On 01/26/2012 06:50 PM, weizhong qiang wrote:
hi,
On Jan 26, 2012, at 6:28 PM, Robert Relyea wrote:
On 01/26/2012 05:08 AM, weizhong qiang wrote:
hi,
Is there a fact that nss does not permit the reading of the attribute
CKA_PRIVATE_EXPONENT, CKA_PRIME_1, etc.?
Because with all of the eight
On Jan 26, 2012, at 6:57 PM, Robert Relyea wrote:
On 01/26/2012 07:55 AM, weizhong qiang wrote:
On Jan 26, 2012, at 4:44 PM, helpcrypto helpcrypto wrote:
AFAIK, returning or not the attributes from an object, depends on the token.
Everything I am operating is on the nss internal softoken
On 02/08/2012 04:20 PM, Brian Smith wrote:
However, I don't think we should reject Google's improvement here because it
isn't perfect. OCSP fetching is frankly a stupid idea, and AFAICT, we're all
doing it mostly because everybody else is doing it and we don't want to look
less secure. In the
On 02/23/2012 11:52 AM, Kai Engert wrote:
As soon as the certificate has been revoked, the domain owner is able
to obtain an OCSP response for the rogue certificate. The domain owner
could configure their server to include this OCSP response in all TLS
handshakes, even though this OCSP
On 03/01/2012 02:07 PM, Christopher Howard wrote:
Quick Firefox question here from one of your non-developer users: Say I
try to connect to a site over HTTPS, but I am presented with a This
Connection is Untrusted dialogue due to an invalid certificate
(self-signed, non-matching, etc.) If I make
On 03/10/2012 12:23 PM, VJ wrote:
Im porting all RSA encryption from the nss library.
Im a newbie, may I know where C_Encrypt function under
pk11_PubEncryptRaw() function is implemented.
Also, I would like to know if anyone has ever ported only RSA related
functions?
Regards,
Vejey
What do you
On 03/24/2012 03:05 PM, VJ wrote:
I'm trying to use RSA_HashCheckSign() function to verify the message.
How are you even Linking with RSA_HashCheckSign()? It's a completely
internal function to softoken. If you want verify an RSA signature you
can use PK11_Verify(), or better yet one of the
On 03/27/2012 01:00 AM, helpcrypto helpcrypto wrote:
Cough, cough...exit(CKR_OK) != return CKR_OK...cough, cough
Now cert8 is modified always (with or without our module).
Anyway, can someone tell me why cert8 is rewrited on each run/close?
Because that's how the old berkeley DB works. It's
On 04/04/2012 04:30 PM, Brian Smith wrote:
helpcrypto helpcrypto wrote:
IMHO, this is some that needs some clarification, as Mozilla *IS*
supporting it developing JSS but at the same time saying we do not
support it,
Some people who are part of the Mozilla project maintain JSS. I will help
On 04/04/2012 05:57 PM, Wan-Teh Chang wrote:
On Wed, Apr 4, 2012 at 4:39 PM, Brian Smithbsm...@mozilla.com wrote:
I don't know what platform JV is on, but I know on Mac OS X,
all the internal symbols in FreeBL and maybe other libraries
are exported. This is how the Firefox Sync developers got
On 04/30/2012 02:22 AM, VJ wrote:
Hi,
I've tested encryption, decryption, signing and verification with public
(NSSLOWKEYPublicKey) and private keys (NSSLOWKEYPrivateKey) in low level.
Big question, Why are you using private interfaces? The low level
interfaces are only for specific
On 05/01/2012 12:01 PM, VJ wrote:
On Tuesday, 1 May 2012 00:46:21 UTC+8, Robert Relyea wrote:
On 04/30/2012 02:22 AM, VJ wrote:
Hi,
I've tested encryption, decryption, signing and verification with public
(NSSLOWKEYPublicKey) and private keys (NSSLOWKEYPrivateKey) in low level.
Big question
On 06/04/2012 08:20 AM, David Dahl wrote:
- Original Message -
From: Denis Cormierdenis.r.corm...@gmail.com
To: dev-tech-crypto@lists.mozilla.org
Sent: Monday, June 4, 2012 9:10:34 AM
Subject: Firefox profile encryption
1. Assuming the user does not enter a master password, would
On 06/08/2012 01:06 PM, Denis Cormier wrote:
I plan on using a randomly generated 32-byte key provided by a trusted 3rd
party. I also plan on using a randomly generated 32-byte initialization
vector generated by NSS within Firefox (to use with the AES Chain Block
Cipher scheme).
So you are
I've gotten NSS to build and mostly run the tests for Android. There are
still a number of tests failing, so the work isn't all done, but it was
a good point to snapshot what I had.
I've stuck some very rough instructions on
https://wiki.mozilla.org/NSS:Android . I'm move them to
On 07/12/2012 03:20 AM, Sam Laidler wrote:
Hello, hope all is well.
I want to distribute NSS without the MS redistribution package. When I read the
following, I got the impression that it should be theoretically possible:
https://developer.mozilla.org/en/USE_STATIC_LIBS
USE_STATIC_LIBS
So what I actually want is
- To fix the API to the NSS system database so it isn't insane.
Do you have any suggestions on how the API would be changes. One thing=20
I'm always fighting is providing an API for apps without breaking=20
existing apps.
Well, *not* having to grub around for
On 07/27/2012 10:25 AM, David Woodhouse wrote:
On Fri, 2012-07-27 at 10:08 -0700, Robert Relyea wrote:
Oh, so you switch between sql:/etc/pki/nssdb and sql:$HOME/.pki/nssdb=20
depending on whether libnsssysinit.so exists.
It's worse than that. It's not just whether libnsssysinit.so *exists
On 07/24/2012 11:19 AM, Vasantharangan, Shruthi M. wrote:
Hi,
We require a random number generator that's FIPS2 complaint on RedHat Linux
5.6.
In the linux rpm for NSS nss-3.12.8-1.el5. I find random generation api's in
pkcs11f.h.
If I use them can I be sure that the random data
On 07/25/2012 02:00 PM, Vasantharangan, Shruthi M. wrote:
HI,
I am using the NSS Cryptographic Module document to use the random number
generator for FIPS2 random number. If I use the FC_GetFunctionList fpr
PK11_GenerateRandom and initialise with slotid as 0, then is the Mode set to
On 07/25/2012 02:32 PM, Vasantharangan, Shruthi M. wrote:
Hi,
How can run drbg test vectors provided by NIST to validate the response of
the random output for the various algorithms on NSS.
Rgds
Shruthi
Softoken 3.11.4 uses the DSA RNG and not the DRBG (that would be RHEL 6
and Softoken
+svasantharangan=idirect@lists.mozilla.org]
On Behalf Of Robert Relyea
Sent: Friday, 27 July, 2012 3:25 PM
To: dev-tech-crypto@lists.mozilla.org
Subject: Re: RandomNumberGenerator that is FIPS2complaint
On 07/25/2012 02:32 PM, Vasantharangan, Shruthi M. wrote:
Hi,
How can run drbg test vectors provided
On 08/26/2012 06:20 PM, Vasantharangan, Shruthi M. wrote:
Apologize. Bug number is 695571.
https://bugzilla.mozilla.org/show_bug.cgi?id=695571
Thanks
Shruthi
-Original Message-
From: Kai Engert [mailto:k...@kuix.de]
Sent: Saturday, 25 August, 2012 5:05 AM
To: mozilla's crypto code
On 10/02/2012 05:42 PM, Wan-Teh Chang wrote:
On Tue, Oct 2, 2012 at 7:45 PM, Michael Demeter
michael.deme...@intel.com wrote:
Continuation would then be to eliminate any unnecessary work being
done to increase the randomness..Since the HW generated values
can be used directly. This could help
On 10/06/2012 03:34 AM, tehhzstar wrote:
Hi,
Currently, are there any code samples available that uses
PK11_SetSymKeyUserData, PK11_GetSymKeyUserData? I am trying to store
information relating to PK11SymKey:
- Start Date of when the keys were created
- End Date of when the keys will expire
On 11/27/2012 06:11 AM, Brian Teh wrote:
Hi,
Here is the posting of partial Makefile:
# Change this to point at Thunderbird source's directory.
THUNDERBIRD_SOURCE ?= $(HOME)/comm-beta18.0-hg/src
PYTHON_PATH?= $(THUNDERBIRD_SOURCE)/mozilla/config/pythonpath.py
XPIDL_HEADER ?=
On 01/13/2013 02:51 AM, Sergey Emantayev wrote:
Hi all,
We are using NSS 3.12.5 in our security project. I'm interested in applying the
fix of CVE-2011-3389 in this version. Due to the project requirement we are
obligated to use a FIPS certified NSS module so we cannot move to NSS 3.13
there
- Original Message -
Hello,
I am using NSS 3.12.6. I am trying to add different certs (with
slightly) different nickname in my db using certutil. However I
found, that certutil adds them with the same nick name. I have about
130 certificates in database and it is happening on at
- Original Message -
On Tue, 2013-02-26 at 17:05 -0500, Robert Relyea wrote:
Whether or not ECC works is a function of the version of NSS you
have.
If built by Mozilla, ECC works for signature verification and
client
auth out of the box. The NSS built by red hat will not do
On 02/27/2013 06:26 AM, marathi...@gmail.com wrote:
On Monday, February 25, 2013 1:44:15 PM UTC-5, Robert Relyea wrote:
- Original Message -
Hello,
I am using NSS 3.12.6. I am trying to add different certs (with
slightly) different nickname in my db using certutil. However I
found
On 03/23/2013 12:00 AM, Sachin Shetty wrote:
Hi,
We are using Apache HttpClient to download files from remote server, the files
are encrypted, so we wrap a CipherOutputStream around the InputStream returned
from HttpClient.
While doing this, we always see this error this error the first time
On 04/15/2013 02:34 PM, Matt Yakel wrote:
Hi all, Is the certutil a linux tool only? I am needing to deploy
Local Security Certs to our work network (windows).
No, it can be built for pretty much any NSS supported platform. We use
it as part of the NSS tests. However, I know of no one who is
On 04/17/2013 06:28 PM, Bharath wrote:
Hi ,
We were planning on using the nss drbg model for validating the HASH_DRBG
implementation inside (nss-3.14.3/mozilla/security/nss/cmd/fipstest) .
The fipstest.c needs updating for FIPS SP800-90A testing to validate drbg .
Please refer to the
On 04/17/2013 06:38 PM, bratchan...@gmail.com wrote:
Hi,
The fipstest.c does not seem to support the scenario with prediction resistance
= true . The case statement for function drbg has to change if prediction
resistance is true and also the NIST request file has an additional parameter
On 04/22/2013 04:16 PM, bratchan...@gmail.com wrote:
I may have the required fipstest changes on the NSS 3.12.9.1 branch in
CVS. Your best best is to write a bug and attach a patch to it, and
request me to review it. That will put it on a list that will eventually
get my attention.
bob
On 04/30/2013 02:28 PM, Brian Smith wrote:
Hi all,
I propose we remove the Revocation Lists feature (Options - Advanced -
Revocation Lists). Are there any objections? If so, please explain your objection.
Let me check with our group that works with the DoD. My guess is it's
probably OK. I
On 05/01/2013 03:07 PM, Sean Leonard wrote:
Please, do not remove this important feature.
On 4/30/2013 2:28 PM, Brian Smith wrote:
Hi all,
I propose we remove the Revocation Lists feature (Options -
Advanced - Revocation Lists). Are there any objections? If so,
please explain your
On 05/01/2013 08:40 PM, Brian Smith wrote:
Robert Relyea wrote:
Brian, I was under the impression you wanted to remove the CRL
autofetching feature (where you enter a URL and a fetching time and
the CRL will automatically be fetched). When I looked at the UI, it
looked like it had both the URL
On 05/02/2013 02:02 PM, Brian Smith wrote:
Robert Relyea wrote:
Oh, in that case I can say we have customers that definately need to
use CRLs that have been loaded and stored in the database.
To be clear, I don't know of any reason to consider the processing
of already-loaded CRLs
On 05/09/2013 03:47 PM, Brian Smith wrote:
Robert Relyea wrote:
On 05/02/2013 02:02 PM, Brian Smith wrote:
So are you actually going to ship a different version of NSS with the
default Firefox, or are you going to create a switch that changes the
behavior of NSS with respect to stored CRLs
On 06/10/2013 02:50 PM, Gregory Szorc wrote:
- Original Message -
From: Gregory Szorc g...@mozilla.com
To: Christopher Howard cmhowa...@alaska.edu
Cc: Mozilla Dev Builds dev-bui...@lists.mozilla.org, Brian
Smith bsm...@mozilla.com
Sent: Monday, June 10, 2013 6:32:14 AM
Subject: Re: No
On 06/17/2013 10:58 AM, Chris Newman wrote:
I'll mention one other usability issue. I am getting pressure from my
employer to stop using NSS due to the MPL 2 license. I got less
pressure when I could use NSS under the LGPL 2.1 branch of the
tri-license. Switching to OpenSSL has been suggested.
On 06/20/2013 02:56 PM, Rodney Simioni wrote:
I'm trying to setup LDAP/SSL/TLS. Somebody told me that PKCS is a moznss
issue and I should ask this question with you guys and not the openssl
group.
What OS are you running? I does look like you are using NSS..
TLS: certdb config:
ldap_start_tls: Connect error (-11)
additional info: TLS error -8172:Peer's certificate issuer
has been marked as not trusted by the user.
This means that the given cert wasn't signed by any trusted certificate.
[[Rod's comment]] Can I sign it by using the CA I downloaded from
On 06/21/2013 08:13 AM, John Dennis wrote:
On 06/20/2013 01:20 PM, Johan Dahlin wrote:
[Sorry if this appears twice, the first copy got stuck in the moderation queue]
I'm investigating the use of smart card readers for my application[1],
which is also free software.
As part of the brazilian
Third, you may need to hook the client_auth_callback as John describes
below. If your server sends the list of trusted CA's in it's client
auth request, then the default client_auth_callback should be able to
find the cert on your smartcard without requiring the use of any
special hooks,
On 07/01/2013 03:53 AM, Stefan Scheidewig wrote:
Hello,
I added a smart card PKCS#11 module to my certdb (without specifying
any mechanisms) and I am able to list the certificates as well as the
keys within the sole token of this smart card. Within the program I am
able to login to the
On 05/30/2013 01:45 PM, prax.xyzc...@gmail.com wrote:
Platform/OS: CentOS release 6.3 (Final)
Linux x 2.6.32-279.el6.x86_64 #1 SMP Fri Jun 22 12:19:21 UTC 2012 x86_64
x86_64 x86_64 GNU/LinuxLinux
NSS Version:
nss.x86_643.13.3-6.el6
nss-softokn.x86_64
On 07/08/2013 12:00 PM, Rick Andrews wrote:
I need to remove some 1024-bit roots from Firefox’s trust store, but I realize
that these trusted roots are part of the NSS library, and that the NSS library
is used by lots of other software, not just Firefox. Removing these roots may
have
On 07/24/2013 10:55 AM, David Widen wrote:
Hi,
I'm trying to generate a certificate for an RSA key and then put it onto a
smart card using NSS. I can successfully generate the RSA key and a
self-signed certificate as well as putting that certificate on the card.
However, I am unable to
On 07/29/2013 06:00 PM, John wrote:
Hi,
Is is possible to import a symmetric key such that it is persisted in the
database?
Short answer: use PK11_ImportSymKeyWithFlags().
Set flags=0, and isPerm to PR_TRUE.
Longer answer:
NOTE: neither PK11_ImportSymKey() nor PK11_ImportSymKeyWithFlags()
On 07/30/2013 02:58 PM, hv wrote:
Hi,
I was not able to open NSS on FF android. Is NSS available on FireFox on
Android?
I tried the follwing:
var ds = Services.dirsvc.get(GreD, Components.interfaces.nsILocalFile);
var libName = ctypes.libraryName(nss3);
ds.append(libName);
var nsslib =
On 07/30/2013 04:27 PM, Brian Smith wrote:
See
https://mxr.mozilla.org/mozilla-central/source/services/crypto/modules/WeaveCrypto.js#123
and https://bugzilla.mozilla.org/show_bug.cgi?id=583209
and https://bugzilla.mozilla.org/show_bug.cgi?id=648407
Oh, I didn't get that it was a call from
On 07/30/2013 05:34 PM, John wrote:
Thank you.
FIPS is not enabled so PK11_ImportSymKeyWithFlags() works for me. However
I'm unable to export the imported key using PK11_ExtractKeyValue() and
PK11_GetKeyData(). I suspect this is by design - keys are protected from
being exported?
keys that are
On 07/30/2013 06:37 PM, John wrote:
At this point I usually ask, what is it you are trying to do? usually
when I see someone trying to import or export keyblobs, they are coding
at the wrong level and we should be pushing more of whatever protocol
you are running into NSS.
I'm developing a One
On 08/06/2013 09:41 AM, epva...@gmail.com wrote:
I am using the NSS certutil.exe app command line to add a self-signed certificate to Firefox. Using the command line I'm able to
get my certificate to show up in the Certificate Manager under the Authorities and Others tabs. I have
even gotten
On 08/07/2013 10:31 AM, james.burt...@btconnect.com wrote:
I software i want to download is the NSS version 1.2
Really? Do you mean NSS used in Firefox 1.2?
NSS 1.2 wasn't even called NSS at the time, and was never released as
open source. I think NSS 3.0 or 3.2 was the first open source
On 08/07/2013 10:38 PM, Augustin Wolf wrote:
Hi List,
I have a Centos 6.4, fresh install, and I'm trying to configure
OpenLDAP with moznss. For now, self signed certificate is sufficient
for my needs. But when I try to search using secure connection (-Z
option), I got error:
ldap_start_tls:
On 08/09/2013 02:57 AM, Gervase Markham wrote:
Can an NSS hacker please tell me, in the fashion of the attempt by the
IE representative below, what types of certificate NSS accepts for
making SSL connections? What features must the cert or chain have or not
have?
Or, if this is a PSM question,
On 08/09/2013 10:12 AM, Brian Smith wrote:
On Fri, Aug 9, 2013 at 3:27 AM, Gervase Markham g...@mozilla.org wrote:
* Can you provide some background or references on exactly how
ciphersuite construction and choice works? Can I invent e.g.
TLS_DHE_ECDSA_WITH_AES_128_MD5 or some other random
On 08/14/2013 10:45 AM, Daniel Jackoway wrote:
Hi all,
With the guidance of Trevor Perrin (cc-ed), I have put together the beginnings
of a patch to allow clients of the NSS library to implement support for
arbitrary TLS extensions. The motivation is to allow clients of NSS to
implement new
On 08/15/2013 03:21 AM, Gervase Markham wrote:
On 15/08/13 01:19, Robert Relyea wrote:
On 08/09/2013 02:57 AM, Gervase Markham wrote:
Can an NSS hacker please tell me, in the fashion of the attempt by the
IE representative below, what types of certificate NSS accepts for
making SSL connections
Time_Stamp == EKU_Time_Stamp // 597-601
Technically this is EXT_KEY_USAGE_TIME_STAMP || EKU_TIME_STAMP.
What is the difference between these two? Looking at the wording, they
seem identical - EKU stands for EXT_KEY_USAGE...
One is the bit set in the Netscape
On 08/19/2013 11:06 AM, Kurt Roeckx wrote:
On 08/09/2013 04:30 AM, Brian Smith wrote:
Please see https://briansmith.org/browser-ciphersuites-01.html
First, this is a proposal to change the set of sequence of ciphersuites
that Firefox offers.
So I think there are a whole bunch of things
On 08/16/2013 03:05 PM, Wan-Teh Chang wrote:
On Fri, Aug 16, 2013 at 11:13 AM, Camilo Viecco cvie...@mozilla.com wrote:
Hello Brian
I think this proposal has 3 sections.
1. Unifing SSL behavior on browsers.
2. Altering the criteria for cipher suite selection in Firefox (actually
NSS)
3.
On 08/23/2013 02:03 AM, Gervase Markham wrote:
On 22/08/13 19:21, Robert Relyea wrote:
The attack profile protection of PFS versus non-PFS is basically two points:
1) some government agency could force a server to give up it's private
keys and decrypt all the traffic sent to that server
On 08/26/2013 02:24 PM, Brian Smith wrote:
On Thu, Aug 22, 2013 at 11:21 AM, Robert Relyea rrel...@redhat.com wrote:
So looking at this list, I think we have a major inconsistency.
We put Ephemeral over non-ephemeral, but we put 128 over 256.
While I'm OK with Ephemeral (PFS) over non
On 09/11/2013 05:52 PM, Kyle Hamilton wrote:
Elio,
Thanks for responding.
IBM Notes reports that the path is invalid. Is there a requirement that
softokn3.chk be in the current working directory?
-Kyle H
softokn3.chk should be in the same directory as softoken. Softoken
asked the OS
On 09/27/2013 05:01 PM, Ryan Sleevi wrote:
On Fri, September 27, 2013 4:09 pm, Eddy Nigg wrote:
On 09/28/2013 01:59 AM, From Ryan Sleevi:
If your site requires a client certificate, and you know that a client
certificate is stored in a smart card, then you also know that when
using
On 09/28/2013 12:17 PM, Brian Smith wrote:
On Sat, Sep 28, 2013 at 7:52 AM, Sean Leonard dev+mozi...@seantek.com wrote:
On 9/27/2013 5:51 PM, Robert Relyea wrote:
I don't have a problem with going for an industry standard way of doing
all of these things, but it's certainly pretty presumptuous
On 10/04/2013 06:52 PM, Ludovic Hirlimann wrote:
Hi,
AFAIK NSS still contains code for SSL2 , but no product uses it. SSL2
has been turned off at least 2 years ago. By removing SSL2 code we get :
Smaller librarie
faster compile time + test time
What do you guys think ?
Ludo
On 10/07/2013 11:19 AM, Ryan Sleevi wrote:
On Mon, October 7, 2013 11:07 am, Robert Relyea wrote:
On 10/04/2013 06:52 PM, Ludovic Hirlimann wrote:
Hi,
AFAIK NSS still contains code for SSL2 , but no product uses it. SSL2
has been turned off at least 2 years ago. By removing SSL2 code we get
On 10/07/2013 12:01 PM, Kurt Roeckx wrote:
On Mon, Oct 07, 2013 at 11:17:46AM -0700, Brian Smith wrote:
On Fri, Oct 4, 2013 at 6:52 PM, Ludovic Hirlimann
ludovic+n...@mozilla.com wrote:
Hi,
AFAIK NSS still contains code for SSL2 , but no product uses it. SSL2
has been turned off at least 2
On 10/07/2013 12:44 PM, Wan-Teh Chang wrote:
On Mon, Oct 7, 2013 at 11:17 AM, Brian Smith br...@briansmith.org wrote:
I think it is likely that some vendors of NSS-based products with very
conservative backward-compatibility guarantees, like Oracle and maybe
Red Hat, may need to continue
On 11/01/2013 01:43 AM, Brian Smith wrote:
On Fri, Nov 1, 2013 at 1:28 AM, Jeff Hodges j...@somethingsimilar.com wrote:
/* New non-experimental openly spec'ed versions of those cipher suites. */
#define SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA 0xfeff
#define SSL_RSA_FIPS_WITH_DES_CBC_SHA
On 11/18/2013 07:00 AM, Gervase Markham wrote:
Hi everyone,
Following Microsoft's announcement re: SHA-1, some CAs are asking
browser and OS vendors about the ubiquity of SHA-256 support. It would
be a help to them if we could say:
- Which version of NSS first supported SHA-256
I quick look
actually supports (since XP SP3).
My evaluation on when we supported SHA-2 covers all 3 hash functions.
On 19/11/13 02:20, Robert Relyea wrote:
I think it's safe to say if your NSS ap is newer than a decade old, you
have SHA-2 support. The one caveat is that SHA-224 support was added
much later
On 11/19/2013 10:40 AM, Wan-Teh Chang wrote:
Bob's answer is accurate.
Note that CAs are more interested in SHA-2 based signature support
rather than plain SHA-2 support. So another way to track down the NSS
version is to look at the CVS history of the secvfy.c file:
On 03/03/2014 04:31 AM, Raad Bahmani wrote:
Hello together,
I need to implement a PKCS11-library which simulates a smart-card and
responds to login attempts with SSL certificates.
I have found out that SSL needs the following mechanisms, so the
C_GetMechanismList of my library specifies
On 03/04/2014 03:54 PM, Julien Pierre wrote:
Did anyone ever write a script that measures the performance of all
the low-level algorithms in freebl, and collects the data in a way
that's easy to compare ? This would probably be using bltest.
This is for the purpose of evaluating different
On 03/05/2014 01:21 AM, Raad Bahmani wrote:
Hello Robert,
thank your for your answer !
3) Which algorithm is used for login with SSL ?
I'm not sure what you mean by 'login with SSL'. Do
On 03/10/2014 08:50 PM, Dave wrote:
I'm having trouble initializing the nss soft token when linking against it
directly. The function _NSSUTIL_EvaluateConfigDir (utilpars.c) is
segfaulting when passing the following initialization arguments to
C_Initialize:
CK_CHAR * configString =
On 03/13/2014 05:12 AM, Leon Brits wrote:
Robert,
Attached is a log of the backtrace when I try to use Thunderbird to decrypt
an email. As you can see in the log it reaches C_DecryptUpdate(), but then
asserts at cmscipher.c:452.
I don't see the attachment? did you forget or did the mailing
On 03/18/2014 04:29 AM, Leon Brits wrote:
Robert,
Thanks for your help. This discussion has helped me to find the error in our
padding implementation for symmetric ciphers using OpenSSL which defaults to
always pad.
Encryption and decryption via thunderbird now works just fine.
go ahead
On 04/08/2014 06:31 AM, Alan Braggins wrote:
On 08/04/14 13:11, Jean-Marc Desperrier wrote:
Ryan Sleevi a écrit :
reliance on PKCS#11 means that there are non-trivial overheads when
doing something as simple as hashing with SHA-1. For something
that is
such a simple transformation, multiple
On 05/30/2014 07:47 AM, Jonathan Schulze-Hewett wrote:
To whom it may concern,
I have a PKCS#11 device that supports ECC operations. In particular
C_GetMechanismList includes the following items:
CKM_ECDH1_DERIVE
CKM_ECDH1_COFACTOR_DERIVE
CKM_EC_KEY_PAIR_GEN
CKM_ECDSA
The module is
On 06/10/2014 09:47 AM, Kurt Roeckx wrote:
On Mon, Jun 09, 2014 at 04:27:56PM -0700, Rick Andrews wrote:
AFAIK, Symantec and other CAs have added ECC roots to Mozilla's root store
using NIST curves. Are any other ECC curves supported by Mozilla, in case
one wanted to use a different curve?
On 07/10/2014 01:53 PM, ramahmoo wrote:
Thanks,i would ready the documentation.
Can i extend/modify the NSS internal pkcs#11 source (softokn3.dll source) to
achieve my requirement?
It's probably not a good idea to try to create your own softokn3.dll to
replace the mozilla one, you will be
On 07/16/2014 07:31 AM, Jonathan Schulze-Hewett wrote:
Does having this enabled violate the FIPS 140 requirements on exposing key
materials in the clear?
No, because the key logging fails if you are in FIPS mode (It used the
PK11_ExtractKeyValue() to get the key, which will return an error
On 07/15/2014 08:05 PM, Chuck Lee wrote:
Yes, but it doesn't work because it also calls
PK11_ExportPrivKeyInfo() to get the RSA private key info.
Now I am trying to decrypt key exported by
PK11_ExportEncryptedPrivKeyInfo() with method
SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4
On 07/21/2014 05:48 AM, ramahmoo wrote:
Hi,
I am trying to add the newly built softtoken dll using the following command
modutil -add Softoken -mechanisms RSA:DSA:RC4:DES -libfile
C:\nss-3.16.1\dist\WIN954.0_OPT.OBJ\lib\softokn3.dll -dbdir c:\nssdb
But i am getting the following error
ERROR:
On 08/04/2014 05:43 AM, Andrey Askerko wrote:
I want to add support of local cryptography algorithm into firefox. And I want
to ask some questions:
1) I must modify only NSS module, or some firefox functions/definitions too?
2) Where I can find some manual, how I can add algorithm into NSS and
On 09/25/2014 04:22 AM, Sunil Raj wrote:
Hi, Even I am facing the same issue. Were u able to find the problem?
Java is trying to do something that isn't allowed in FIPS mode. It's
trying to import a key in the clear. It should instead generate the key
inside the token rather than import it.
On 09/28/2014 03:09 PM, Eric Rescorla wrote:
Eventually, but it's not a very high priority. Is there some reason you
can't use AES-128?
Actually the issue is ths SHA384. We need to implement the new PKCS #11
spec to TLS key derive in softoken first.
bob
-Ekr
On Mon, Sep 22, 2014 at 4:49
On 11/06/2014 03:12 PM, Mike Gerow wrote:
Apologies if a dupe of this shows up. I had posted my last question
without _properly_ subscribing to list and so it is stuck in some kind
of moderator queue.
I'm trying to add the opencryptoki PKCS#11 module to Chrome/Firefox's
nssdb, and it seems to
On 11/06/2014 04:08 PM, Mike Gerow wrote:
Thanks for the quick reply! I can see how caching the PIN would have
its issues, but I'm not interested in having NSS ask for the PIN once
and save it, but in configuring it to just use a provided PIN in the
first place.
Still has the same issue, if you
On 11/11/2014 12:32 PM, Ryan Sleevi wrote:
On Tue, November 11, 2014 10:26 am, Nicholas Nethercote wrote:
On Mon, Nov 10, 2014 at 7:06 PM, Ryan Sleevi
ryan-mozdevtechcry...@sleevi.com wrote:
Not to be a pain and discourage someone from hacking on NSS
My patches are in the following
On 12/04/2014 03:31 AM, David Woodhouse wrote:
You say that this shouldn't be necessary (and probably a bug), just to
clarify things for me, do you mean that,
1 ) adding the libnssckbi.so to shouldn't be necessary since it should
already be there from the beginning, and that the bug is that
On 12/04/2014 02:00 PM, David Woodhouse wrote:
On Thu, 2014-12-04 at 10:33 -0800, Robert Relyea wrote:
That one. libnssckbi.so is what provides the default trust roots. It's
*always* supposed to be loaded in an NSS system. You shouldn't need to
add it manually. I don't.
Huh? that is not true
On 12/08/2014 05:05 AM, David Woodhouse wrote:
On Mon, 2014-12-08 at 10:15 +, Martinsson Patrik wrote:
So, to summarize,
$ sudo update-alternatives --install /usr/lib64/libnssckbi.so
libnssckbi.so.x86_64 /usr/lib64/p11-kit-proxy.so 1000
$ cat /etc/pki/nssdb/pkcs11.txt
301 - 400 of 458 matches
Mail list logo