Change of list owner/moderator

2013-02-08 Thread Nelson B Bolyard
Dear dev-tech-crypto readers: Today I have given up the position of list owner and moderator for the dev-tech-crypto mailing list and mozilla.dev.tech.crypto news group, a position I have held since the list was formed over 10 years ago. The new owner/moderator is Kai Engert. Please join me in

Re: NSS 3.12.5.0: Error '-8152' (SEC_ERROR_INVALID_KEY) when connecting to ssl-enabled servers

2012-05-25 Thread Nelson B Bolyard
On 2012/05/21 05:21 PDT, Bernhard Thalmayr wrote: Hi Wan-Teh, Nelson, could it be that this error is also raised by the client if the client can not 'participate' in ssl client-auth? Unfortunately I only got a text-output of 'ssldump', not sure if this is would be helpful. [snip] The

Re: NSS 3.12.5.0: Error '-8152' (SEC_ERROR_INVALID_KEY) when connecting to ssl-enabled servers

2012-05-08 Thread Nelson B Bolyard
On 2012/05/08 04:53 PDT, Bernhard Thalmayr wrote: Hi experts, an OpenAM community member is using OpenAM policy agent to connect to an ssl-secured server. The policy agent uses NSPR 4.8.2, NSS 3.12.5.0 optimized build for Linux (RHEL) 64bit. If the agent tries to open a connection to

Re: The PKCS #12 operation failed for unknown reasons

2012-02-27 Thread Nelson B Bolyard
On 2012/02/27 09:47 PDT, VictorMiller wrote: On Feb 24, 7:57 pm, Nelson B Bolyard nel...@bolyard.me wrote: On 2012/02/24 07:26 PDT, VictorMiller wrote: I have a new PKI certificate as a .p12 file which I want to import into firefox and thunderbird on a RedHat system. However, every time I

Re: The PKCS #12 operation failed for unknown reasons

2012-02-24 Thread Nelson B Bolyard
On 2012/02/24 07:26 PDT, VictorMiller wrote: I have a new PKI certificate as a .p12 file which I want to import into firefox and thunderbird on a RedHat system. However, every time I try an import I get the above error message. If I log onto an MS Windows machine I can get IE to import it

Re: Google about to fix the CRL download mechanism in Chrome

2012-02-08 Thread Nelson B Bolyard
On 2012/02/08 12:57 PDT, Kai Engert wrote: My criticism: [snip] Won't the set of CRLs be too big for download? [snip] This is my question as well. Will they really include the CRLs from all of mozilla's trusted CAs? Won't the union of all those CRLs be huge, even if they strip off certain

Re: Explicitly distrusted certificates in certdata.txt (NSS built-in root CA certificate list)

2011-10-10 Thread Nelson B Bolyard
On 2011/10/10 12:16 PDT, Wan-Teh Chang wrote: [...] The certdata.txt file in the NSS source tree (http://mxr.mozilla.org/security/source/security/nss/lib/ckfw/builtins/certdata.txt) is the master source of the NSS built-in trusted root CA list, so people have written scripts to extract the

Re: Question about pathlen extension checked

2011-09-19 Thread Nelson B Bolyard
On 2011/09/18 03:15 PDT, Ralph Holz (TUM) wrote: does NSS check the pathlength extension in an issuing certificate? I am particularly wondering if pathlen:0 is honoured. Yes and Yes. NSS 3.12 claims compliance with RFC 3280. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org

Re: JSS SSLSocket problems choosing Client Certificates

2011-09-19 Thread Nelson B Bolyard
On 2011/09/07 09:38 PDT, praspa wrote: I'm trying to make two separate HTTPS requests to a remote host using two client sockets and two different client certificates respectively (client cert A and B). [...] From my host, I'm able to make two connections on two different sockets to the

Re: Protecting PRNG against malicious users / multiple independent PRNG states

2011-08-01 Thread Nelson B Bolyard
On 2011-07-26 13:30 PDT, Brian Smith wrote: Mozilla would like to expose a secure PRNG (basically, a wrapper around PK11_GenerateRandom) to JavaScript content: https://bugzilla.mozilla.org/show_bug.cgi?id=440046 There is some agreement that we should maintain separate PRNG state for each

Re: undefined reference to `PK11_CopyToSlot'

2011-06-11 Thread Nelson B Bolyard
On 2011-06-10 16:43 PDT, Crypto User wrote: On May 25, 11:33 am, Crypto User cryptou...@gmail.com wrote: Hi , I am trying to use this method to move my symmetric key to the key for wrapping. when I use this method , I get undefined reference to `PK11_CopyToSlot' collect2: ld returned 1

Re: S/MIME Encryption Certificate without email address

2011-03-22 Thread Nelson B Bolyard
On 2011/03/22 02:23 PDT, silent...@gmail.com wrote: Well, the reasons are at least obvious to us :) - the card is supposed to be in use for least 5 years. Card owners (Health Care Providers in our case) should be able to use various email providers for exchanging medical reports. Nothing

Re: S/MIME Encryption Certificate without email address

2011-03-20 Thread Nelson B Bolyard
On 2011/03/17 02:41 PDT, silent...@gmail.com wrote: It seems that Thunderbird refuses to use X.509 certificates for S/MIME encryption when these certificates do not contain email address of the subject. We want to use S/MIME with keys stored on smart cards and certificates distributed via

Re: Root certificate authorities

2011-03-05 Thread Nelson B Bolyard
Brian Smith wrote: Ritmo2k wrote: Anyone know if its possible to configure Firefox to implicitly trust all certificate authorities installed in the Windows Trusted Root Certification Authorities Store? Firefox does not support this yet. See:

Re: problem with the certificate name in Firefox

2011-02-25 Thread Nelson B Bolyard
On 2011/02/24 12:08 PDT, Datar, Raju wrote: Hi all: There are two very different issues in Firefox. If some kind person can reply with some information, that would be highly appreciated. ISSUE 1: The certificate name in the display is a hex value. We use client side certificate for

Re: certutil -D corrupting NSS database...

2011-02-12 Thread Nelson B Bolyard
On 2011-01-25 13:07 PDT, Michael H. Warfield wrote: [...] Instead of having a cert in the database with the name I specified in creating the .p12 file, I ended up with a cert in the database with the name of the E-Mail address in the cert. Not sure where that problem is (openssl or the

Re: TLS server keys in DNS: client policy proposal

2011-02-05 Thread Nelson B Bolyard
On 2011-02-01 07:57 PDT, Zack Weinberg wrote: I've been following the mailing list for the IETF's keyassure working group, which plans to standardize a mechanism for putting application-layer server keys (or their hashes) in DNS, certified by DNSSEC. TLS/SSL is the first target, and of

Re: TLS server keys in DNS: client policy proposal

2011-02-05 Thread Nelson B Bolyard
On 2011-02-05 13:28 PDT, Zack Weinberg wrote: On 2011-02-05 1:13 PM, Nelson B Bolyard wrote: Zack, thanks for bringing this to this list/group. I think many of us were caught by surprise by it, because it is a browser policy proposal rather than a technical discussion of the protocols

Re: FireFox v3.0.1 of Windows uses SSLv2 Record Layer even when SSLv2 is disabled

2011-01-30 Thread Nelson B Bolyard
On 2011-01-27 09:00 PDT, volkerk wrote: I am having the same problem with Firefox 3.0.15, which is suddenly unable to contact our Peoplesoft server and gets the no cypher error. After capturing the packet exchange with Wireshark, I found out the same as Suresh here - Firefox 3.0.15 (Windows)

Re: S/MIME encrypted e-mails

2011-01-30 Thread Nelson B Bolyard
On 2011-01-29 06:41 PDT, Matej Kurpel wrote: Hello, as far as I know, Thunderbird sends encrypted e-mails as an attachment named smime.p7m. Can anybody let me briefly know what this file contains? Yes, it contains a message in the Cryptographic Message Syntax (CMS). CMS is NOT SIMPLE. To

Re: S/MIME encrypted e-mails

2011-01-30 Thread Nelson B Bolyard
On 2011-01-30 02:30 PDT, Matej Kurpel wrote: On 30. 1. 2011 10:57, Nelson B Bolyard wrote: Yes, the P7M holds all those encrypted copies of the key that encrypts the main message, and of course, the ciphertext produced with that key, And cert chains, and capabilities, and ... it's like bread

Re: Encoding and comparing certificates with NSS

2011-01-30 Thread Nelson B Bolyard
On 2011-01-29 06:06 PDT, Ambroz Bizjak wrote: Hello. I have a problem with NSS. Here's what I'm trying to achieve: [ If I may paraphrase, system C sends a cert to systems A and B. ] [ A forwards its copy to B. B must compare the two copies. ] Here's how I encoded the certificate (on

Re: certutil -D corrupting NSS database...

2011-01-30 Thread Nelson B Bolyard
Michael, Can you make available to me the cert8.db file and the nokey p12 files exactly as they were before you did the fateful certutil -D step? If so, I'm interested in trying to track this down. I have a test for you to try that *MAY* (or may not) prove to be a solution for you. I believe

Re: FireFox v3.0.1 of Windows uses SSLv2 Record Layer even when SSLv2 is disabled

2011-01-30 Thread Nelson B Bolyard
On 2011-01-30 11:48 PDT, Wan-Teh Chang wrote: On Sun, Jan 30, 2011 at 1:32 AM, Nelson B Bolyard nel...@bolyard.me wrote: Firefox doesn't send TLS client hellos to servers that fail to complete ANY handshake with ANY version of SSL or TLS some number of times in a row when it has tried sending

Re: Force usage of a certificate for client authentication

2011-01-27 Thread Nelson B Bolyard
With my newsgroup/mailing list moderator hat on, I write: PLEASE DO NOT reply to this list by multiple addresses. Please reply to no more than one of the following addresses: mozilla-dev-tech-cry...@lists.mozilla.org dev-tech-crypto@lists.mozilla.org

Re: Firefox PSM locks NSS

2011-01-13 Thread Nelson B Bolyard
On 2011-01-13 03:58 PDT, Irune Prado Alberdi wrote: I've tried the same test with Chromium and it worked correctly as Wan-Teh said. The database does not get locked. [snip] I had to activate the FRIENDLY flag in order Chrome to correctly obtain the smartcard's certificate. I'm new to Chrome

Re: Where to get 'modlogger.pl'

2011-01-12 Thread Nelson B Bolyard
On 2011-01-12 13:18 PDT, Bernhard Thalmayr wrote: Hi Experts, where do I get the script 'modlogger.pl' mentioned in 'http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn2.html'? Sadly, it no longer exists. But IMO, you don't need it. The raw output is equally readable without it,

Re: How to get 'TRACE' build?

2011-01-12 Thread Nelson B Bolyard
On 2011-01-11 13:26 PDT, Bernhard Thalmayr wrote: Hi experts, https://developer.mozilla.org/en/NSS_reference/NSS_environment_variables tells me that I have to build NSS/NSPR with 'TRACE'. Unfortunatley I have not found how to make this build work. I've already search the archive and

Re: NSS 3.12.5: Error '-8023' ... how to track it down?

2011-01-12 Thread Nelson B Bolyard
Bernhard wrote: 331569088[1bd1610]: flags = 0x4 331569088[1bd1610]: pApplication = 0331569088331569088[1bd1610]: Notify = 0x13231f31569088[1bd1610]: phSession = 0x7fffc331569088[1bd1610]: phKey = 0x36c1618 331569088[1bd1610]: CKA_CLASS = CKO_SECRET_KEY [8] Was that a copy

Re: How to get 'TRACE' build?

2011-01-12 Thread Nelson B Bolyard
On 2011-01-12 13:53 PDT, Bernhard Thalmayr wrote: Although I've only done a debug build I get an ssl-trace file starting with .. SSL: tracing set to 127 SSL: debugging set to 127 12676: SSL: grow buffer from 0 to 18432 12676: SSL: grow buffer from 0 to 18432 12676: SSL[107778448]:

Re: Firefox PSM locks NSS

2011-01-12 Thread Nelson B Bolyard
On 2011-01-11 04:48 PDT, Irune Prado Alberdi wrote: I'm trying to access a NSS shareable database (3.1.2 with NSS_DEFAULT_DB_TYPE=sql) while having a Firefox NSS session already initialized over the pkcs11 module of my smartcard. My test is really simple but I don't get to know why firefox

Re: Thunderbird crashing when C_SignInit returns other than CKR_OK

2010-12-27 Thread Nelson B Bolyard
On 2010-12-27 01:44 PDT, Matej Kurpel wrote: If I only was able to load the source code of Thunderbird in Visual Studio, that would be great. I could debug it line-by-line as usual. You can. Download and unpack the sources from

Re: Thunderbird crashing when C_SignInit returns other than CKR_OK

2010-12-27 Thread Nelson B Bolyard
On 2010-12-27 10:39 PDT, Matej Kurpel wrote: Wow - I was able to Attach To Process... in VS2008 and then I caused the crash deliberately. Bravo. It showed me the source code and call stack, which is great. But evaluating most of the variables returned CXX0069: Error: variable needs

Re: Thunderbird crashing when C_SignInit returns other than CKR_OK

2010-12-19 Thread Nelson B Bolyard
On 2010-12-19 00:56 PDT, Marsh Ray wrote: On 12/19/2010 02:27 AM, Nelson Bolyard wrote: Yes, Mozilla builds its own CRT, which is a modified version of the MSVC CRT, whose sources come only with the pay (not free) versions of MSVC. They do this in order to replace MSVC's normal heap code

Re: Thunderbird crashing when C_SignInit returns other than CKR_OK

2010-12-11 Thread Nelson B Bolyard
Matej, Your message contains an obvious self-contradiction. Observe: On 2010-12-10 09:57 PDT, Matej Kurpel wrote: CK_RV CK_ENTRY C_SignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) { return CKR_FUNCTION_CANCELED; } 89: C_SignInit

Re: importing leaf cert into NSS db via JSS

2010-12-10 Thread Nelson B Bolyard
On 2010-12-10 03:45 PDT, David Stutzman wrote: On 12/9/2010 2:29 PM, Wan-Teh Chang wrote: The (-8157) Certificate extension not found part is most likely wrong (a stale error code). Please try to track that down and fix it. I remember Nelson saying pretty much anytime that error pops out

Re: Certificate login in Firefox - how does it work?

2010-11-27 Thread Nelson B Bolyard
On 2010-11-26 13:20 PDT, ryan-mozdevtechcry...@sleevi.com wrote: [snip] And to save you a bit of trouble/pain: for CryptoAPI, you cannot simply sign raw data - you can only sign previously hashed data. I understand this to mean that you cannot write a pure PKCS#11 - CryptoAPI mapper, whether

Re: NSS ss-sec.uncache is NULL

2010-11-25 Thread Nelson B Bolyard
On 2010-11-24 11:17 PDT, passfree wrote: Speaking of firefox, I know it is not meant to be used as a server but it does provide server sockets through nsIServerSocket interface. I'd say it's a BUG in PSM if it offers a way for XPCom users to use NSS server sockets, but doesn't offer any way

Re: CMSUTIL Problem

2010-11-11 Thread Nelson B Bolyard
On 2010-11-10 05:41 PDT, stephen.mocca...@gdc4s.com wrote: I am on a Linux system and I am trying to send a signed email message using cmsutil and the smime toolkit but it fails with the following error: cmsutil: the corresponding cert for key (null) does not exist: Certificate key usage

Moderator note: Happy Day - newsgroup moderation has begun (I think)

2010-11-09 Thread Nelson B Bolyard
This morning, in the moderation queue for this list, I found a message that was different from others I'd seen before. It appeared to have originated as a newsgroup posting at google. I'm still not 100% sure if this was a moderated newsgroup posting, or if the poster merely sent it both as a

Re: Usage of FreeBL and FreeBL/mpi through JavaScript in Firefox 4 Sync

2010-10-30 Thread Nelson B Bolyard
On 2010/10/29 01:44 PDT, Nelson B Bolyard wrote: No, passwords simply have NO PLACE in protecting the average user from phishing. And it doesn't matter whether the password is used to derive a session encryption key, or just as an authentication token. The user is just as vulnerable either

Re: Usage of FreeBL and FreeBL/mpi through JavaScript in Firefox 4 Sync

2010-10-29 Thread Nelson B Bolyard
On 2010/10/28 03:12 PDT, Jean-Marc Desperrier wrote: Nelson B Bolyard wrote: [...] It because none of them: J-PAKE, SPEKE, SRP, or for that matter, good old CRAM-MD5 address the NUMBER ONE problem with passwords. PHISHING. They are a very significant

Re: Invalide certificate encoding crashing certutil [Re: Thunderbird: Could not verify this certificate for unknown reasons]

2010-10-29 Thread Nelson B Bolyard
On 2010/10/28 02:14 PDT, Jean-Marc Desperrier wrote: Nelson B Bolyard wrote: Please don't file a bug without a stack trace showing the crash is in NSS. [...] If the back trace shows the crash is not in NSS, but in some other library, please direct the bug report accordingly. The report

Re: certutil generated with MSVC9 for Win dows 64 bits doesn´t work with tokens

2010-10-27 Thread Nelson B Bolyard
On 2010-10-26 23:03 PDT, Kaspar Brand wrote: Microsoft's directory naming might actually confuse you here. On a 64-bit Windows system, %systemroot%\SysWOW64 has the *32*-bit DLLs, while the 64-bit versions can be found under %systemroot%\system32. AAARRGGG! What do you suggest ?

Re: Invalide certificate encoding crashing certutil [Re: Thunderbird: Could not verify this certificate for unknown reasons]

2010-10-26 Thread Nelson B Bolyard
On 2010-10-26 05:07 PDT, Jean-Marc Desperrier wrote: Matej Kurpel wrote: However, how does a printable string differ from utf8string (and other strings, particularly ia5string) when there are no non-ascii characters? Do you think it's a bug in NSS...? printable string basically allows only

Re: Thunderbird: Could not verify this certificate for unknown reasons

2010-10-24 Thread Nelson B Bolyard
On 2010-10-24 02:12 PDT, Matej Kurpel wrote: [snip] You can clearly see both my CA and user certificates. Certutil has used my PKCS#11 module to obtain my user certificate. Then I launched the second commany you were suggesting: certutil -d . -L -n HTC Touch HD T8282:Matej Kurpel Now it

Re: Thunderbird: Could not verify this certificate for unknown reasons

2010-10-23 Thread Nelson B Bolyard
On 2010-10-21 13:31 PDT, Matej Kurpel wrote: This looks like Thunderbird cannot find the user certificate in its database. Well, it shouldn't anyway, since it resides on the token provided by a PKCS#11 module I am developing. Right. It's not necessary for the cert to be in the database.

Re: JSS4.DLL and JSS.jar for Windows 64 bits

2010-10-23 Thread Nelson B Bolyard
On 2010-10-22 07:39 PDT, stephen.mocca...@gdc4s.com wrote: Thanks. I'll try it. Stephen Moccaldi General Dynamics C4 Systems, Inc. stephen.mocca...@gdc4s.com 781-455-5466 This message and/or attachments may include information subject to GDC4S O.M. 1.8.6 and GD Corporate Policy

Re: PARAMORE MP3

2010-10-22 Thread Nelson B Bolyard
Gerv, On 2010-10-22 01:25 PDT, Jan Huynh wrote: Click Here to Enter: http://better-web-365.com/12/paramore-mp3 . . Paramore Mp3 Paramore Franklin Free Mp3 [Hundreds of lines beginning with the word Paramore deleted] This is clearly a failure of the new newsgroup moderation, and

Re: Usage of FreeBL and FreeBL/mpi through JavaScript in Firefox 4 Sync

2010-10-22 Thread Nelson B Bolyard
This is a resend. Don't know why my previous copy went only to Marsh. I intended it to go to the list as well. On 2010-10-21 16:50 PDT, Marsh Ray wrote: On 10/21/2010 05:53 PM, Nelson B Bolyard wrote: - Letting mozilla products become a playground for home-baked crypto protocols. That's

Re: Usage of FreeBL and FreeBL/mpi through JavaScript in Firefox 4 Sync

2010-10-22 Thread Nelson B Bolyard
On 2010-10-22 11:35 PDT, Wan-Teh Chang wrote: On Thu, Oct 21, 2010 at 3:53 PM, Nelson B Bolyard nel...@bolyard.me wrote: I'd say the interfaces to those functions (more precisely, their signatures) are quite frozen. The mp_int bignum package API is so frozen as to have become something

Re: Usage of FreeBL and FreeBL/mpi through JavaScript in Firefox 4 Sync

2010-10-21 Thread Nelson B Bolyard
On 2010-10-20 17:13 PDT, Brian Smith wrote: See https://bugzilla.mozilla.org/show_bug.cgi?id=601645. The following internal functions and data structures in FreeBL that would be used Firefox 4.0 Sync's J-PAKE implementation through JSCtypes (a mechanism for calling native code through

Re: Discussion forums anti-spam: configuration change

2010-10-20 Thread Nelson B Bolyard
On 2010-10-19 01:23 PDT, Gervase Markham wrote: At 11pm Pacific Time on Tuesday night (6am UTC on Wednesday morning) we are implementing[0] the new discussion forums anti-spam plan[1] on the following guinea pig groups: mozilla.community.philippines mozilla.governance.mpl-update

Re: Thunderbird: Could not verify this certificate for unknown reasons

2010-10-20 Thread Nelson B Bolyard
On 2010-10-20 09:54 PDT, Matej Kurpel wrote: Hello, I have set up my own CA and issued one certificate signed by this CA. However, I cannot use this certificate to send signed e-mail from Thunderbird. It says Could not verify this certificate for unknown reasons. PSM's infamous for an

Re: PKCS#11: C_Sign provides invalid signature

2010-10-16 Thread Nelson B Bolyard
On 2010-10-16 06:25 PDT, Matej Kurpel wrote: Hello, I am developing a PKCS#11 module to be used with Thunderbird. However, I have trouble providing a valid signature for e-mails. The mechanism used is CKM_RSA_PKCS and I have a 1024bit private key along with the certificate, stored on the

Re: PKCS#11: C_Sign provides invalid signature

2010-10-16 Thread Nelson B Bolyard
On 2010-10-16 11:39 PDT, Matej Kurpel wrote: On 16. 10. 2010 18:33, Nelson B Bolyard wrote: The SignData method you're trying to use does all the above steps. It wants the input to step 1. Since you're implementing CKM_RSA_PKCS, the data you're given is the input to step 3, the output from

Re: how to modify the absolute profile path in secmod.db

2010-10-12 Thread Nelson B Bolyard
On 2010-10-08 10:58 PDT, al...@yahoo.com wrote: I noticed when moving a profile that secmod.db retains the old absolute profile path (configdir='...') Is the path used for anything? Does it need to be updated? How? Can secmod.db be deleted and regenerated? What are the consequences?

Re: NSS and PKCS#11 Certificate+Private key

2010-10-10 Thread Nelson B Bolyard
On 2010-10-10 07:45 PDT, Matej Kurpel wrote: Never mind, solved it myself. What turned out to be the problem, was that the CK_BBOOL values were 4-bytes and not 1 byte in size. Glad you figured it out. I think we could not have helped you without a LOT of work and looking at your code. --

Re: ssl stream pipe

2010-10-02 Thread Nelson B Bolyard
On 2010-10-02 09:11 PDT, passfree wrote: The problem is within the write method of the component which fails for some unknown reasons. Here is the code I am using for testing: char b[] = { 12345 }; int result = PR_Write(sfd, b, 5); if (result =

Re: Can a ssl3.ca_list be configured on a model file descriptor?

2010-09-18 Thread Nelson B Bolyard
On 2010-09-16 00:54 PDT, Wolter Eldering wrote: Hi, I have configured a model file descriptor using SSL_SetTrustAnchors(PRFileDesc *fd, CERTCertList *list) The ssl3.ca_list information set in the model is not copied into the new file descriptor when calling PRFileDesc

Re: Enforcing Definite Encoding on Constructed CMS Objects

2010-09-11 Thread Nelson B Bolyard
On 2010-09-09 03:37 PDT, Vincent Agriesti wrote: How do I get the CMS encoder in mozilla's NSS 3.12.7 to use definite encodings on constructed types as well as data [?] [snip] Researching into the code, I've found (in secasn1e.c) /* The !isString test below is apparently intended to

Re: Proposal to remove SSL 2.0 support from NSS trunk (NSS 3.13)

2010-09-07 Thread Nelson B Bolyard
On 2010-09-07 06:20 PDT, Konstantin Andreev wrote: On 08/31/10 05:01, Nelson B Bolyard wrote: On 2010/08/30 17:32 PDT, Wan-Teh Chang wrote: I propose that we remove SSL 2.0 support from the NSS trunk (NSS 3.13). [... skip ...] It's something I wanted to do for YEARS, but for as long as I

Re: signature verification. VFY_CreateContextWithAlgorithmID help

2010-09-07 Thread Nelson B Bolyard
On 2010-09-06 08:17 PDT, Xavier Toth wrote: I'm trying to verify the signature of a file I've signed but I don't understand where to get the sigAlgorithm and hash to pass to VFY_CreateContextWithAlgorithmID. I presume you've read the description of these parameters in

Re: Using a 'secret' SSL client certificate from Mozilla

2010-09-03 Thread Nelson B Bolyard
On 2010-08-30 11:04 PDT, Michael Smith wrote: On Aug 28, 10:08 am, Nelson Bolyard nonelsons...@nobolyardspam.me wrote: What is the real underlying objective of this? Is it to authenticate the individual user of the product to the servers? Is it to ensure that the client applications of the

Re: Proposal to remove SSL 2.0 support from NSS trunk (NSS 3.13)

2010-08-30 Thread Nelson B Bolyard
On 2010/08/30 17:32 PDT, Wan-Teh Chang wrote: On Mon, Aug 30, 2010 at 8:12 AM, Brian Smith br...@briansmith.org wrote: Wan-Teh Chang wrote: I propose that we remove SSL 2.0 support from the NSS trunk (NSS 3.13). The entire gather logic, by which incoming records are received, could be

Re: how to send encrypted mail to email list address ?

2010-08-27 Thread Nelson B Bolyard
On 2010/08/26 01:02 PDT, fishjohn wrote: Hi. Hope this forum is ok for such question. Yes. We have simple lists implemented through /etc/aliases . basically I want to send encrypted mail to l...@example.com ( which is alias for person1, person2, ...) A common desire. Is there way to

Re: Why does Softoken refuse to create keys with C_CreateObject in FIPS mode?

2010-08-22 Thread Nelson B Bolyard
On 2010-08-22 16:44 PDT, Brian Smith wrote: When NSS Softoken is in FIPS mode, it refuses to create keys with C_CreateObject. What means that it refuses to import secret or private key material that is being kept in the clear outside of the security module boundary into the security module,

Re: Why does Softoken refuse to create keys with C_CreateObject in FIPS mode?

2010-08-22 Thread Nelson B Bolyard
On 2010-08-22 20:46 PDT, Nelson B Bolyard wrote: On 2010-08-22 16:44 PDT, Brian Smith wrote: When NSS Softoken is in FIPS mode, it refuses to create keys with C_CreateObject. What means that it refuses to import secret or private key material Sorry, that should have read: Which means

Re: Assertion when using SEC_ASN1EncodeItem with subtemplate

2010-07-31 Thread Nelson B Bolyard
On 2010-07-30 20:53 PDT, Wan-Teh Chang wrote: On Fri, Jul 30, 2010 at 11:29 AM, Nelson B Bolyard nel...@bolyard.me wrote: I think you're right. I filed https://bugzilla.mozilla.org/show_bug.cgi?id=583308 with a patch to fix at least one problem. I ran Hanno's test program in a debugger

Re: Assertion when using SEC_ASN1EncodeItem with subtemplate

2010-07-31 Thread Nelson B Bolyard
On 2010-07-30 20:53 PDT, Wan-Teh Chang wrote: Here is Hanno's code modified to use a PointerTo template: SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate) const SEC_ASN1Template MY_PointerToAlgorithmIDTemplate[] = { { SEC_ASN1_POINTER, 0, SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) } };

Re: Assertion when using SEC_ASN1EncodeItem with subtemplate

2010-07-31 Thread Nelson B Bolyard
On 2010-07-31 14:23 PDT, Nelson B Bolyard wrote: So, I moved the XTRN flag up to the PointerTo template, and that didn't crash, but it failed. I'm debugging it now. My mistake. It succeeded. I interpreted the returned pointer to the output buffer as a non-zero result code indicating failure

Re: cmsutil: deprecated class usage

2010-07-30 Thread Nelson B Bolyard
On 2010-07-29 18:35 PDT, Alexander V Vershilov wrote: Hello. I'm trying to build package pki-utils-1.3.1. And it fails on building cmsutils: pki-util-1.3.1/src/com/netscape/cmsutil/crypto/CryptoUtil.java at string: org.mozilla.jss.crypto.KeyPairGeneratorSp[2^i.Usage[]

Re: Assertion when using SEC_ASN1EncodeItem with subtemplate

2010-07-30 Thread Nelson B Bolyard
On 2010-07-29 15:14 PDT, Hanno Böck wrote: After digging down deeper into the code, it seems it fails somewhere here: http://mxr.mozilla.org/security/source/security/nss/lib/util/secasn1e.c#897 It gives state-theTemplate to the SEC_ASN1GetSubTemplate-function, while state-theTemplate points

Re: Assertion when using SEC_ASN1EncodeItem with subtemplate

2010-07-29 Thread Nelson B Bolyard
On 2010-07-26 06:07 PDT, Hanno Böck wrote: Hi, Just recently, the templates for decoding the RSA-PSS ASN1 parameters got added to cvs head (in cryptohi/seckey.c). Currently I'm working on implementing the creation of PSS signatures, so I need them also to encode. My naive thought was

Re: Fwd: Hi, I have three questions about embed bank CA cert in Firefox

2010-07-23 Thread Nelson B Bolyard
On 2010-07-21 18:26 PDT, Amax Guan wrote: Thank you very much, this really help alot:) We won't let end-users use that tool, instead, we put it in a installer, and let the installer do the dirty work. btw, Since this certutil.exe is downloaded from microsoft.com I'm a little worried

Re: Netscape Enterprise Server 3.63 2048 bit ssl cert

2010-07-23 Thread Nelson B Bolyard
On 2010-07-23 13:48 PDT, Robert Relyea wrote: You may be stuck. I believe NES 3.63 ran using an older version of NSS that is available in the open source world (or even available as shared ^ NOT! libraries, for that matter). I'm not sure if anyone has access to that old

Re: JSS in Firefox - loading applets over mutual SSL stopped working since the v. 3.6.x

2010-07-21 Thread Nelson B Bolyard
On 2010-07-20 02:21 PDT, Waldek wrote: Hi again, is there anybody who's been able to get such a setup working after upgrading to FF 3.6.x ?? Is it a FF 3.6.x bug ?? Could someone from Mozilla guys state anything in this case ?? I've no other ideas so far but recommending my customers

Re: Fwd: Hi, I have three questions about embed bank CA cert in Firefox

2010-07-21 Thread Nelson B Bolyard
On 2010-07-21 10:50 PDT, Ryan Sleevi wrote, quoting Gervase Markham: On 21/07/10 07:26, Amax Guan wrote: But if you generate a user Certificate that's issued by a untrusted CA, there will be an alert popup. Can some NSS or PSM hacker explain why this is? Gerv While neither an NSS nor PSM

Re: Passing random numbers between tokens - what FIPS thinks ?

2010-07-21 Thread Nelson B Bolyard
I wrote: FIPS 140 will not allow *any* hardware pure noise source to be used by itself as a random number/bit source. Instead, such a source MUST be fed into a DRBG from which any internal random data is taken. To clarify, by pure noise source, I meant such as a forward biased silicon PN

Re: Passing random numbers between tokens - what FIPS thinks ?

2010-07-21 Thread Nelson B Bolyard
On 2010-07-19 03:18 PDT, Konstantin Andreev wrote: Let assume, I have high-quality, conformant to all relevant standards (e.g. FIPS 140-1), hardware, true random numbers source - token B. Token vendor intimately cares about standard API to the token, and provides PKCS#11 library. Indeed,

Re: JSS/NSS library dependencies on Windows XP

2010-07-19 Thread Nelson B Bolyard
On 2010-07-19 10:56 PDT, Caden.smith Smith wrote: Just for your information, here is the tree: JSS4.DLL NSPR4.DLL ADVAPI32.DLL The factors under the control of the way in which JSS and NSPR are built end here. Anything below this point has NOTHING to do with them. Everything below

Re: Passing random numbers between tokens - what FIPS thinks ?

2010-07-17 Thread Nelson B Bolyard
On 2010-07-12 02:18 PDT, Konstantin Andreev wrote: Hello. I am asking in this newsgroup, because I believe FIPS mode can affect the answer. Let assume -- Token A is software token, and able to make ECC signatures. -- Token B is hardware token providing TRUE random numbers.

Re: How to refresh Firefox keystore

2010-07-03 Thread Nelson B Bolyard
On 2010-07-01 18:10 PDT, james07 wrote: I'm importing the key pair into the browser's soft token. I can see that the cert8.db and key3.db files in the profile directory are updated and I can also see the new certificate using certutil.exe -L. However when attempting to connect to a website

Re: 6 year old bug forcing my office to outlook

2010-06-22 Thread Nelson B Bolyard
On 2010-06-22 06:24 PDT, Logan Jones wrote: Whenever someone receives an email with a .p7m extension as an attachment, Thunderbird eats it. I suppose you mean /attachment/ rather than /extension/. Normally it would be saved to the desktop and decrypted with the standalone entrust

Re: C_EncryptUpdate( inlen != N * blksize ) for CBC, ECB cipher modes.

2010-06-22 Thread Nelson B Bolyard
On 2010-06-22 07:06 PDT, Konstantin Andreev wrote: At the moment, NSS softoken still return CKR_DATA_LEN_RANGE when CBC/ECB ciphers are updated with odd length. I wonder, are any chances for this aspect of NSS softoken to be more PKCS#11 compliant in the near future ? Yes. Step 1. File a

Re: PK11_CipherOp with RC4 and invalid memory access

2010-06-22 Thread Nelson B Bolyard
On 2010-06-21 17:57 PDT, Brian Smith wrote: From arcfour.c: http://mxr.mozilla.org/mozilla/source/security/nss/lib/freebl/arcfour.c#390 My guess is that valgrind is considering malloc(5) to allocate 5 bytes, when really it allocates 8 bytes at least (because of alignment). See the

Re: Using NSS to export PKCS#12 pfx files

2010-06-18 Thread Nelson B Bolyard
On 2010-06-15 14:17 PDT, John Scott wrote: I'm doing the following to create a signed Firefox plugin http://oyoy.eu/huh/firefox-extension-code-signed-with-spc-pvk/ However, I'm trying to automate the process, and the first step would be removing the need for pvkimprt. .NET code can export

Question for CA representatives about PKCS#10 CSRs you accept

2010-06-17 Thread Nelson B Bolyard
I have a question for CAs that accept PKCS#10 CSRs. Background: PKCS#10 certificate requests may contain an optional set of ATTRIBUTEs. One type of ATTRIBUTE, the only type mentioned in PKCS#10, is the PKCS#9 certificate Extension Request. But PKCS#10 suggests that other types could be defined,

Re: How pkcs#11 modules read the CONFIG_STRING from modutil -string command

2010-06-17 Thread Nelson B Bolyard
On 2010-06-17 13:45 PDT, Klaus Heinrich Kiwi wrote: If I'm coding a PKCS#11 module, how exactly the -string parameter from modutil gets passed down to the library? i.e., $ modutil -add mylib -libfile /lib/mylib.so -string my conf string I though C_Initialize, OpenSession or even InitToken

System NSS DB Directory selection challenges

2010-06-14 Thread Nelson B Bolyard
In https://bugzilla.mozilla.org/show_bug.cgi?id=490238#c37 David Woodhouse asks how well-behaved applications, which may or may not be running on a system with System NSS, are supposed to determine the value of the directory name string they pass to NSS_Init. He observes that the value may differ

Re: (nss-3.12.6) unable to engage FIPS mode: security library: invalid arguments.

2010-06-13 Thread Nelson B Bolyard
On 2010/06/13 01:33 PDT, Robin H. Johnson wrote: LOOK at the links I provided, there are ZERO changes to the actual source code. Robin, The point is that the upstream NSS team simply doesn't have time or resources to look at every downstream distribution. There's no point in asking us to do

Re: (nss-3.12.6) unable to engage FIPS mode: security library: invalid arguments.

2010-06-13 Thread Nelson B Bolyard
On 2010-06-13 13:02 PDT, Robin H. Johnson wrote: On Sun, Jun 13, 2010 at 02:02:39AM -0700, Nelson B Bolyard wrote: The root of the problem is that the shared libraries can change POST-install, as needed for ELF signing, split-debug and prelinking. The ELF signing is a catch-22. Either I have

Re: (nss-3.12.6) unable to engage FIPS mode: security library: invalid arguments.

2010-06-13 Thread Nelson B Bolyard
On 2010-06-13 17:24 PDT, Robin H. Johnson wrote: On Sun, Jun 13, 2010 at 03:08:07PM -0700, Nelson B Bolyard wrote: On 2010-06-13 13:02 PDT, Robin H. Johnson wrote: As an intermediate related question, is there a standalone verification tool for the CHK files shlibsign -V -i seems

Re: (nss-3.12.6) unable to engage FIPS mode: security library: invalid arguments.

2010-06-13 Thread Nelson B Bolyard
On 2010-06-13 17:56 PDT, I wrote: Perhaps the easiest thing to do is rerun shlibsign and compare the old and new files. Please forget that I wrote that. That won't work. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: S/MIME interop issue with Outlook 2010 beta

2010-06-12 Thread Nelson B Bolyard
On 2010-06-12 00:50 PDT, Kaspar Brand wrote: Sigh. I just came across this: http://support.microsoft.com/kb/2142236 Non-Outlook email clients unable to decrypt email sent from Outlook 2010 which states under Cause: Outlook 2010 now more fully implements the Cryptographic Message

Re: (nss-3.12.6) unable to engage FIPS mode: security library: invalid arguments.

2010-06-12 Thread Nelson B Bolyard
On 2010-06-10 22:59 PDT, Robin H. Johnson wrote: On Thu, Jun 10, 2010 at 10:45:03PM +, Robin H. Johnson wrote: Testcase 2: (see attached minimal C code, based on posts to the list and used in the modutils source AND Mozilla). Bah, forgot the actual file. The testcase has been run on

Re: (nss-3.12.6) unable to engage FIPS mode: security library: invalid arguments.

2010-06-12 Thread Nelson B Bolyard
On 2010-06-12 12:49 PDT, Robin H. Johnson wrote: On Sat, Jun 12, 2010 at 12:15:07PM -0700, Matt McCutchen wrote: On Jun 12, 2:25 pm, Nelson B Bolyard nel...@bolyard.me wrote: On 2010-06-10 22:59 PDT, Robin H. Johnson wrote: The testcase has been run on Arch and Fedora now, and both of those

Re: Thunderbird problem with the search for certificates in the S-TRUST trust list service

2010-06-10 Thread Nelson B Bolyard
On 2010-06-10 07:49 PDT, Jean-Marc Desperrier wrote: Nelson B Bolyard wrote: Fame and Glory await.:-) Which means a mention in http://www.mozilla.org/credits/ or about:credits : We would like to thank our contributors, whose efforts make this software what it is. [...] Any

Re: S/MIME interop issue with Outlook 2010 beta

2010-06-10 Thread Nelson B Bolyard
On 2010-06-03 21:52 PDT, Kaspar Brand wrote: On 03.06.2010 22:57, PDF3 SecureEmail wrote: I suspect that NSS is not supporting sender key ID yet/properly. If you replace sender key ID by RecipientIdentifier, then that statement is true, yes. (Note, however that the MSFT moderator mixes up

Re: Generation of key pair and CSR

2010-06-07 Thread Nelson B Bolyard
On 2010-06-06 20:38 PDT, james07 wrote: I would like to create a plug-in for Firefox that, when invoked, generates a new key in the Firefox key/certificate store. Is it possible to generate a new keypair in using NSS from the plug-in, or do I need to somehow call crypto.generateCRMF() via

  1   2   3   4   5   6   7   8   >