Re: PKCS#11 software token & concurrent database access

Eddy Nigg (StartCom Ltd.) wrote: Robert Relyea wrote: If you want to start playing with it, try the instructions at http://wiki.mozilla.org/NSS_Shared_DB_Samples I wrote them up when we had the first alpha version of the shared database. I just went in and added a few comments to bring them

Re: window.crypto functions

Eddy Nigg (StartCom Ltd.) wrote: Does anybody know if and which parameters might be obtained by the window.crypto functions and smart cards? For reference see this page: http://developer.mozilla.org/en/docs/JavaScript_crypto#Handling_Smart_Card_Events Specifically I'd like to know if there is

Re: window.crypto functions

Nelson Bolyard wrote: Robert Relyea wrote, On 2008-02-19 14:20: Eddy Nigg (StartCom Ltd.) wrote: Does anybody know if and which parameters might be obtained by the window.crypto functions and smart cards? For reference see this page: http://developer.mozilla.org/en/docs

Re: window.crypto functions

Eddy Nigg (StartCom Ltd.) wrote: Subrata Mazumdar wrote: Eddy, I think that you can do it. Have you looked into nsIPK11Token interface (http://lxr.mozilla.org/mozilla1.8.0/source/security/manager/ssl/public/nsIPK11Token.idl) ? The nsIPK11Token interface would allow you to filter tokens bas

Re: SEC_ERROR_BAD_SIGNATURE with Firefox 3

Christophe Thiaux wrote: Hello, I can't connect on an ssl server with Firefox 3: it displays SEC_ERROR_BAD_SIGNATURE But if i'm connecting with Firefox 2 and accept the certificate definately, then the connexion with Firefox 3 works. Any idea of the problem ? Not from this sparse descrip

Re: SEC_ERROR_BAD_SIGNATURE with Firefox 3

Christophe Thiaux wrote: Christophe Thiaux a écrit : I can't connect on an ssl server with Firefox 3: it displays SEC_ERROR_BAD_SIGNATURE But if i'm connecting with Firefox 2 and accept the certificate definately, then the connexion with Firefox 3 works My certificate is a self signed

Re: Cert_DecodeDERCertificate?

Stephen Hamilton wrote: Nelson, Thanks for the quick response. Cert_NewTempCertificate works well with the redefinition statement from nssrenam.h. This is for my Master's project, so I needed an explanation of what was going on, and this helps tremendously. Stephen Cert_NewTempCertific

Re: SECU_GetModulePassword throwing error

[EMAIL PROTECTED] wrote: All of these functions are declared in secutil.h(and defined in secutil.c). Most of the NSS headers have macros around the headers so that they can be included in C++ programs (SEC_BEGIN_PROTOS) secutil.h is a header that's not part of NSS proper, but part of a u

Re: Questions about NSS PKCS#11 module configuration

Subrata Mazumdar wrote: Thanks Nelson. My comments are inline. Nelson Bolyard wrote: Subrata Mazumdar wrote, On 2008-02-28 17:18: I have two question about configuartion of PKCS#11 module in Firefox 3: - is there any documentation on how to configure MS CAPI as PKCS#11 module i

Re: Questions about NSS PKCS#11 module configuration

Subrata Mazumdar wrote: Hi Robert, thanks a lot for your response. I will definitely use it and see if I can uncover/fix the memory leak. That would be great! BTW, what is name of the DLL for CAPI PKCS#11 module that I should use to configure the device manager? Is it nsscapi.dll? yes, I

Re: Python Wrapper for NSS

Heikki Toivonen wrote: Kevin wrote: I dont mind going in and trying to wrap the pieces of NSS that I need, but if I dont have to reinvent the wheel, then that would be great too. I am not aware of a Python wrapper for NSS, although that has been discussed here before. Although maybe th

Re: Failed to decrypt on smart card based-PKCS module

[EMAIL PROTECTED] wrote: Good Day, I have developed a custom smart card based Pkcs library, I'm currently testing it qith Thunderbird, so far i can encrypt, sign and verify e-mails, but when i send myself an encrypted e-mail, I encounter something weird. On Initial Viewing of my encrypted e-mai

Re: Project Dogtag, an open source certificate system

I 'pushed' and announcement out, but it seems to be hung up somewhere in the mail server...;). Frank Hecker wrote: I thought this was worth noting: http://boblord.livejournal.com/19010.html To quote from the Project Dogtag wiki page: "The Dogtag Certificate System is an enterprise-cl

Re: How do I find a certificate using SubjectPublicKeyInfo data?

Subrata Mazumdar wrote: Hi, is there any way I can find the certificate associated with a public key using the SubjectPublicKeyInfo (CERTSubjectPublicKeyInfo)? I am looking for public API and not too low level. I looked in the .../nss/certdb/cert.h and .../nss/pk11wrap/pk11pub.h files - cou

Re: Erratic SSL client-cert-auth in FireFox

Anders Rundgren wrote: on the URL http://demo.webpki.org/mozkeygen you can get yourself a certificate by clicking a single button. What is a bit hard to understand is why the test-service at https://www.apache-ssl.org/cgi/cert-export often (but not always!) asks the user multiple times to OK the

Re: Linking of code using NSS 3.11.9 on redhat9

Kai Engert wrote: D3|\||\|!$ wrote: Later on, I decided to test the code onto redhat9 Wow, you're really still using Red Hat Linux version 9? and now the code compiles properly but throws up linking error("undefined reference") with the following functions: SECU_DefaultSSLDir() SECU_ConfigDi

Re: Installing PKCS#11 Security Devices globally

Jaime Soriano wrote: As a workaround, I have solved it creating a initial configuration with the module loaded in the profile: sudo modutil -create -dbdir /etc/firefox3.0/profile sudo modutil -dbdir /etc/firefox3.0/profile -add eToken -libfile /usr/ lib/libeTPkcs11.so Is there any better way

Re: Problems importing private keys that already exist

Dave Townsend wrote: Wan-Teh Chang wrote: It seems that if the private key already exists, we modify its attributes: http://lxr.mozilla.org/security/source/security/nss/lib/softoken/sftkdb.c#848 Many PKCS #11 errors of the softoken are mapped to SEC_ERROR_BAD_DATA: http://lxr.mozilla.org/sec

Re: Linking of code using NSS 3.11.9 on redhat9

D3|\||\|!$ wrote: I tried separately compiling the .cpp containing my server class and the .cpp containing main() with g++. Then I tried building the object files with g++ along with the "trace" option - this enables one to see the order in which the files are accessed. The output is as given be

Re: Problems importing pkcs12 keystore to NSS

Nelson B Bolyard wrote: David Stutzman wrote, (quoting me) On 2008-06-09 04:46 PDT: In NSS version 3.10 and later versions, pk12util has a third command option, in addition to -i (import) and -o (export) there is -l (that's ell, as in list). You can use it to list the contents of your PKCS

Re: Debian Weak Key Problem

Aren't the people who send their credit card number on an https connexion where the private key of the server is public knowledge already screwed ? Yes, of course. The question for this thread is: who is responsible for each screwedness? I beg to differ. The question is:

Re: Update on DigiNotar and Entrust

Frank Hecker wrote: 3. Find some other way to get NSS not to recognize DigiNotar certs for email, perhaps in combination with some action by Entrust and/or DigiNotar. For example, one idea is to have end users of DigiNotar certs reconfigure their email clients to have cert chains that termina

Re: NSS support in cURL

Ruchi Lohani wrote: Hi, Since NSS support has been added to cURL library, has this (link below) come to the notice of Mozilla dev? http://cool.haxx.se/cvs.cgi/curl/lib/README.NSS?rev=HEAD&content-type=text/vnd.viewcvs-markup

Re: Certificate Database location

Nelson B Bolyard wrote: What is the default cert database location for NSS? It's application dependent and OS dependent. There isn't one yet. Until the shared database code went in, each application had to keep its databases separate from other applications. With shared databases, we

Re: Certificate Database location

Ruchi Lohani wrote: Also, aren't functions NSS_InitReadWrite suppose to return an error incase the db has already been opened by another process in read-write mode? I tried opening the mozilla profile db in read-write mode and it doesn't return any error in my application. No, The function it

Re: Firefox 3 connection now results in ssl_error_bad_cert_domain

Bruce Keats wrote: Hi, I started using firefox 3 and I am now getting errors connecting to intra-net sites that were OK in firefox 2. We have our own intra-net and we have a CA that issues server certs and user certs. I have loaded the CA certs and the CA certs are visable under "Authoriti

Re: NSS PKCS#11 and CAPI

Nelson B Bolyard wrote: Chris Hills wrote, On 2008-07-03 10:47: From what I have read in this group, there is already some experimental code in NSS, but I have no idea as to its functionality or usability. The files are in http://lxr.mozilla.org/security/source/security/nss/lib/ckfw/

Re: RSA OAEP encryption support in NSS

Nelson Bolyard wrote: Yes, please. You can put this text into the bug report, if you'd like. I just walked through that code again more carefully. It's definitely a bug. It's really a flaw in the design of the private function pk11_ForceSlot. That function can have any of the following outco

Re: pkcs11 nss specific types

133mmx wrote: If you instead would tell us exactly what you want to know or perhaps what your specific problem is, perhaps someone might be able to actually help. I will try to summarize my problem. I am implementing pkcs#11 library to access our smart card. Currently i am testing ssl. I h

Re: stand-alone PKCS#11 + soft token using NSS(?)

avih wrote: I'd really appreciate any answer or further pointers. I'm still interested in this stand alone implementation... I've described my latest experience earlier on this topic. Sorry I was away when you first asked your questions A good place to start in implementing a PKCS #11 m

Re: Comparison of OpenSSL and NSS

Nelson B Bolyard wrote: Joe Orton wrote, On 2008-07-28 16:09: On Sat, Jul 26, 2008 at 05:17:56PM -0700, Nelson Bolyard wrote: Daniel Stenberg wrote, On 2008-07-26 13:45: As a user of OpenSSL, NSS, yassl and GnuTLS I can certainly agree that GnuTLS has flaws in its API but NSS m

Re: Problem with Content-type:application/x-x509-user-cert

Nelson B Bolyard wrote: [EMAIL PROTECTED] wrote, On 2008-08-04 23:23: I found this mime type(Content-type:application/x-x509-user-cert) is used for firefox 1.5. It just not have popup windows for notification. Is there any version of Firefox where it DOES have a dialog? I believe t

Re: NSS PKCS#11 and CAPI

Subrata Mazumdar wrote: Hi Bob, I can neither generate key-pair nor use the private key to sign either a PKCS#10 CSR or another Cert. I remembered that I had that working at one point, but it may have attropied... It may actually be an issue in the NSS wrapper rather than the CAPI pkcs

Re: Creating detached PKCS#7 signature with cmsutil

Wan-Teh Chang wrote: On Thu, Aug 7, 2008 at 4:40 AM, Michael Ströder <[EMAIL PROTECTED]> wrote: Ok, I've extracted ftp://ftp.mozilla.org/pub/security/nss/releases/NSS_3_11_4_RTM/Linux2.6_x86_glibc_PTH_DBG.OBJ/nss-3.11.4.tar.gz and set LD_LIBRARY_PATH to the extracted lib/ dir (see output of

Re: Importing symmetric keys to NSS from Java code

Yevgeniy Gubenko wrote: Thanks a lot for your answer. I still need some clarifications: 1. If I understand you right, when I have to use a predefined persistent key to do a crypto with it, there is no way, other than importing the key into a PKCS#11 token as a token object in NSS db? (Even if t

Re: Creating detached PKCS#7 signature with cmsutil

Wan-Teh Chang wrote: 2008/8/7 Robert Relyea <[EMAIL PROTECTED]>: signver was finally made to link with the dynamic NSS libraries in NSS 3.12.1 (not yet released), so pretty much any package will have static linked version of it. That's 'signtool', not '

Re: Comparison of OpenSSL and NSS

Nelson B Bolyard wrote: Howard Chu wrote, On 2008-08-11 20:07: Nelson B Bolyard wrote: Howard Chu wrote, On 2008-08-10 14:13: It would make it impossible to use in e.g. OpenLDAP/nss_ldap because applications would be unable to load their own configuration settings after nss_ldap

Re: OpenLDAP and NSS

Julien R Pierre - Sun Microsystems wrote: Michael, Michael Ströder wrote: Wan-Teh Chang wrote: Most NSS-based server applications open the NSS databases in read-only mode, so they can run with multiple processes safely. But client applications such as Firefox and Thunderbird open the

Re: NSS Support

Wan-Teh Chang wrote: 2008/8/15 Sam Laidler <[EMAIL PROTECTED]>: Hello, hope all is well. I was wondering if I might ask about hashing efficiency. I am reiteratively hashing values. Basic algorithm is: digestCntxt = PK11_CreateDigestContext(algorithm); while (counter < configuredI

Re: Trusted CA issuing SSL server certs with unvetted FQDNs!

Nelson B Bolyard wrote: Thorsten Becker wrote: Nelson Bolyard wrote: On the other hand, it is possible that the domain validation was performed but that it was deceived through the use of DNS attacks. In his slides on the subject of DNS attacks, Dan Kaminsky did say that it was possibl

Re: FireFox v3.0.1 of Windows uses SSLv2 Record Layer even when SSLv2 is disabled

Nelson B Bolyard wrote: Suresh Kumar J wrote, On 2008-09-02 10:55: Hi Nelson, You are correct that Apache Tomcat web-server(v6.0.13) choked with the full set of cipher suites implemented in the Windows FF3.0.1. When I disable the following cipher suites via the "about:config" option, the web

Re: NSS equivalent of OpenSSL's EVP_CipherUpdate

Graham Leggett wrote: Hi all, I am trying to port some symmetrical encryption / decryption code using OpenSSL's EVP_CipherUpdate function to NSS, and I am running into trouble trying to find the API documentation for NSS. So far, the closest to documentation that I have found is a list of t

Re: Inclusion of the "KeyGen" tag in HTML5

Anders Rundgren wrote: "Eddy Nigg" wrote: The keygen tag is used widely and Mozilla supports smart cards with the associated PIN excellent. I'm sure about that! However... What I was referring to is the inability for an issuer specifying that generated keys should be PIN-protected

Re: NSS equivalent of OpenSSL's EVP_CipherUpdate

Graham Leggett wrote: Robert Relyea wrote: "Newer applications should use more standard algorithms such as PKCS#5 v2.0 for key derivation." I am assuming NSS supports PKCS#5 v2, what functions should I be looking at to achieve this? Ah, It's a PBE algorithm. That is a perfe

Re: NSS support for RFC2898 / PBKDF2

Graham Leggett wrote: Hi all, Does NSS support RFC2898 (derivation of keys from a passphrase), and if so, what set of functions should I be looking at to use this? Yes, The standard NSS PBE interface supports PBKDF2 automatically on reading if the algid specifying the PBE is PBEDKF2. On genera

Re: How do I reset a password of slot for soft-token after removing the token

Subrata Mazumdar wrote: nsCOMPtr softToken; rv = pkcs11Slot->GetToken(getter_AddRefs(softToken)); softToken->Login(PR_FALSE); // prompts for initializing password . . . softToken->Reset(); // expected that token/slot password would be in the uninitialized state SECMOD_Close

Re: How does PK11_GetPadMechanism work?

Graham Leggett wrote: Completeness I guess - xml-security's API allowed you to choose both CBC and ECB modes, so I was trying to emulate the same thing. The only mechanism that I cannot find an oid for is CKM_DES3_ECB - do you know which SEC_OID_* macro I should be using? The PK11_Mechanis

Re: How does PK11_GetPadMechanism work?

Nelson B Bolyard wrote: Graham Leggett wrote, On 2008-09-06 12:51: I think a big source of confusion is that everything is an OID, or everything is a mechanism, but not all OID or mechanisms are relevant for every situation, and this isn't clear from each function call. I think this

Re: IPsec implementations using NSS?

Wan-Teh Chang wrote: On Thu, Sep 11, 2008 at 9:29 AM, Paul Hoffman <[EMAIL PROTECTED]> wrote: Greetings again. Are people aware of any IPsec implementations using NSS's crypto, even as a non-default build option? No, I don't know of any IPsec implementations using NSS's crypto. Since

nss pam_pkcs11 in solaris....

Just thought you'd like to know... the code I did to add nss to pam_pkcs11 has been ported to solaris. (pam_pkcs11 is the smart card login stack. It was one of the first nss converted packages). bob On Tue, Sep 9, 2008 at 3:45 AM, Huie-Ying Lee <[EMAIL PROTECTED]> wrote: > I have completed

Re: Beginner with NSS

Francisco Puentes wrote: Being a beginner with NSS, I need help :-( I am trying to generate a RSA pair of keys with this code: NSS_Init("./rsa.db"); NSS_Init requires a pointer to a directory (which should already exist). You should check the error code coming back for NSS_Init. It's pr

Re: NSS and initialisation

Graham Leggett wrote: Hi all, I am having a dilemma that I am trying to find a solution for. In the httpd webserver, if the mod_nss module is loaded, the mod_nss module will try and initialise NSS. If mod_authnz_ldap is loaded into the same server, and mod_authnz_ldap depends on the Mozilla L

Re: nssModule=keystore problem

[EMAIL PROTECTED] wrote: Hi, I am trying use nss for obtaining keystore with user certificates from firefox but i am ending with java.security.ProviderException: Library / home/xxx/.mozilla/firefox/16zcyg70.default/libnssckbi.so does not exist. For creating SunPKCS11 provider I've used following

Re: nssModule=keystore problem

Robert Relyea wrote: [ output deleted]. Which means that libnssckbi.so is used for obtaing trustanchors and i dont know why. In configuration I've set that i want only access to keystore. Any ideas? Yes, the trust anchors are stored in libnssckbi.so. NSS nssckbi is the NSS cryptoki Bu

Re: Working on Perl bindings for NSS

Wan-Teh Chang wrote: On Wed, Sep 24, 2008 at 2:28 AM, Claes Jakobsson <[EMAIL PROTECTED]> wrote: Hi, I just wanted to drop a note saying that I'm working on Perl bindings for NSS. I saw there was a previous discussion about using SWIG but imho swig doesn't produces a very Perl-like API. I'm

Re: nssModule=keystore problem

[EMAIL PROTECTED] wrote: On 23 Zář, 01:20, Robert Relyea <[EMAIL PROTECTED]> wrote: Robert Relyea wrote: [ output deleted]. Which means that libnssckbi.so is used for obtaing trustanchors and i dont know why. In configuration I've set that i want only access to ke

Re: Unable to read PKCS#8 file generated using OpenSSL command line tool

Subrata Mazumdar wrote: Nelson, thanks very much for the clear answer - I did not realize that the Mozilla NSS does not support PKCS#8. I also agree with you that PKCS#12 format is the right way to import/export keys. The problem is that a large number of OpenSSL based applications still use

Re: Unable to read PKCS#8 file generated using OpenSSL command line tool

Hmm, sounds like a bug in openSSL, though I do remember tripping over this. I believe there is an NSS interface that lets you set the salt length specifically when generating the PBE (at least in NSS 3.12). bob -- Subrata Robert Relyea wrote: Subrata Mazumdar wrote: Nelson, thank

Re: Unable to change password of FIPS enabled internal key token

Kyle Hamilton wrote: On Tue, Oct 7, 2008 at 5:22 PM, Subrata Mazumdar <[EMAIL PROTECTED]> wrote: I guess that the problem is in documentation and the PSM GUI. The PSM GUI should have clearly stated the password policy requirement in the password change dialog window. Also, NSS should have en

Re: storing custom public key / private key pair securely in Firefox

Nelson B Bolyard wrote: [EMAIL PROTECTED] wrote, On 2008-10-13 13:52: I have a crypto library which I connect to a Firefox extension using Xpcom. The library generates custom size public and private key pairs which I would like to store securely in Firefox. How would this be done? I

Re: MITM in the wild

Nelson B Bolyard wrote: b) some unmistakeable blatantly obvious way to show the user that this site is not using security that's good enough for banking but, well, is pretty good security theater. Flashing pink chrome? Empty wallet icon? The whistling sounds associated with falling things? http

Re: revocation of roots

Julien R Pierre - Sun Microsystems wrote: How do we revoke Mozilla's root? By updating mozilla software :) Certainly not by issuing a CRL. Mozilla doesn't have the keys needed to issue a CRL to revoke any root. (CRL's must be signed by the issuer, or by an agent with the appropriate key usage

Re: revocation of roots

Paul Hoffman wrote: At 3:25 PM +0200 10/24/08, Ian G wrote: Robert Relyea wrote: The problem with this idea is that mozilla probably does not want to be in the CA business. The overhead of creating a mozilla root key in a safe and secure manner is quite involved (and more than doing a

Re: multiple pkcs 12 files vs. firefox software pkcs 11 module...

[EMAIL PROTECTED] wrote: On Oct 28, 5:10 pm, Nelson B Bolyard <[EMAIL PROTECTED]> wrote: [EMAIL PROTECTED] wrote, On 2008-10-28 13:29: From what I have read, the internal pkcs 11 data store is protected by 1 master password. Is there a way to store my keys in the firefox pkcs 11 data

Re: Creating a cert. database at runtime?

Antonio wrote: Hi all, Is it possible to create a brand new certificate database at runtime for read/write purposes, without it being the default database? Thanks, Antonio Yes, The thread "multiple pkcs 12 files vs. firefox software pkcs 11 module..." has a link to two functions that allow

Re: Creating a cert. database at runtime?

Ah, The CERTCertDBHandle is basically an historical dreg in our code. NSS always has a consoldiated view of all the databases. The only time they are distinguished is if you specify a particular token (PK11SlotInfo *). What is it you are trying to actually do? bob On Oct 29, 8:46 pm, Robert Rely

Re: why nss has very little doc about usage of api

NZzi wrote: hi all: when i use nss to develop some cipher program(just for local, not internet), i.e. just perform miscellaneous cryptographic operations, the only reference i can use is the example code from MDC. when i want a detail parameter explanation, what i got is just this function's MX

Re: why nss has very little doc about usage of api

Ken wrote: 2008/11/5 Robert Relyea <[EMAIL PROTECTED]>: NZzi wrote: hi all: when i use nss to develop some cipher program(just for local, not internet), i.e. just perform miscellaneous cryptographic operations, the only reference i can use is the example code from MDC. when i

Re: MITM in the wild

Ian G wrote: Nelson B Bolyard wrote: Ian G wrote, On 2008-11-06 12:48: Nelson B Bolyard wrote: What curious things do you notice about these certs? Only one key? Yup. That's the biggie. It allows the MITM to get by with just a single private key. OK. We can of course all imagine ways

Re: MITM in the wild

Bernie Sumption wrote: If we create an error display that says "No kidding, this absolutely is an attack and we're stopping you cold to protect you from it." it seems unavoidable that users will learn to treat the absence of such an unbypassable error display as proof to the contrary, proof that

Re: Help to use PKCS 11 functions in firefox extension

Akkshayaa Venkatram wrote: Hi I am developing a Firefox extension that calls PKCS 11 functions like C_Encrypt, C_Sign, C_Decrypt and others.. We don't expose the direct C_ calls in NSS. NSS typically has the token open during the entire time, so applications making calls and changing states

Re: how to decrypt with pubkey without pkcs1 padding things

NZzi wrote: hi all: I want to use private key to encrypt a message, and decrypt with public key. Are you encrypting data or a symmetric Key? Most of the nss code that does these operations does so on actual symetric keys (which are then used to do additional encryption/decryption/macing). In

Re: how to decrypt with pubkey without pkcs1 padding things

NZzi wrote: Robert Relyea wrote: NZzi wrote: hi all: I want to use private key to encrypt a message, and decrypt with public key. Are you encrypting data or a symmetric Key? Most of the nss code that does these operations does so on actual symetric keys (which are then used to do

Re: how to decrypt with pubkey without pkcs1 padding things

Ken wrote: 2008/11/15 Robert Relyea <[EMAIL PROTECTED]>: NZzi wrote: Robert Relyea wrote: NZzi wrote: hi all: I want to use private key to encrypt a message, and decrypt with public key. Are you encrypting data or a symmetric Key? Most of the ns

Re: NSS DB migration problem

Hans Petter Jansson wrote: This works for some databases, but not others. It doesn't seem to matter which application created the database (I've tried with databases from Firefox and Evolution) - e.g. one user's database may fail while another user's database may migrate properly. When it fails,

Re: How-to guide for email encryption

Anders Rundgren wrote: IM[NS]HO, S/MIME encryption using PKI is one of the biggest security farces ever. Even the use-case is often wrong. Please start your debate in another thread. S/MIME and PKI are a supported part on the NSS feature set, and supported in pretty much every email client

Re: Firefox' password manager with sqlite based NSS

Wolfgang Rosenauer wrote: Nelson B Bolyard schrieb: Wolfgang Rosenauer wrote, On 2008-11-18 05:38: Hi, I'm trying to use Firefox with an sqlite based NSS. So far all the certificate stuff still works as expected as far as I can see but the password manager component is broken now: The

Re: Slamming S/MIME. Re: How-to guide for email encryption

Anders Rundgren wrote: Robert, Pardon me. I did indeed not intended to slam Paul's guide. I changed the thread but I don't expect a fruitful debate since the difficulties are mostly unrelated to NSS. I feel sorry for those who feel that S/MIME encryption needs to become mainstream because tha

Re: Firefox' password manager with sqlite based NSS

Wolfgang Rosenauer wrote: Robert Relyea schrieb: This was a new profile actually. And yes, the database which reveals this issue isn't complete it seems. I removed it and created a new empty one using "certutil -d sql:. -N" and now Firefox works correctly. What I'v

Re: Firefox' password manager with sqlite based NSS

Nelson Bolyard wrote: Robert Relyea wrote: Typically needsUserInit means there isn't a password record in your key database. Without this you can not store any keys. The difference between 'not initialized', 'doesn't have a master password', and 'has mas

Re: How to use SECMOD_LoadUserModule and SECMOD_UnloadUserModule

Wan-Teh Chang wrote: The SECMOD_LoadUserModule and SECMOD_UnloadUserModule functions were added in https://bugzilla.mozilla.org/show_bug.cgi?id=132461, but no NSS utilities or test programs use these functions, so the only sample code for these functions that I can find is PSM. PSM uses these fu

Re: NSS DB migration problem

Wolfgang Rosenauer wrote: Hi, Hans Petter Jansson schrieb: This database only fails to migrate if the target database was not already created by another, successful merge, though. I think you're saying that the failures only occur if the "target" (cert9) DB doesn't already exist wh

Re: Help to use PKCS 11 functions in firefox extension

I'll repeat my answer to your question in the opensc list. We should probably keep followups in this list since there is more NSS/mozilla expertise here (which is really where your questionis coming from)... Akkshayaa Venkatram wrote: Hello, From the mozilla tree, http://mxr.mozilla.org/moz

Fork() issue...

I have a couple of thoughts about some of the worries about shutting down after a fork(). First, the PKCS #11 spec is silent on this issue particularly, but it is clear about one thing, you do need to be able to handle C_Initialize after the fork. The quickest way to get there is to allow shut

Re: NSS_Initialize failed. NSS with apache 2.2.10 (mod_nss 1.0.8)

Stefan Kirchner wrote: Ok, I am sorry. It was just a small mistake. The gencert script did not change the access rights of the databases. After chmod everything works fine. Both this and the error code should probably get feed back to mod_nss. I believe you can create a bug in bugzilla.redh

Re: NSS and PKCS#11 versions of modules

Martin Paljak wrote: Thanks! I was only trying to figure out if there is any difference in 2.11 vs 2.20 handling. 2.20 allows slots to be added during the lifetime of a cryptoki application. Can you also explain how NSS handles the feature or any gotchas in implementing support for hotplugg

Re: UTF8 support in the Firefox certificate store?

[EMAIL PROTECTED] wrote: Initially I posted this on another support forum, but was kindly requested to post here instead: For a screendump please refer to: http://www.vandersman.org/certstore.PNG Interesting. The sequence ?? in the cert isn't valid thai. ? is a vowel (roughly 'a' as in fath

Re: NSS and PKCS#11 versions of modules

Martin Paljak wrote: Thanks for tips! Could you point me to the line in spec where it says that slots can only be added. I cant find the place where it forbids removing. That's what I get for not checking the spec after the meeting in which we discussed this. The original agreement was that

Re: mod_nss OCSP failover to CRL

sg4all wrote: Hi, I'm trying to set up a apache webserver with mod_nss. When available, OCSP should be used to verify the validity of the certificate. When the OCSP is unavailable, CRLs are used. I installed the CRLS, and configured everything. (My nss.conf is included in this message). Wh

Re: NSS and PKCS#11 versions of modules

Nelson B Bolyard wrote: Firefox does not allow removal. It'll be a small change to the code to handle removal, though it makes the slot checks more expensive. If you could write a bug up I'd appreciate it. I don't recall the details now, but as I recall, there was some nasty problem

NSS Shared DB and Linux proposal.

I've made a proposal on how applications should initialize NSS when using shared databases on Linux. That draft is located here: https://wiki.mozilla.org/NSS_Shared_DB_And_LINUX Comments and edits are welcome. Thanks, bob smime.p7s Description: S/MIME Cryptographic Signature ___

Re: Security-Critical Information (i.e. Private Key) transmitted by Firefox to CA (i.e. Thawte) during X.509 key/cert generation

Eddy Nigg wrote: On 12/27/2008 12:44 AM, Subrata Mazumdar: A related question: Is it possible to configure the NSS Soft-Token associated with the internal slot like smart-card based token so that the private key key cannot be exported out of the token? If not, would it be useful feature to suppo

Re: Cert expiry with Key Continuity Management

Ben Bucksch wrote: On 08.01.2009 23:15, Nelson B Bolyard wrote: I encourage people to read through that bug, especially the early comments, before contributing here. (The later comments are mostly "me too") Esp. because the first are from you (and are dissenting, and therefore important, while

Re: Cert expiry with Key Continuity Management

Ben Bucksch wrote: Advocacy: One of the core assumptions of the x.509 world is ONE SIGNATURE, and ONE AUTHORITY. Thing is: There is no one authority :-). God doesn't issue SSL certificates. Apart from him, I trust only me and my friends. That's clearly not the case. You have admitted to owni

Re: CABForum place in the world

Ben Bucksch wrote: On 08.01.2009 23:35, Eddy Nigg wrote: On 01/08/2009 11:44 PM, Ian G: Well, what Firefox does is cert-exception-click-thru-ordeal; whereas people are asking for key-continuity-management, with perhaps the emphasis on the last word. Well, is it than an endorsement for self-

Re: CABForum place in the world

the longer a key is used the better the chances of getting compromised, isn't it? It doesn't make a difference whether you have one key for two years on a system or two keys for one year each, one after the other. The longer a key is on a system, the chances are higher for compromise I th

Re: ECC

ps_mitrofa...@mail.ru wrote: Hi. I've got a problem. I need to use NSS freebl3.dll ECC-functions (for ECDH). The first and most obvious question... Why? freebl3.dll is a private NSS DLL. NSS does not support applications using it's functions directly, and doing so would be a good way to have y

Re: ECC

ps_mitrofa...@mail.ru wrote: Freebl3.dll works fine ) err. I highly suggest you do not go that route. NSS does not guarrentee the freebl3 interface as a stable interface. Your app may break when new versions of NSS are installed. Let me make this perfectly, crystal-clear. Freebl3.dll is a

Re: OCSP and privacy concerns

Michael Ströder wrote: Nelson Bolyard wrote: OCSP stapling allows a TLS server to send a copy of a recent OCSP response (issued by the issuer of that server's cert) along with the cert in the TLS handshake, thereby saving the client extra connections and extra round trips. It reduces load on

RE: offtopic question in bug 47295

In https://bugzilla.mozilla.org/show_bug.cgi?id=472975 georgi said in comment 12: offtopic question: afaict when doing a ssl connection, the server *doesn't sign* anything with his private key (in most cases). though the server needs it for finding the session secret. are attacks with symmetr

  1   2   3   4   5   6   >