RE: PK11_CipherOp with RC4 and invalid memory access

2010-06-21 Thread Brian Smith
From arcfour.c: http://mxr.mozilla.org/mozilla/source/security/nss/lib/freebl/arcfour.c#390 My guess is that valgrind is considering malloc(5) to allocate 5 bytes, when really it allocates 8 bytes at least (because of alignment). Regards, Brian -Original Message- From:

PKCS#11 header files: license and updating to the newest version

2010-08-02 Thread Brian Smith
I read a rumor that Mozilla received explicit permission from RSA labs to distribute the PKCS#11 header files under the Mozilla tri-license. Does anybody know anything about that, and how I can verify it? I noticed that the header files are out of date. They do not include the AES-GCM

RE: PKCS#11 header files: license and updating to the newest version

2010-08-03 Thread Brian Smith
Martin Paljak wrote: FYI, OpenSC project [1] has a fork of the PKCS#11 headers [2]. Yes, I read the discussion about that and it also seems iffy. If Mozilla already has explicit permission to distribute them under the LGPL/GPL/MPL then that works much better. At the same time, isn't GCM only

Why does Softoken refuse to create keys with C_CreateObject in FIPS mode?

2010-08-22 Thread Brian Smith
When NSS Softoken is in FIPS mode, it refuses to create keys with C_CreateObject. The same method works fine in regular (non-FIPS) mode. But, it is possible to achieve the exact same effects using either any of the procedures outlined below. So, what is the motivation for prohibiting the key

RE: Why does Softoken refuse to create keys with C_CreateObject in FIPS mode?

2010-08-23 Thread Brian Smith
Nelson B Bolyard wrote: It's all about making it difficult enough that people start to ask why is this obviously more difficult than the casual developer thinks it must be? Thank you. That makes a lot of sense. My understanding is that there doesn't really need to be a difference in the way the

RE: Re[5]: PKCS#11 header files: license and updating to the newest version

2010-08-27 Thread Brian Smith
Konstantin Andreev wrote: On 08/03/10 19:13, Brian Smith wrote: I think I found a problem with the GCM interface that seems to make it impossible to use the PKCS#11 interface in a FIPS-140-compliant manner. In particular, NIST SP800-38D requires that the IV for the GCM mode be generated

How important is FIPS-140 compliance and PKCS#11 interoperability to Firefox, Chrome, etc.?

2010-08-27 Thread Brian Smith
In accepting patches to implement TLS 1.2 and/or AES-GCM cipher suites, is a (potentially-)FIPS-140-compliant implementation required? Or, would it be acceptable in the short-term to have an implementation that is known to be non-compliant and thus disabled in FIPS mode? The main issue

RE: Proposal to remove SSL 2.0 support from NSS trunk (NSS 3.13)

2010-08-30 Thread Brian Smith
Hanno Böck wrote: May I make a provocative enhancement proposal? Just remove SSLv3 altogether with it. The reason are bugs like this: https://bugzilla.mozilla.org/show_bug.cgi?id=450280 I think this is unfixable as long as one wants to support SSLv3 (see comment #15), though when using

Re: browser sandbox security

2010-10-12 Thread Brian Smith
On 10/11/2010 7:02 PM, Mountie Lee wrote: Hi. I'm mountie lee from paygate, seoul. I have some question for firefox browser sandbox security. I'm not sure this mailling list is suitable for my subject. If not, recommend me the new group I recommend posting on dev-security:

NSS linkage and FIPS-140 compliance for Firefox

2010-10-18 Thread Brian Smith
[I cannot participate in any legal discussions now. Please don't ask me questions about legal stuff.] We (Mozilla) are are exploring some approaches to statically link NSS into Firefox to reduce dynamic linkage overhead caused by the NSS shared libraries and to allow for whole-program

Re: problem Importing certificates in NSS db using Cert_importcerts -

2010-10-19 Thread Brian Smith
I will try to help you if you can wrap the code below in a complete program that I can compile and run using Visual Studio 2010. - Original Message - From: PeachUser anupama.jo...@gmail.com To: dev-tech-crypto@lists.mozilla.org Sent: Tuesday, October 19, 2010 8:06:33 AM Subject: Re:

Re: problem Importing certificates in NSS db using Cert_importcerts -

2010-10-19 Thread Brian Smith
I am using NSS on linux as a part of a bigger project. To implement similar functionality on windows I used windows system APIs. If you have any working example pl. share with me. That's OK. Post a complete, minimal program that runs on Linux. -- dev-tech-crypto mailing list

Usage of FreeBL and FreeBL/mpi through JavaScript in Firefox 4 Sync

2010-10-20 Thread Brian Smith
See https://bugzilla.mozilla.org/show_bug.cgi?id=601645. The following internal functions and data structures in FreeBL that would be used Firefox 4.0 Sync's J-PAKE implementation through JSCtypes (a mechanism for calling native code through Javascript). I personally would like to find a way

Firefox Sync, Key Exchange/Entry, and FIPS (was Re: NSS linkage and FIPS-140 compliance for Firefox)

2010-10-20 Thread Brian Smith
Brian Smith wrote: (Because of Firefox Sync, we are now always going to have crypto features that won't work in FIPS mode.) Sigh, ignoring FIPS mode in a feature, is usually a red flag. It means you are handling CSP's where you really shouldn't be. Firefox Sync *CAN* be implemented in FIPS

J-PAKE (was Re: Usage of FreeBL and FreeBL/mpi through JavaScript in Firefox 4 Sync)

2010-10-22 Thread Brian Smith
Jean-Marc Desperrier wrote: Why are you choosing J-PAKE instead of SRP ? The J-PAKE authors claim they developed J-PAKE to avoid patents that cover other algorithms, and they claim they won't patent it. I don't know if either claim is true or not.

Re: Usage of FreeBL and FreeBL/mpi through JavaScript in Firefox 4 Sync

2010-10-22 Thread Brian Smith
Nelson B Bolyard wrote: Brian Smith wrote: I personally would like to find a way to avoid calling these internal functions from within Firefox--especially since there's no way to detect incompatibilities at compile-time and because the interface to these functions isn't frozen. To what

Re: J-PAKE (was Re: Usage of FreeBL and FreeBL/mpi through JavaScript in Firefox 4 Sync)

2010-10-25 Thread Brian Smith
Jean-Marc Desperrier wrote: The reference I gave before shows that there is now a widely accepted opinion that SRP does not infringe on patent more than J-PAKE (even if there was indeed that doubt a few years ago). A patent that covers SRP might be found, but it does not appear today to

Re: Usage of FreeBL and FreeBL/mpi through JavaScript in Firefox 4 Sync

2010-10-25 Thread Brian Smith
Nelson B Bolyard wrote: [...] I'm talking about putting JBAKE (or whatever it is) into the base product. [...] Is there something specific about J-PAKE that you think is bad or worse than some alternative? Are you objecting to J-PAKE because you do not trust the proofs of security given

Re: Thunderbird UnwrapKey on message decryption?

2010-11-01 Thread Brian Smith
Matej Kurpel wrote: I am implementing a PKCS#11 module. Today I tried to send encrypted e-mail to my second gmail account, and it works perfectly (in fact, nothing is needed from my token to support this). However, when the message arrives and I try to read it, Thunderbird calls C_UnwrapKey

Re: Book recommendation?

2010-11-03 Thread Brian Smith
Ludovic Hirlimann wrote: I'd like to uplift my knowledge with regards to crypto, certs and S/Mime the idea is to be able to figure out bugs that are entered into bugzilla, when certs are incorects etc ...) . So I'm looking for a book that would explain all the things that I don't know about

Re: Using dll in mozilla

2010-11-04 Thread Brian Smith
Hi, I am unsure what you are asking. It might be better to write your question in English and also in a second language (Vietnamese) if you are not a native English speaker. I can probably find somebody to translate the second language. Are you trying to add a new PKCS#11 module to Firefox so

Re: NSS linkage and FIPS-140 compliance for Firefox

2010-11-12 Thread Brian Smith
I have been told that some things about my message were not so clear so I will try to clarify them by responding to myself below. In particular, there is some confusion about what has been decided and what is being explored. Brian Smith wrote: 1. Create a supported configuration of NSPR+NSS

Plan B for J-PAKE in Fennec B3 / Firefox B9 -- exposing MPI to Firefox for one beta cycle

2010-11-18 Thread Brian Smith
(Note that this is to: dev-tech-crypto) Short Version: We are looking at taking a private patch for one Firefox beta cycle in mozilla-central to export the MPI functions from FreeBL on all platforms in our private copy of NSS. Then, we could push the next NSS 3.12 release to the week after

Re: NSS ss-sec.uncache is NULL

2010-12-01 Thread Brian Smith
passfree wrote: Speaking of firefox, I know it is not meant to be used as a server but it does provide server sockets through nsIServerSocket interface. So, could these initialisation routines be included in future versions of FF? If not, is it possible to detect somehow if they have been

Re: J-PAKE in NSS

2011-03-04 Thread Brian Smith
Jean-Marc Desperrier wrote: I notice the committed code extracts the generated shared symmetric key up to the javascript level, so takes no real advantage from having generated it inside NSS (I'd expect it instead to leave the AES256 key inside NSS and just get back the handle to it to

Re: Root certificate authorities

2011-03-04 Thread Brian Smith
Ritmo2k wrote: Anyone know if its possible to configure Firefox to implicitly trust all certificate authorities installed in the Windows Trusted Root Certification Authorities Store? Firefox does not support this yet. See: https://bugzilla.mozilla.org/show_bug.cgi?id=454036

Re: Root certificate authorities

2011-03-04 Thread Brian Smith
Ritmo2k wrote: I took a look at http://www.mozilla.org/projects/security/pki/nss/tools/index.html but it wasn’t obvious to me if this was even possible using those tools. In theory you could write a script that exports all the CA certificates from the Windows certificate store and then uses

Re: Known Issue? Looping CA Cross-Certificates not displayed as going to a Root CA

2011-03-07 Thread Brian Smith
Ridley wrote: Presence both of a pair of cross-certificates in the Authorities certificarte store results looping rather than traversing to a root certificate. See https://bugzilla.mozilla.org/show_bug.cgi?id=634074. - Brian -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org

Re: J-PAKE in NSS

2011-03-07 Thread Brian Smith
Jean-Marc Desperrier wrote: Brian Smith wrote: The kind of improvement you described above will be made to resolve Bug 443386 and/or Bug 638966. I think Bug 638966 is slightly different, it's about permanently storing the secret keys in the NSS db (I don't know if that's really possible

TLS-SRP (was Re: J-PAKE in NSS)

2011-03-07 Thread Brian Smith
Jean-Marc Desperrier wrote: But Curl, that supports secret keys from version 7.21.4, with GnuTLS only at the moment but is pushing hard to get in in Openssl also, apparently has simply given up about having TSP-SRP support when compiled with NSS. I see in an old doc that Johnathan was

Re: TLS-SRP (was Re: J-PAKE in NSS)

2011-03-10 Thread Brian Smith
Jean-Marc Desperrier wrote: I don't see it as a substitute for PKI, only as a substitute for user/password. If you want SRP but don't need TLS-SRP then you could implement SRP outside of NSS and then build the UI support around that non-NSS support as a HTTP 1. The user's username is sent

Removal of Windows CE support from NSS

2011-05-08 Thread Brian Smith
Are there any users of NSS on Windows CE? Does anybody object to removing the Windows CE support from NSS? If not, Windows CE support is likely to be removed sometime soon. - Brian -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org

Mixed HTTPS/non-HTTPS content in IE9 and Chrome 13 dev

2011-05-17 Thread Brian Smith
See https://twitter.com/#!/scarybeasts/status/69138114794360832: Chrome 13 dev channel now blocks certain types of mixed content by default (script, CSS, plug-ins). Let me know of any significant breakages. See https://ie.microsoft.com/testdrive/browser/mixedcontent/assets/woodgrove.htm IE9:

Re: Mixed HTTPS/non-HTTPS content in IE9 and Chrome 13 dev

2011-05-18 Thread Brian Smith
Desperrier jmd...@gmail.com wrote: Brian Smith wrote: See https://twitter.com/#!/scarybeasts/status/69138114794360832: Chrome 13 dev channel now blocks certain types of mixed content by default (script, CSS, plug-ins). Let me know of any significant breakages. See https

Re: Unable to generate ECC signature keys with crypto.generateCRMFRequest

2011-07-13 Thread Brian Smith
Fei Fong wrote: I am able to generate ECC encryption keys using: reqtype = 'ec-ex' However, it fails when I try to generate ECC signature keys using reqtype = 'ec-sign' I tried the other options for ECC given in https://developer.mozilla.org/en/generateCRMFRequest as well but have only

Re: compiling nss-3.12.10 with linux-3.0 fails

2011-07-13 Thread Brian Smith
ron wrote: i just tried compiling nss while running a linux-3.0rc5 kernel, which fails with: for there are no major changes between linux-2.6.39 and linux-3.0 copying Linux2.6.mk to Linux3.0.mk did the trick, now everything compiles fine again. hope this is the right plcae to post this

Re: Problem with building NSS

2011-07-13 Thread Brian Smith
radek102 radel wrote: When I try building NSS 3.12.9 on Windows 7, I have some strange error: make: *** No rule to make target `../../nsprpub/configure`, needed by `../../nsprpub/WINNT6.1_OPT.OBJ/config.status`. Stop I'm using mozilla_build. When I compile nss 3.12.9 with nspr 4.8.7

Re: help starting with nss

2011-07-13 Thread Brian Smith
florent ainardi wrote: does anyone can help me starting coding in c the nss library ? i had to encrypt and decrypt data can you tell me the list of function i had to call to do that and tell me the order i suppose that there is a initialization of context, generate key, set mode, set algo,

Re: does anyone try to use AES_CBC ???

2011-07-22 Thread Brian Smith
- Original Message - From: Matej Kurpel mkur...@gmail.com On 22 juil, 14:41, helpcrypto helpcryptohelpcry...@gmail.com wrote: at this time, i had just to make some test about the AES_CBC or AES_ECB like time to encrypt, time to decrypt,how memory used, how cpu used for just a

Protecting PRNG against malicious users / multiple independent PRNG states

2011-07-26 Thread Brian Smith
Mozilla would like to expose a secure PRNG (basically, a wrapper around PK11_GenerateRandom) to JavaScript content: https://bugzilla.mozilla.org/show_bug.cgi?id=440046 There is some agreement that we should maintain separate PRNG state for each origin (roughly: domain name), and that all those

Re: NSS patch for TLS timing attack on elliptic curve cyrptography

2011-09-23 Thread Brian Smith
Douglas Stebila wrote: The same attack applies to NSS. A while back I submitted a bug and patch for NSS, but it has been languishing in Bugzilla without any attention. While the use of ECC in deployed TLS environments is quite low, it's still probably a good idea to get the code patched.

Re: Mozilla NSS and DANE

2011-10-13 Thread Brian Smith
Pontus Ericson wrote: If anyone has any directions/recommendations on where in the NSS library I should focus to implement changes to the retrieval and association of certificates I would be grateful. Also if there is any interest in the project I could answer any questions. Do you have a

NSS 3.12.* maintanence after the NSS 3.13 release?

2011-10-17 Thread Brian Smith
Are we going to stop maintaining NSS 3.12 after the 3.13 release? People have asked if we were going to backport bug 665814 to 3.12, specifically. My understanding is that Bob proposed that the 3.13 release will mark the end of 3.12 maintenance. This is why we (Mozilla) upgraded to 3.13 instead

Re: Recent builds of NSS on Windows?

2011-10-17 Thread Brian Smith
Walter Goulet wrote: I'm wondering if anyone has recently built a version of NSS on Windows per the instructions on the NSS build pages (http://www.mozilla.org/ projects/security/pki/nss/nss-3.7.7/nss-3.7.7-build.html)? I've run into problems building NSS using both MozillaBuild

Re: NSS 3.12.* maintanence after the NSS 3.13 release?

2011-10-17 Thread Brian Smith
NSS release announcements are made on the Mozilla dev-tech-crypto mailing list: http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/28c9fd2d65f7bd55# - Brian - Original Message - From: Julien Pierre julien.pie...@oracle.com To: Brian Smith bsm...@mozilla.com

NSS 3.13.1 release to fix regression caused by NSS 3.13 bug 693228

2011-10-18 Thread Brian Smith
Will we release a special update to NSS 3.13 to fix the regression bug 693228, or will we wait until the next release? Thanks, Brian -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: NSS 3.12.* maintanence after the NSS 3.13 release?

2011-10-18 Thread Brian Smith
There is one known regression. Also, the BEAST workaround is an incompatible change for some applications. Otherwise, I expect it to be drop-in compatible. - Brian - Original Message - From: Julien Pierre julien.pie...@oracle.com To: Brian Smith bsm...@mozilla.com Cc: mozilla's

Proposed change for the way we import NSS into mozilla-central

2011-10-18 Thread Brian Smith
Hi, Mozilla wants to commit the beginnings of our SPDY implementation into mozilla-central sooner than I expected, and sooner than we probably want to do another NSS release--ideally some time next week. Our SPDY implementation will depend on the following changes. Two of them are almost done

Re: NSS 3.12.* maintanence after the NSS 3.13 release?

2011-10-18 Thread Brian Smith
I just emailed the mailing list about it: bug 693228. It is a crashing bug in NSS_Init. - Original Message - From: Julien Pierre julien.pie...@oracle.com To: Brian Smith bsm...@mozilla.com Cc: mozilla's crypto code discussion list dev-tech-crypto@lists.mozilla.org Sent: Tuesday

tstclnt exit code: do we really need to distinguish between failures during PR_Send and PR_Recv?

2011-10-31 Thread Brian Smith
I am modifying tstclnt to test my patch for bug 542832. With my patch, tstclnt always succeeds or fails like it did before, but in some of the failure cases it exits with exit code 1 when the testcase expects it to exit with exit code 254, and sometimes it exits with exit code 254 when the

Re: Recent builds of NSS on Windows?

2011-10-31 Thread Brian Smith
helpcrypto helpcrypto wrote: and, has anyone achieved to compile it using mingw? im always having many issues with that... MozillaBuild is pretty much mingw. Please post the errors you receive during your build and I will try to help you decipher them. Cheers, Brian -- dev-tech-crypto

Re: tstclnt exit code: do we really need to distinguish between failures during PR_Send and PR_Recv?

2011-10-31 Thread Brian Smith
Robert Relyea wrote: That being said, I suspect that we currently don't distinguish between these two, and wind up with a false success on expected client auth failure cases when the server is down. In practice that's not too much of a problem because several of the other tests in the suite

Re: HTML KEYGEN element not working with ECC keys

2011-11-29 Thread Brian Smith
Jean-Marc Desperrier wrote: Brian reported there that this should be investigated by the legal group, but I'm worried nothing happened since then. What I said/meant is that inquiries regarding legal issues should be made to Mozilla Legal instead of the technical areas of bugzilla or the

Re: Developing pkcs11 module for Firefox

2011-12-29 Thread Brian Smith
Matej Kurpel wrote: On 22. 12. 2011 10:36, Imen Ibn Hotab wrote: I`m developing pkcs#11 module for Firefox. I was developing a PKCS#11 module as well. Just out of curiosity, what do your PKCS#11 modules do? Would it make things easier for either of you if Firefox and Thunderbird supported

Re: Regarding PSM with external SSL library

2012-01-03 Thread Brian Smith
Ashok Subash wrote: Firefox 3.6 :( Beware that you will not get any more security updates for the Firefox 3.6 codebase from Mozilla soon. (We are still sometimes finding security bugs in Firefox 3.6 that won't ever be fixed in 3.6.x, only in Firefox 12+). Currently due to footprint issue we

What exactly are the benefits of libpkix over the old certificate path validation library?

2012-01-03 Thread Brian Smith
1. libpkix can handle cross-signed certificates correctly, without getting stuck in loops. Non-libpkix validation cannot. 2. libpkix can accept parameters that control each individual validation, whereas non-libpkix validation relies on global settings. 2.a. libpkix can control OCSP/CRL/cert

Re: What exactly are the benefits of libpkix over the old certificate path validation library?

2012-01-04 Thread Brian Smith
Ryan Sleevi wrote: IIRC, libpkix is an RFC 3280 and RFC 4158 conforming implementation, while non-libpkix is not. That isn't to say the primitives don't exist - they do, and libpkix uses them - but that the non-libpkix path doesn't use them presently, and some may be non-trivial work to

Re: What exactly are the benefits of libpkix over the old certificate path validation library?

2012-01-04 Thread Brian Smith
Gervase Markham wrote: On 04/01/12 00:59, Brian Smith wrote: 5. libpkix has better AIA/CRL fetching: 5.a. libpkix can fetch revocation information for every cert in a chain. The non-libpkix validation cannot (right?). 5.b. libpkix can (in theory) fetch using LDAP in addition to HTTP

Re: What exactly are the benefits of libpkix over the old certificate path validation library?

2012-01-04 Thread Brian Smith
Robert Relyea wrote: 7. libpkix can actually fetch CRL's on the fly. The old code can only use CRL's that have been manually downloaded. We have hacks in PSM to periodically load CRL's, which work for certain enterprises, but not with the internet. I am not too concerned with the fetching

Re: What exactly are the benefits of libpkix over the old certificate path validation library?

2012-01-04 Thread Brian Smith
Brian Smith wrote: Robert Relyea wrote: When I browse with libpkix enabled (which also enables the intermediate fetching), connecting to HTTPS websites (like mail.mozilla.com) ... is much slower, at least when the browser starts up. We may be able to fix this with persistent caching

Re: Developing pkcs11 module for Firefox

2012-01-04 Thread Brian Smith
Robert Relyea wrote: On 01/04/2012 09:04 AM, Anders Rundgren wrote: There is a capi module in the NSS source tree, but it purposefully does not surface removable CAPI modules under the assumption that such devices already have PKCS #11 modules. While it may be true that they have PKCS#11

Re: What exactly are the benefits of libpkix over the old certificate path validation library?

2012-01-04 Thread Brian Smith
Robert Relyea wrote: On 01/04/2012 04:18 PM, Brian Smith wrote: Are you actually fetching intermediates? In the cases where you fetch the intermediates, the old code will not work! We don't fetch the intermediate if we already have it, or it's already sent in the SSL chain. If you

Re: What exactly are the benefits of libpkix over the old certificate path validation library?

2012-01-05 Thread Brian Smith
Jean-Marc Desperrier wrote: Brian Smith a écrit : 3. libpkix can enforce certificate policies (e.g. requiring EV policy OIDs). Can the non-libpkix validation? EV policy have been defined in a way that means they could be supported by a code that handles an extremely tiny part of all

Re: Regarding PSM with external SSL library

2012-01-05 Thread Brian Smith
Ashok Subash wrote: We'll go with your suggestion of using NSS after size reduction for this project for our security requirements. But right now we cannot upgrade to latest firefox due to the current schedule and resources we have for this project. We will follow the guidelines listed in the

libpkix maintenance plan (was Re: What exactly are the benefits of libpkix over the old certificate path validation library?)

2012-01-12 Thread Brian Smith
We (me, Kai, Bob, Wan-Teh, Ryan, Elio, Kai) had a meeting today to discuss the issues raised in this thread. We came to the following conclusions: Ryan seems to be a great addition to the team. Welcome, Ryan! Gecko (Firefox and Thunderbird) will make the switch to libpkix. See Ryan's comments

Re: Removal of NSS and/or NSPR from the API exposed to addons

2012-01-18 Thread Brian Smith
Mike Hommey wrote: Please note that this is going to be a problem on systems that have system nspr and nss libraries that other system libraries use. I am intending to avoid changing how NSS is linked on Linux, at least at the beginning. My priorities are are Android and Windows first, then

Re: Removal of NSS and/or NSPR from the API exposed to addons

2012-01-18 Thread Brian Smith
Benjamin Smedberg wrote: I have no particular opinion about whether this is a good idea for NSS. I do think that we should not do this for NSPR unless we decide to remove support for binary XPCOM components in Firefox (per the ongoing discussion in dev.planning). Many of our XPCOM code

Re: libpkix maintenance plan (was Re: What exactly are the benefits of libpkix over the old certificate path validation library?)

2012-01-18 Thread Brian Smith
Sean Leonard wrote: The most glaring problem however is that when validation fails, such as in the case of a revoked certificate, the API returns no certificate chains My understanding is that when you are doing certificate path building, and you have to account for multiple possibilities

Re: Removal of NSS and/or NSPR from the API exposed to addons

2012-01-18 Thread Brian Smith
Mike Hommey wrote: In the long run, for performance reasons, we should probably prefer the system NSS libraries to our own, whenever the system NSS libraries are available and are the right version, because at least some of them are likely to already have been loaded into RAM by other

Re: Removal of NSS and/or NSPR from the API exposed to addons

2012-01-19 Thread Brian Smith
Mike Hommey wrote: But linux users are not necessarily up-to-date with the latest NSS. I seriously doubt the number of users with the very last system nss exceeds 10% of the linux user base except in exceptional good timing cases (like when ubuntu is released with the latest version), but

Review of changes to the HTTP spec

2012-01-19 Thread Brian Smith
HTTPbis seems to be in its final stages. Although it is supposed to be a somewhat minor revision, quite significant changes have been made to the spec. We should review the changes and make sure we provide our feedback before it is too late. In particular, if there is some change that we think

Documentation of differences between our networking stack and other browsers' stacks and security bug triaging

2012-01-19 Thread Brian Smith
I think that we should start some documentation (e.g. a wiki) that documents the differences between our implementation and other browsers' implementations, along with a justification for the difference and/or a link to a bug about resolving the difference. Examples of differences, off the top

Re: Removal of NSS and/or NSPR from the API exposed to addons

2012-01-19 Thread Brian Smith
Eitan Adler wrote: Brian Smith wrote: If the system NSS isn't new enough, then Firefox's local version of NSS would be used. From a packager point of view, please don't automagically detect these things. If the system NSS is supported provide an option --with-system-nss which if not set

Re: Review of changes to the HTTP spec

2012-01-19 Thread Brian Smith
Thanks Wan-Teh. - Original Message - From: Wan-Teh Chang w...@google.com To: mozilla's crypto code discussion list dev-tech-crypto@lists.mozilla.org Sent: Thursday, January 19, 2012 9:57:29 AM Subject: Re: Review of changes to the HTTP spec On Thu, Jan 19, 2012 at 1:43 AM, Brian

Re: Regarding PSM with external SSL library

2012-01-26 Thread Brian Smith
Ashok Subash wrote: Hi Brian, We have made some progress. We could statically build nss and link on our platform. Do you mean statically link NSS into Firefox? If so, there are several gotchas that need to be taken into account. See Wan-Teh's patch at

Re: Google about to fix the CRL download mechanism in Chrome

2012-02-08 Thread Brian Smith
Eddy Nigg wrote: On 02/09/2012 12:18 AM, From Nelson B Bolyard: BTW, this proposal wouldn't be a problem if it would cover, lets say the top 500 sites and leave the rest to the CAs. There would be probably also the highest gains. Effectively, we would be making the most popular servers on the

Re: Mozilla Team-about the upcoming branding changes at Symantec/VeriSign, and working to implement them in Mozilla/Firefox

2012-03-09 Thread Brian Smith
Geoffrey Noakes wrote: The *only* change we are asking of Mozilla is to change Verified by: VeriSign, Inc. in the hover-over box to Verified by Norton: In Firefox, we show the name of the organization that issued the intermediate certificate (the subject O= field of the intermediate

Re: Recent builds of NSS on Windows?

2012-04-04 Thread Brian Smith
Today, a buggy old/legacy modutil.exe binary we are using, made me try building NSS using mingw. Once again. The only way I recommend building NSS on Windows is with Microsoft Visual C++ and the mozilla-build package located at

Re: To NSS-Java or not to NSS-Java, thats the question.

2012-04-04 Thread Brian Smith
helpcrypto helpcrypto wrote: IMHO, this is some that needs some clarification, as Mozilla *IS* supporting it developing JSS but at the same time saying we do not support it, Some people who are part of the Mozilla project maintain JSS. I will help review patches to JSS if/when the members of

Re: Alternative for SGN_DecodeDigestInfo

2012-04-04 Thread Brian Smith
Robert Relyea wrote: On 03/24/2012 03:05 PM, VJ wrote: I'm trying to use RSA_HashCheckSign() function to verify the message. How are you even Linking with RSA_HashCheckSign()? I don't know what platform JV is on, but I know on Mac OS X, all the internal symbols in FreeBL and maybe other

Re: Alternative for SGN_DecodeDigestInfo

2012-04-06 Thread Brian Smith
Robert Relyea wrote: Why are they linking with Freebl anyway? It's intended to be a private interface for softoken. It's a very good way to find yourself backed into a corner. Right. This was a long time ago. You helped me add the J-PAKE implementation to Softoken after we discovered this

Re: Combining OCSP stapling with advance MITM preparation

2012-04-06 Thread Brian Smith
Kai Engert wrote: The domain owner could configure their server to include this OCSP response in all TLS handshakes, even though this OCSP response is unrelated to the server certificate actually being used. For complete protection, the real domain holder would have to staple all the OCSP

Re: undefined reference to '_InterlockedIncrement' when compiling nss under MinGW

2012-10-09 Thread Brian Smith
weizhong qiang wrote: Thanks for the instruction. I tried the build of nss on with mozillabuild tool (with MS VC and MS SDK, using MS compiler for compilation) on Win7. And the build did pass. But the build with MinGW/MSYS (using gcc for compilation) still failed. I hope the build (with MS

Re: Accessing Mozilla NSS library functions in JavaScript-XPCOM

2012-10-09 Thread Brian Smith
Brian Teh wrote: Currently, my extension uses the NSS library which is coded in C++. But due to 6-week release cycle for Thunderbird, I am wondering whether are there examples on how to use Mozilla NSS for JavaScript-XPCOM, to avoid the need for re-compiling the binary components? Currently,

Re: NSS in Firefox OS

2012-10-20 Thread Brian Smith
Anders Rundgren wrote: Anyway, I guess that Firefox OS uses NSS? Is it still is based on the idea that key access is done in the application context rather than through a service? B2G (Firefox OS) does use NSS. Nothing has changed regarding the process separation between Gecko and the private

How does SMIME work in NSS (was Re: NSS in Firefox OS)

2012-10-26 Thread Brian Smith
Vishal wrote: On Saturday, October 20, 2012 10:33:58 PM UTC+5, Brian Smith wrote: Anders Rundgren wrote: Anyway, I guess that Firefox OS uses NSS? Is it still is based on the idea that key access is done in the application context rather than through a service? B2G (Firefox OS) does

Re: NSS 3.14 release

2012-10-26 Thread Brian Smith
julien.pie...@oracle.com wrote: Oracle still ships NSS with many products even though we are no longer actively involved with its development. It is important to have somebody at least monitoring the bugs filed/fixed in the NSS component in bugzilla. See

Re: NSS 3.14 release

2012-10-26 Thread Brian Smith
Julien Pierre wrote: I know what code changes are necessary. I'm only a developer on a couple of NSS applications at this point, not an NSS maintainer. If this was only about those couple of apps, it wouldn't be an issue. But there are other apps in Oracle that could be affected. I can safely

CVS HEAD tagged NSS_3_14_1_BETA1 and pushed it to mozilla-inbound

2012-11-30 Thread Brian Smith
I tagged the CVS HEAD as NSS_3_14_1_BETA1 and pushed it to mozilla-inbound. If you are building Firefox or a Gecko-based application using --use-system-nss, you need to use the NSS 3.14.1 beta release, as that is now the minimum required version to build Gecko. Thanks for the help from

NSS 3_14_1_BETA1 crashes at startup on Android (was CVS HEAD tagged NSS_3_14_1_BETA1 and pushed it to mozilla-inbound)

2012-11-30 Thread Brian Smith
Brian Smith bsm...@mozilla.com I tagged the CVS HEAD as NSS_3_14_1_BETA1 and pushed it to mozilla-inbound. If you are building Firefox or a Gecko-based application using --use-system-nss, you need to use the NSS 3.14.1 beta release, as that is now the minimum required version to build Gecko

NSS_3_14_2_BETA2 landed, with some patches backported to mozilla-beta (was CVS HEAD tagged NSS_3_14_1_BETA1 and pushed it to mozilla-inbound)

2012-12-07 Thread Brian Smith
Brian Smith wrote: Brian Smith bsm...@mozilla.com https://bugzilla.mozilla.org/show_bug.cgi?id=816392 This change was backed-out before it reached mozilla-central from mozilla-inbound because NSS crashes during startup on Android (and probably B2G). See bug 817233. After the backout, I

NSS 3.14.2 BETA 1 (NSS_3_14_2_BETA1) tagged and is now the minimum version for Gecko 20

2012-12-20 Thread Brian Smith
Today I tagged the CVS HEAD with the NSS_3_14_2_BETA1 tag and imported it into Gecko (pushed to inbound). We expect to finalize the NSS 3.14.2 release in late January, 2013. In the interim, you can pull and build NSS betas from CVS: After mozilla-inbound is merged into mozilla-central, NSS

NSS 3.14.2 BETA 3 tagged ; NSS 3.14.2 BETA 3 + one patch now required to build mozilla-central

2013-01-27 Thread Brian Smith
Hi all, I tagged NSS 3.14.2 BETA 3 and pushed it to mozilla-inbound to fix build breakage of ASAN and dxr builds. Also, now mozilla-central contains a patch for bug 834091. That patch adds a new public function to libsmime, SEC_PKCS7VerifyDetachedSignatureAtTime, which fulfills a last-minute

Re: Create a SelfSign Certificate in C++

2013-02-04 Thread Brian Smith
James Burton wrote: I want to create a selfsign certificate in c++ but i don't know were to start and i would like some help if you could make a example application to show me how to create a selfsign certificate or show me some documentation to create a selfsign certificates in c++. Thanks

Re: Ensuring certificate chain when creating certificates in memory without db.

2013-02-08 Thread Brian Smith
passf...@googlemail.com I use SSL_ConfigSecureServer with a certificate which was created in memory (no db). The certificate was created with the CERT_CreateCertificate passing the CA's issuer. The same cert was also signed with the CA's key. The CA cert was also created on the fly, i.e.

Removal of generateCRMFRequest

2013-04-01 Thread Brian Smith
See https://bugzilla.mozilla.org/show_bug.cgi?id=524664 (bug 524664) and See https://developer.mozilla.org/en-US/docs/JavaScript_crypto/generateCRMFRequest My understanding is that keygen is supposed to replace window.crypto.generateCRMFRequest. I have no idea how common

Re: Clarification regarding SEC_PKCS7VerifyDetachedSignatureAtTime

2013-04-08 Thread Brian Smith
What does this mean for building Firefox? If you want to build a development snapshot of Firefox against a systemwide installed NSS, and you want to build Firefox 22 aurora at this time, you have the following choices: - don't build Firefox 22 aurora until Mozilla cleaned up the

Re: Firefox behavior for CDP and AIA

2013-04-15 Thread Brian Smith
Rick Andrews wrote: I know that FF allows you to choose a CRL and it will check status against that CRL when it finds a cert issued by the CRL issuer. Does anyone know if FF uses the CDP in the cert or the cert's issuer name as a key to find the CRL? I assume you are talking about the

Re: Root Certificates in Firefox OS (was Re: NSS in Firefox OS)

2013-04-19 Thread Brian Smith
Rob Stradling wrote: I presume that Firefox OS trusts NSS's Built-in Root Certificates [1], but what (if anything) does Firefox OS do for EV SSL? As you found, Firefox OS doesn't have an EV UI, and in fact I just disabled the EV validation logic in B2G for performance reasons, given that it

Removal of Revocation Lists feature (Options - Advanced - Revocation Lists)

2013-04-30 Thread Brian Smith
Hi all, I propose we remove the Revocation Lists feature (Options - Advanced - Revocation Lists). Are there any objections? If so, please explain your objection. A certificate revocation list (CRL) is a list of revoked certificates, published by the certificate authority that issued the

  1   2   >