla Cert/Key DB as an un-encrypted private key to be used by an OpenSSL based App. The requirement is to use Mozilla NSS API to export the key - not OpenSSL API or OpenSSL command line

Re: NSS PKCS#11 and CAPI

2008-07-09 Thread Subrata Mazumdar
Hi Bob, here is my experience so far with the NSS PKCS#11 and CAPI. I tried out the NSS PKCS#11 DLL for CAPI with Firefox3 security device manager and I was able to load the DLL as PKCS#11 module. Last time (a few months ago) I tried with Firefox2 and it did not work. I was actually surprised

Re: Problem with loading security module in firefox..

2008-06-06 Thread Subrata Mazumdar
been stuck on this for more than 2 months.. Thanks, Akkshayaa Subrata Mazumdar wrote: Hi Akkshayaa, The Device Manager in Mozilla PSM registers the PKCS#11 module persistently with the browser's Module-DB. You might want to compare your code with Mozilla PSM Device Manager code

Re: Problem with loading security module in firefox..

2008-06-02 Thread Subrata Mazumdar
/resources/content/device_manager.js#459 http://lxr.mozilla.org/mozilla/source/security/manager/ssl/src/nsCrypto.cpp#3017 BTW, once PKCS#11 module is registered, browser will automatically load the module every time you open the browser. Your add-on need not load it. -- Subrata Mazumdar

Re: How do I find a certificate using SubjectPublicKeyInfo data?

2008-03-27 Thread Subrata Mazumdar
. -- Subrata Nelson Bolyard wrote: Robert Relyea wrote, On 2008-03-26 18:13: Subrata Mazumdar wrote: Hi, is there any way I can find the certificate associated with a public key using the SubjectPublicKeyInfo (CERTSubjectPublicKeyInfo)? I am looking for public API and not too low level. I

How do I find a certificate using SubjectPublicKeyInfo data?

2008-03-25 Thread Subrata Mazumdar
Hi, is there any way I can find the certificate associated with a public key using the SubjectPublicKeyInfo (CERTSubjectPublicKeyInfo)? I am looking for public API and not too low level. I looked in the .../nss/certdb/cert.h and .../nss/pk11wrap/pk11pub.h files - couldn't find anything

FF2 passed Signed XPI file fails verification in FF3

2008-03-05 Thread Subrata Mazumdar
HI, I have a signed XPI file that passes the signature verification during installation in FF2 but verification fails in FF3 (running on Fedora7 Linux). The signing certificate is signed by our own CA and the CA cert's trust flags are set to true. The XPI file is signed with NSS version of

Re: FF2 passed Signed XPI file fails verification in FF3

2008-03-05 Thread Subrata Mazumdar
Please ignore this message. I did not realize that I have imported the signing certificate and its trust bits were not set to true. -- Subrata Subrata Mazumdar wrote: HI, I have a signed XPI file that passes the signature verification during installation in FF2 but verification fails

Questions about NSS PKCS#11 module configuration

2008-02-28 Thread Subrata Mazumdar
Hi, I have two questions about configuration of PKCS#11 module in Firefox 3: - is there any documentation on how to configure MS CAPI as PKCS#11 module in Firefox 3 and certutil? - Also, is it possible to configure NSS softoken as PKCS#11 module (like we do in Java to access NSS) within

Re: window.crypto functions

2008-02-19 Thread Subrata Mazumdar
Eddy, I think that you can do it. Have you looked into nsIPK11Token interface (http://lxr.mozilla.org/mozilla1.8.0/source/security/manager/ssl/public/nsIPK11Token.idl) ? The nsIPK11Token interface would allow you to filter tokens based on a number of attributes and eventually you can

Re: Generation of key pair and CSR

2008-01-26 Thread Subrata Mazumdar
Michael Ströder wrote: Subrata Mazumdar wrote: There is a new version of KeyManager available that supports SeaMonkey. I'll give it a try. What I'm really missing are some simple functions like exporting a cert received in an e-mail S/MIME signature. Things that are really easy

Re: Generation of key pair and CSR

2008-01-24 Thread Subrata Mazumdar
Yes, it works on SeaMonkey, Thunderbird, Flock, and Sunbird . -- Subrata Michael Ströder wrote: Subrata Mazumdar wrote: try this add-on : https://addons.mozilla.org/en-US/firefox/addon/4471 Interesting. Does it also work with Seamonkey? Ciao, Michael

Re: Generation of key pair and CSR

2008-01-24 Thread Subrata Mazumdar
Robert Relyea wrote: I don't think neither the KEYGEN tag nor the window.crypto objects can be used to generate keys in tokens If yes...how can it be done I just wanted to start a new thread..for the same. If there is a token installed, Seamonkey/Firefox/Mozilla will

Re: Generate Certification Request in PKCS#10 format from Browsers based on Mozilla

2007-09-12 Thread Subrata Mazumdar
opinion it is quite difficult to use JSS directly from Javascript API (all those SecurityManager related problem shows up). That is why we have defined the XPCOM API for PKCS#10 in our extension. -- Subrata Subrata Mazumdar wrote: Giacomo, you can try our FF extension : https://addons.mozilla.org/en

Re: Getting cert pem format out of pkcs12?

2007-04-16 Thread Subrata Mazumdar
that format is. OpenSSL can work with PKCS#8 formatted key but it is not default format. -- Subrata Nelson Bolyard wrote: Subrata Mazumdar wrote: I could only extract the private key in PKCS#8 format not in the private key format expected by OpenSSL. Extract the private key from

Re: Getting cert pem format out of pkcs12?

2007-04-13 Thread Subrata Mazumdar
I also wanted to ask the same question. It would be really nice to have command line tool for mapping PKCS#12 to OpenSSL private key using NSS library. I could only extract the private key in PKCS#8 format not in the private key format expected by OpenSSL. BTW, unless the application

Re: Implementing XML-based security protocols in Firefox

2007-03-31 Thread Subrata Mazumdar
Hi Anders, Please take a look at the following extension: https://addons.mozilla.org/en-US/firefox/addon/4522 I have mentioned this extension in response to your comments on my KeyManager extension. It is my first effort in supporting XML based security protocols - XML based signature

Re: Announcement: Firefox Extension for Key Generation and Certificate Enrollment

2007-03-30 Thread Subrata Mazumdar
are not really keen on learning Mozilla-NSS command line utilities, such as certutil, pk12util, signtool etc., if you can use this extension to do the same tasks. It presents XUL based forms for various parameters. - Thanks, -- Subrata Subrata Mazumdar wrote: Hi, I would like to bring to your

Re: getting cred(pkcs12) out of mozilla?

2007-03-29 Thread Subrata Mazumdar
You can use the following method : void exportPKCS12File(in nsISupports aToken, in nsILocalFile aFile, in unsigned long count, [array, size_is(count)] in nsIX509Cert aCerts); of nsIX509CertDB interface to export the key-pair