Re: PK11_Verify vs. VFY_VerifyDigest

2007-03-30 Thread Robert Relyea
Peter Djalaliev wrote: Can somebody elaborate a little more about why one is better than the other? I went to the VFY_VerifyDigest code and I saw in vfy_VerifyDigest that: - for signatures produced with the RSA encryption algorithm, it would decrypt the signature using the public key and

Re: Email certificate from TPM does not show up in Thunderbird

2007-04-02 Thread Robert Relyea
Nelson Bolyard wrote: - The certificate is visible in MSIE7 (which just uses the windows cert manager) and appears to work in Outlook (2003) – if I manually set my From address to the one matching the certificate then Outlook sends the message (which then bounces because our mail server rejects

Re: Thunderbird S/MIME: Interoperability problem with gpgsm (KMail / Claws Mail)

2007-04-26 Thread Robert Relyea
wurstsemmel wrote: The behavior of Tb arises from its handling of the S/MIME capabilities. KMail requests an algorithm (I think AES), which Tb does not support. In this case Tb seems to fall back to RC2. please write a bug about this. https://bugzilla.mozilla.org Product would be under

Re: Amending Mozilla's Root CA cert policy with key size requirements

2007-04-30 Thread Robert Relyea
Nelson Bolyard wrote: In case it wasn't obvious, I need to state that *it is my opinion* that 512 bits is not a reasonable length for an RSA public key to be used by a CA in 2007. It's an opinion that's held generally. In the article below, the debate centers around whether or not 1024 is a

Re: Amending Mozilla's Root CA cert policy with key size requirements

2007-05-04 Thread Robert Relyea
Eddy Nigg (StartCom Ltd.) wrote: Hi Robert, I just wondered about that one: Robert Relyea wrote: There is also a critical difference between the Hashing and the keysize. Once a CA chooses its keysize, then all certs signed by that CA will be signed with that key. If 1024 bits is weak

Re: problem adding pkcs11 module using modutil

2007-05-16 Thread Robert Relyea
Hi David, Modutil explicitly loads the PKCS #11 module into its address space before it loads it into the database. If you are running a 32-bit version, then you may have problems loading a 64-bit pkcs11 module. In addition you'll want to be careful which applications open the dbdir. A

Re: Block cipher access

2007-06-03 Thread Robert Relyea
Brian Hawkins wrote: I would like to use a block cipher to encrypt some data using a shared secret. It doesn't appear that nss provides access to the low level cipher suite, is that true? I cannot use public/private keys for my encryption because of a design issue. Is there any way to sign

Re: Block cipher access

2007-06-04 Thread Robert Relyea
want. Based on what you have said it looks like I need to create a PK11SymKey and use it right? yes, PK11_PubDerive (potentially followed by PK11_Derive if you need to mangle the bits) would be your way in in this case. bob Thanks Brian On 6/3/07, *Robert Relyea* [EMAIL PROTECTED] mailto

Trying out the shared DBs

2007-06-05 Thread Robert Relyea
Intro: This page contains links and instructions for early NSS 3.12 releases to test the major new features of NSS, namely Shared Database and libPKIX. These are development releases of pre-alpha code, some of which are coming from experimental upstream branches. Bugs should be filed against

Re: PKCS11 quagmire... (JSS question)

2007-06-15 Thread Robert Relyea
David Stutzman wrote: Robert Relyea wrote: The JSS method to create this is: SignerInfo(SignerIdentifier signerIdentifier, SET signedAttributes, SET unsignedAttributes, OBJECT_IDENTIFIER contentType, byte[] messageDigest, SignatureAlgorithm signingAlg, PrivateKey signingKey) So

Re: Adding certificates to the nss database

2007-07-09 Thread Robert Relyea
Nelson B wrote: [EMAIL PROTECTED] wrote: I'm having a tricky problem. What I am trying to do is to add an object signing certificate to the NSS database. This can be done using certutil, yes. But this is a xulapp that uses nsINSSCertCache, which I fear is causing problems. You

Re: Getting public/private keys into/out of NSS

2007-07-09 Thread Robert Relyea
Dave Townsend wrote: Nelson Bolyard wrote: Dave Townsend wrote: I've spent much of the afternoon delving through the NSS APIs trying to figure out how to achieve my goals. I'm basically working on signing and verifying data with public and private keys. I've figured that SGN_SignData

Re: Getting public/private keys into/out of NSS

2007-07-10 Thread Robert Relyea
Dave Townsend wrote: Hi Bob, thanks for all your help by the way, got me much further so far. Robert Relyea wrote: You really only want to store and retrieve the private keys if you need to transport them (or back them up). Doing the latter needs to be handled carefully, and can

Re: Can I manually add a certificate in a file such as prefs.js

2007-07-11 Thread Robert Relyea
[EMAIL PROTECTED] wrote: I am trying to make a wireless surfstation to be used in a public area. I'm using LiveKiosk which is CD based. I can use a laptop that runs a livecd linux build. My problem is that I have to accept a certificate every time the computer is restarted. I was wondering

Re: Firefox does not display imported certificate

2007-07-23 Thread Robert Relyea
Andrei Korostelev wrote: After importing a certificate into the Firefox either using certutil.exe utility or programmatically using NSS API (P12U_ImportPKCS12Object / PK11_ImportCert), I can see that the certificate has been successfully imported (%certutils.exe -L) , however Firefox does not

Re: Mozilla/Firefox certificate import error with CKA_LABEL

2007-07-27 Thread Robert Relyea
Ulf Leichsenring wrote: I understand your real concern is the ability to import the above two certs (and their private keys) into another module, other than softoken. I suggest you test that. To do so, you need to add another command line argument to the pk12util lines above, the option -h

NSS FIPS 140-2 certificate has been issued!

2007-08-03 Thread Robert Relyea
I've just been informed by our testing lab that our FIPS validation is complete. Users of NSS 3.11.4 and 3.11.5 are now FIPS validated! bob

Re: Multiple Private Keys?

2007-08-15 Thread Robert Relyea
gstandefer wrote: I have a situation where I have created a keypair and a cert. I encrypt a CMS enveloped data with recip info using the public key. I am able to decrypt this data without any problem. I then re-create the certificate / keypair. Both private keys are now visible using

Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

2007-09-07 Thread Robert Relyea
Arshad Noor wrote: See below, Alex. Arshad Noor StrongAuth, Inc. - Original Message - From: Alexander Klink [EMAIL PROTECTED] The typical user does not have a client authentication certificate, so after installing one for him, the browser will send that out to anyone who is asking.

Re: hardware security module storing x509 client cert: mozilla code for loging into subversion

2007-09-10 Thread Robert Relyea
Rob Crittenden wrote: Eddy Nigg (StartCom Ltd.) wrote: Nelson Bolyard wrote: Does serf use modSSL? If so, there is a modNSS that causes Apache to use NSS instead of OpenSSL. That might be an easy change for you. Nelson, what about the env variables as in

Re: PSM:CertPrompt

2007-09-10 Thread Robert Relyea
Eddy Nigg (StartCom Ltd.) wrote: A few additional comments to make that clearer: Eddy Nigg (StartCom Ltd.) wrote: I noticed, that in the first section under IE Current Usage, it says that IE will _always_ use that certificate (or lack of certificate) for that site. Only in the second part

Re: Fedora Crypto Consolidation

2007-09-11 Thread Robert Relyea
Arshad Noor wrote: What would be ideal is for JSS to evolve into becoming just another pluggable JCE Provider and hide the access to the consolidated Fedora crypto keystore/library behind that interface. You will then be doing two communities a great service. IIRC, JSS is a JCE provider, as

Re: Decryption using public key

2007-10-22 Thread Robert Relyea
David E. Ross wrote: On 10/19/2007 9:49 AM, Wan-Teh Chang wrote: On 10/19/07, David E. Ross [EMAIL PROTECTED] wrote: On 10/19/2007 5:35 AM, [EMAIL PROTECTED] wrote: I am currently trying to convert from OpenSSL to NSS (seemed like a good idea at the time). The code that I

Re: Decryption using public key

2007-10-23 Thread Robert Relyea
Wan-Teh Chang wrote: On 10/23/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Well, contrary to my expectations, I have now got the code working with PK11_PubEncryptRaw - so again a big thank you. Glad to hear that. If after you decrypt the data with the RSA public key, you check for

Re: KeyGen Tag returns wrong value

2007-10-29 Thread Robert Relyea
Eddy Nigg (StartCom Ltd.) wrote: I'm sure this has been reported before, but can't find something useful at bugzilla. Does somebody know about the issue that sometimes the browser returns the value SPKAC=2048 (High Grade) instead of the key when using the keygen tag? Where can I find the bug

Re: Inclusion of VeriSign EV root in Firefox 3 betas for testing

2007-11-07 Thread Robert Relyea
Frank Hecker wrote: Eddy Nigg (StartCom Ltd.) wrote: Frank, the best test might be, if you could point us to a site signed by the root in question. We could simply follow the chain up to the CA root already in NSS. I gave an example already in my previous message:

Re: Proposed NSS wildcard cert acceptance change - any angst?

2007-12-04 Thread Robert Relyea
Kyle Hamilton wrote: We don't know exactly what rules they enforce. We know that they permit only a single '*', and do not permit any of the other forms of so-called regular expressions that are presently recognized by NSS. We don't know if they require any minimum number of dots to the

Re: Terminating SSL on the web proxy

2007-12-11 Thread Robert Relyea
Florian Weimer wrote: * Nelson Bolyard: Florian Weimer wrote, On 2007-12-07 02:54: Is it possible to configure NSS (or, more precisely, Firefox) to terminate SSL connections on the web proxy, so that the proxy receives requests in the clear (and handles the certificate verification)?

Re: Terminating SSL on the web proxy

2007-12-12 Thread Robert Relyea
Nelson Bolyard wrote: Robert Relyea wrote: NOTE2: None of the proxy nelson mentioned will work if the user is using SSL client auth. I would say two things about that: 1) SSL client auth is generally controlled by the server, not the client. correct. (of course). 2

Re: YA digitally signed email protocol

2007-12-13 Thread Robert Relyea
Nelson Bolyard wrote: Maybe this is news only to me. :-) There is something out there called Domain Signatures (I think), which is meant to be processed by your Email ISP and converted into something that supposedly you trust. The push for this is the need to get 'quiet' signatures

Re: Terminating SSL on the web proxy

2007-12-14 Thread Robert Relyea
Florian Weimer wrote: * Robert Relyea: Oh, how unfortunate. Is it possible to disable all certificate checks? So the question naturally arises: why do you want this?. I want to get rid of the HTTPS confirmation dialogs for testing automation purposes, preferably

Re: Checkin needed for two NSS patches

2007-12-21 Thread Robert Relyea
Wan-Teh Chang wrote: On Dec 5, 2007 1:04 PM, Bruno Escherl [EMAIL PROTECTED] wrote: Hello, I hope this is the right place to ask for it. I need a checkin for the patches in bug 396044 and 396045. Reed said in that bugs, that special checkin rights are needed. Hi Bruno, In the

Re: Handshake Exception with Firefox and Jetty Servlet Container

2008-01-16 Thread Robert Relyea
Question == Why is Firefox a ClientHelloV2, although SSL v2 is disabled in Firefox 2? This is a big question. Firefox2 has turned on a number of SSL3/TLS extensions which require an SSL3 hello. I suspect that for some reason you don't really have SSL2 turned off (an old profile?).

Re: Sorting through EV root CA requests

2008-01-22 Thread Robert Relyea
Frank Hecker wrote: Eddy Nigg (StartCom Ltd.) wrote: Without offending, but does Johnathan has the right background for this? I don't know, but if I remember right his specializations are in different fields... Johnathan and other Mozilla people, e.g., members of the NSS team, have

Re: Generation of key pair and CSR

2008-01-24 Thread Robert Relyea
I don't think neither the KEYGEN tag nor the window.crypto objects can be used to generate keys in tokens If yes...how can it be done I just wanted to start a new thread..for the same. If there is a token installed, Seamonkey/Firefox/Mozilla will prompt the user where the keys

Re: Looking for Certificate Database management cues...

2008-02-07 Thread Robert Relyea
D3|\||\|!$ wrote: The issue isn't with certificates; it is with private keys. I disagree with you...What if somebody deleted the private key from key3.db and its associated certificate entry in cert8.db??? Then added his own thing and went around playing with it...??? The keys in the

Re: PKCS#11 software token concurrent database access

2008-02-11 Thread Robert Relyea
Eddy Nigg (StartCom Ltd.) wrote: Shared DB would be one of the greatest things! So I'm not able to judge if and when it can be done, but looking very much forward to it. Bob, how can I enable this for FF and TB to share the same DB? If you want to start playing with it, try the

Re: window.crypto functions

2008-02-19 Thread Robert Relyea
Eddy Nigg (StartCom Ltd.) wrote: Does anybody know if and which parameters might be obtained by the window.crypto functions and smart cards? For reference see this page: http://developer.mozilla.org/en/docs/JavaScript_crypto#Handling_Smart_Card_Events Specifically I'd like to know if there

Re: window.crypto functions

2008-02-20 Thread Robert Relyea
Nelson Bolyard wrote: Robert Relyea wrote, On 2008-02-19 14:20: Eddy Nigg (StartCom Ltd.) wrote: Does anybody know if and which parameters might be obtained by the window.crypto functions and smart cards? For reference see this page: http://developer.mozilla.org/en/docs

Re: SEC_ERROR_BAD_SIGNATURE with Firefox 3

2008-02-20 Thread Robert Relyea
Christophe Thiaux wrote: Hello, I can't connect on an ssl server with Firefox 3: it displays SEC_ERROR_BAD_SIGNATURE But if I'm connecting with Firefox 2 and accept the certificate definitely, then the connexion with Firefox 3 works. Any idea of the problem ? Not from this sparse

Re: SEC_ERROR_BAD_SIGNATURE with Firefox 3

2008-02-22 Thread Robert Relyea
Christophe Thiaux wrote: Christophe Thiaux wrote: I can't connect on an ssl server with Firefox 3: it displays SEC_ERROR_BAD_SIGNATURE But if I'm connecting with Firefox 2 and accept the certificate definitely, then the connexion with Firefox 3 works My certificate is a self signed

Re: Cert_DecodeDERCertificate?

2008-02-25 Thread Robert Relyea
Stephen Hamilton wrote: Nelson, Thanks for the quick response. Cert_NewTempCertificate works well with the redefinition statement from nssrenam.h. This is for my Master's project, so I needed an explanation of what was going on, and this helps tremendously. Stephen

Re: SECU_GetModulePassword throwing error

2008-02-26 Thread Robert Relyea
[EMAIL PROTECTED] wrote: All of these functions are declared in secutil.h(and defined in secutil.c). Most of the NSS headers have macros around the headers so that they can be included in C++ programs (SEC_BEGIN_PROTOS) secutil.h is a header that's not part of NSS proper, but part of a

Re: Questions about NSS PKCS#11 module configuration

2008-03-03 Thread Robert Relyea
Subrata Mazumdar wrote: Thanks Nelson. My comments are inline. Nelson Bolyard wrote: Subrata Mazumdar wrote, On 2008-02-28 17:18: I have two question about configuration of PKCS#11 module in Firefox 3: - is there any documentation on how to configure MS CAPI as PKCS#11 module

Re: Questions about NSS PKCS#11 module configuration

2008-03-06 Thread Robert Relyea
Subrata Mazumdar wrote: Hi Robert, thanks a lot for your response. I will definitely use it and see if I can uncover/fix the memory leak. That would be great! BTW, what is name of the DLL for CAPI PKCS#11 module that I should use to configure the device manager? Is it nsscapi.dll? yes, I

Re: Failed to decrypt on smart card based-PKCS module

2008-03-19 Thread Robert Relyea
[EMAIL PROTECTED] wrote: Good Day, I have developed a custom smart card based Pkcs library, I'm currently testing it with Thunderbird, so far I can encrypt, sign and verify e-mails, but when I send myself an encrypted e-mail, I encounter something weird. On Initial Viewing of my encrypted

Re: Project Dogtag, an open source certificate system

2008-03-19 Thread Robert Relyea
I 'pushed' an announcement out, but it seems to be hung up somewhere in the mail server...;). Frank Hecker wrote: I thought this was worth noting: http://boblord.livejournal.com/19010.html To quote from the Project Dogtag wiki page: The Dogtag Certificate System is an

Re: How do I find a certificate using SubjectPublicKeyInfo data?

2008-03-26 Thread Robert Relyea
Subrata Mazumdar wrote: Hi, is there any way I can find the certificate associated with a public key using the SubjectPublicKeyInfo (CERTSubjectPublicKeyInfo)? I am looking for public API and not too low level. I looked in the .../nss/certdb/cert.h and .../nss/pk11wrap/pk11pub.h files -

Re: Erratic SSL client-cert-auth in FireFox

2008-04-01 Thread Robert Relyea
Anders Rundgren wrote: on the URL http://demo.webpki.org/mozkeygen you can get yourself a certificate by clicking a single button. What is a bit hard to understand is why the test-service at https://www.apache-ssl.org/cgi/cert-export often (but not always!) asks the user multiple times to OK

Re: Linking of code using NSS 3.11.9 on redhat9

2008-05-27 Thread Robert Relyea
Kai Engert wrote: D3|\||\|!$ wrote: Later on, I decided to test the code onto redhat9 Wow, you're really still using Red Hat Linux version 9? and now the code compiles properly but throws up linking error(undefined reference) with the following functions: SECU_DefaultSSLDir()

Re: Debian Weak Key Problem

2008-06-10 Thread Robert Relyea
Aren't the people who send their credit card number on an https connexion where the private key of the server is public knowledge already screwed ? Yes, of course. The question for this thread is: who is responsible for each screwedness? I beg to differ. The question is:

Re: Update on DigiNotar and Entrust

2008-06-23 Thread Robert Relyea
Frank Hecker wrote: 3. Find some other way to get NSS not to recognize DigiNotar certs for email, perhaps in combination with some action by Entrust and/or DigiNotar. For example, one idea is to have end users of DigiNotar certs reconfigure their email clients to have cert chains that

Re: Firefox 3 connection now results in ssl_error_bad_cert_domain

2008-07-02 Thread Robert Relyea
Bruce Keats wrote: Hi, I started using firefox 3 and I am now getting errors connecting to intra-net sites that were OK in firefox 2. We have our own intra-net and we have a CA that issues server certs and user certs. I have loaded the CA certs and the CA certs are visible under

Re: NSS PKCS#11 and CAPI

2008-07-03 Thread Robert Relyea
Nelson B Bolyard wrote: Chris Hills wrote, On 2008-07-03 10:47: From what I have read in this group, there is already some experimental code in NSS, but I have no idea as to its functionality or usability. The files are in

Re: RSA OAEP encryption support in NSS

2008-08-04 Thread Robert Relyea
Nelson Bolyard wrote: Yes, please. You can put this text into the bug report, if you'd like. I just walked through that code again more carefully. It's definitely a bug. It's really a flaw in the design of the private function pk11_ForceSlot. That function can have any of the following

Re: pkcs11 nss specific types

2008-08-04 Thread Robert Relyea
133mmx wrote: If you instead would tell us exactly what you want to know or perhaps what your specific problem is, perhaps someone might be able to actually help. I will try to summarize my problem. I am implementing pkcs#11 library to access our smart card. Currently i am testing ssl. I

Re: stand-alone PKCS#11 + soft token using NSS(?)

2008-08-04 Thread Robert Relyea
avih wrote: I'd really appreciate any answer or further pointers. I'm still interested in this stand alone implementation... I've described my latest experience earlier on this topic. Sorry I was away when you first asked your questions A good place to start in implementing a PKCS #11

Re: Comparison of OpenSSL and NSS

2008-08-04 Thread Robert Relyea
Nelson B Bolyard wrote: Joe Orton wrote, On 2008-07-28 16:09: On Sat, Jul 26, 2008 at 05:17:56PM -0700, Nelson Bolyard wrote: Daniel Stenberg wrote, On 2008-07-26 13:45: As a user of OpenSSL, NSS, yassl and GnuTLS I can certainly agree that GnuTLS has flaws in its API but NSS

Re: Problem with Content-type:application/x-x509-user-cert

2008-08-05 Thread Robert Relyea
Nelson B Bolyard wrote: [EMAIL PROTECTED] wrote, On 2008-08-04 23:23: I found this mime type(Content-type:application/x-x509-user-cert) is used for firefox 1.5. It just not have popup windows for notification. Is there any version of Firefox where it DOES have a dialog? I believe

Re: NSS PKCS#11 and CAPI

2008-08-05 Thread Robert Relyea
Subrata Mazumdar wrote: Hi Bob, I can neither generate key-pair nor use the private key to sign either a PKCS#10 CSR or another Cert. I remembered that I had that working at one point, but it may have atrophied... It may actually be an issue in the NSS wrapper rather than the CAPI

Re: Creating detached PKCS#7 signature with cmsutil

2008-08-07 Thread Robert Relyea
Wan-Teh Chang wrote: On Thu, Aug 7, 2008 at 4:40 AM, Michael Ströder [EMAIL PROTECTED] wrote: Ok, I've extracted ftp://ftp.mozilla.org/pub/security/nss/releases/NSS_3_11_4_RTM/Linux2.6_x86_glibc_PTH_DBG.OBJ/nss-3.11.4.tar.gz and set LD_LIBRARY_PATH to the extracted lib/ dir (see output of

Re: Creating detached PKCS#7 signature with cmsutil

2008-08-07 Thread Robert Relyea
Wan-Teh Chang wrote: 2008/8/7 Robert Relyea [EMAIL PROTECTED]: signver was finally made to link with the dynamic NSS libraries in NSS 3.12.1 (not yet released), so pretty much any package will have static linked version of it. That's 'signtool', not 'signver'. Oops, my bad

Re: Comparison of OpenSSL and NSS

2008-08-12 Thread Robert Relyea
Nelson B Bolyard wrote: Howard Chu wrote, On 2008-08-11 20:07: Nelson B Bolyard wrote: Howard Chu wrote, On 2008-08-10 14:13: It would make it impossible to use in e.g. OpenLDAP/nss_ldap because applications would be unable to load their own configuration settings after

Re: NSS Support

2008-08-15 Thread Robert Relyea
Wan-Teh Chang wrote: 2008/8/15 Sam Laidler [EMAIL PROTECTED]: Hello, hope all is well. I was wondering if I might ask about hashing efficiency. I am reiteratively hashing values. Basic algorithm is: digestCntxt = PK11_CreateDigestContext(algorithm); while (counter

Re: Trusted CA issuing SSL server certs with unvetted FQDNs!

2008-08-20 Thread Robert Relyea
Nelson B Bolyard wrote: Thorsten Becker wrote: Nelson Bolyard wrote: On the other hand, it is possible that the domain validation was performed but that it was deceived through the use of DNS attacks. In his slides on the subject of DNS attacks, Dan Kaminsky did say that it was

Re: FireFox v3.0.1 of Windows uses SSLv2 Record Layer even when SSLv2 is disabled

2008-09-02 Thread Robert Relyea
Nelson B Bolyard wrote: Suresh Kumar J wrote, On 2008-09-02 10:55: Hi Nelson, You are correct that Apache Tomcat web-server(v6.0.13) choked with the full set of cipher suites implemented in the Windows FF3.0.1. When I disable the following cipher suites via the about:config option, the web

Re: NSS equivalent of OpenSSL's EVP_CipherUpdate

2008-09-02 Thread Robert Relyea
Graham Leggett wrote: Hi all, I am trying to port some symmetrical encryption / decryption code using OpenSSL's EVP_CipherUpdate function to NSS, and I am running into trouble trying to find the API documentation for NSS. So far, the closest to documentation that I have found is a list of

Re: Inclusion of the KeyGen tag in HTML5

2008-09-02 Thread Robert Relyea
Anders Rundgren wrote: Eddy Nigg wrote: The keygen tag is used widely and Mozilla supports smart cards with the associated PIN excellent. I'm sure about that! However... What I was referring to is the inability for an issuer specifying that generated keys should be PIN-protected

Re: NSS equivalent of OpenSSL's EVP_CipherUpdate

2008-09-03 Thread Robert Relyea
Graham Leggett wrote: Robert Relyea wrote: Newer applications should use more standard algorithms such as PKCS#5 v2.0 for key derivation. I am assuming NSS supports PKCS#5 v2, what functions should I be looking at to achieve this? Ah, It's a PBE algorithm. That is a perfectly acceptable

Re: NSS support for RFC2898 / PBKDF2

2008-09-03 Thread Robert Relyea
Graham Leggett wrote: Hi all, Does NSS support RFC2898 (derivation of keys from a passphrase), and if so, what set of functions should I be looking at to use this? Yes, The standard NSS PBE interface supports PBKDF2 automatically on reading if the algid specifying the PBE is PBEDKF2. On

Re: How do I reset a password of slot for soft-token after removing the token

2008-09-08 Thread Robert Relyea
Subrata Mazumdar wrote: nsCOMPtr<nsIPK11Token> softToken; rv = pkcs11Slot->GetToken(getter_AddRefs(softToken)); softToken->Login(PR_FALSE); // prompts for initializing password . . . softToken->Reset(); // expected that token/slot password would be in the uninitialized state

Re: How does PK11_GetPadMechanism work?

2008-09-08 Thread Robert Relyea
Graham Leggett wrote: Completeness I guess - xml-security's API allowed you to choose both CBC and ECB modes, so I was trying to emulate the same thing. The only mechanism that I cannot find an oid for is CKM_DES3_ECB - do you know which SEC_OID_* macro I should be using? The

Re: How does PK11_GetPadMechanism work?

2008-09-08 Thread Robert Relyea
Nelson B Bolyard wrote: Graham Leggett wrote, On 2008-09-06 12:51: I think a big source of confusion is that everything is an OID, or everything is a mechanism, but not all OID or mechanisms are relevant for every situation, and this isn't clear from each function call. I think this

Re: IPsec implementations using NSS?

2008-09-12 Thread Robert Relyea
Wan-Teh Chang wrote: On Thu, Sep 11, 2008 at 9:29 AM, Paul Hoffman [EMAIL PROTECTED] wrote: Greetings again. Are people aware of any IPsec implementations using NSS's crypto, even as a non-default build option? No, I don't know of any IPsec implementations using NSS's crypto. Since

Re: Beginner with NSS

2008-09-15 Thread Robert Relyea
Francisco Puentes wrote: Being a beginner with NSS, I need help :-( I am trying to generate a RSA pair of keys with this code: NSS_Init("./rsa.db"); NSS_Init requires a pointer to a directory (which should already exist). You should check the error code coming back for NSS_Init. It's

Re: NSS and initialisation

2008-09-15 Thread Robert Relyea
Graham Leggett wrote: Hi all, I am having a dilemma that I am trying to find a solution for. In the httpd webserver, if the mod_nss module is loaded, the mod_nss module will try and initialise NSS. If mod_authnz_ldap is loaded into the same server, and mod_authnz_ldap depends on the Mozilla

Re: nssModule=keystore problem

2008-09-22 Thread Robert Relyea
Robert Relyea wrote: [ output deleted]. Which means that libnssckbi.so is used for obtaing trustanchors and i dont know why. In configuration I've set that i want only access to keystore. Any ideas? Yes, the trust anchors are stored in libnssckbi.so. NSS nssckbi is the NSS cryptoki Builtin

Re: Unable to read PKCS#8 file generated using OpenSSL command line tool

2008-09-29 Thread Robert Relyea
Subrata Mazumdar wrote: Nelson, thanks very much for the clear answer - I did not realize that the Mozilla NSS does not support PKCS#8. I also agree with you that PKCS#12 format is the right way to import/export keys. The problem is that a large number of OpenSSL based applications still use

Re: Unable to change password of FIPS enabled internal key token

2008-10-08 Thread Robert Relyea
Kyle Hamilton wrote: On Tue, Oct 7, 2008 at 5:22 PM, Subrata Mazumdar [EMAIL PROTECTED] wrote: I guess that the problem is in documentation and the PSM GUI. The PSM GUI should have clearly stated the password policy requirement in the password change dialog window. Also, NSS should have

Re: storing custom public key / private key pair securely in Firefox

2008-10-14 Thread Robert Relyea
Nelson B Bolyard wrote: [EMAIL PROTECTED] wrote, On 2008-10-13 13:52: I have a crypto library which I connect to a Firefox extension using Xpcom. The library generates custom size public and private key pairs which I would like to store securely in Firefox. How would this be done?

Re: MITM in the wild

2008-10-20 Thread Robert Relyea
Nelson B Bolyard wrote: b) some unmistakeable blatantly obvious way to show the user that this site is not using security that's good enough for banking but, well, is pretty good security theater. Flashing pink chrome? Empty wallet icon? The whistling sounds associated with falling things?

Re: revocation of roots

2008-10-23 Thread Robert Relyea
Julien R Pierre - Sun Microsystems wrote: How do we revoke Mozilla's root? By updating mozilla software :) Certainly not by issuing a CRL. Mozilla doesn't have the keys needed to issue a CRL to revoke any root. (CRL's must be signed by the issuer, or by an agent with the appropriate key

Re: revocation of roots

2008-10-24 Thread Robert Relyea
Paul Hoffman wrote: At 3:25 PM +0200 10/24/08, Ian G wrote: Robert Relyea wrote: The problem with this idea is that mozilla probably does not want to be in the CA business. The overhead of creating a mozilla root key in a safe and secure manner is quite involved (and more than doing

Re: multiple pkcs 12 files vs. firefox software pkcs 11 module...

2008-10-28 Thread Robert Relyea
[EMAIL PROTECTED] wrote: On Oct 28, 5:10 pm, Nelson B Bolyard [EMAIL PROTECTED] wrote: [EMAIL PROTECTED] wrote, On 2008-10-28 13:29: From what I have read, the internal pkcs 11 data store is protected by 1 master password. Is there a way to store my keys in the firefox pkcs 11 data

Re: Creating a cert. database at runtime?

2008-10-29 Thread Robert Relyea
Antonio wrote: Hi all, Is it possible to create a brand new certificate database at runtime for read/write purposes, without it being the default database? Thanks, Antonio Yes, The thread multiple pkcs 12 files vs. firefox software pkcs 11 module... has a link to two functions that allow

Re: Creating a cert. database at runtime?

2008-10-29 Thread Robert Relyea
, The CERTCertDBHandle is basically an historical dreg in our code. NSS always has a consolidated view of all the databases. The only time they are distinguished is if you specify a particular token (PK11SlotInfo *). What is it you are trying to actually do? bob On Oct 29, 8:46 pm, Robert Relyea [EMAIL

Re: why nss has very little doc about usage of api

2008-11-04 Thread Robert Relyea
NZzi wrote: hi all: when i use nss to develop some cipher program(just for local, not internet), i.e. just perform miscellaneous cryptographic operations, the only reference i can use is the example code from MDC. when i want a detail parameter explanation, what i got is just this function's

Re: why nss has very little doc about usage of api

2008-11-05 Thread Robert Relyea
Ken wrote: 2008/11/5 Robert Relyea [EMAIL PROTECTED]: NZzi wrote: hi all: when i use nss to develop some cipher program(just for local, not internet), i.e. just perform miscellaneous cryptographic operations, the only reference i can use is the example code from MDC. when i want

Re: MITM in the wild

2008-11-07 Thread Robert Relyea
Bernie Sumption wrote: If we create an error display that says No kidding, this absolutely is an attack and we're stopping you cold to protect you from it. it seems unavoidable that users will learn to treat the absence of such an unbypassable error display as proof to the contrary, proof that

Re: Help to use PKCS 11 functions in firefox extension

2008-11-12 Thread Robert Relyea
Akkshayaa Venkatram wrote: Hi I am developing a Firefox extension that calls PKCS 11 functions like C_Encrypt, C_Sign, C_Decrypt and others.. We don't expose the direct C_ calls in NSS. NSS typically has the token open during the entire time, so applications making calls and changing states

Re: how to decrypt with pubkey without pkcs1 padding things

2008-11-13 Thread Robert Relyea
NZzi wrote: hi all: I want to use private key to encrypt a message, and decrypt with public key. Are you encrypting data or a symmetric Key? Most of the nss code that does these operations does so on actual symmetric keys (which are then used to do additional encryption/decryption/macing).

Re: how to decrypt with pubkey without pkcs1 padding things

2008-11-14 Thread Robert Relyea
NZzi wrote: Robert Relyea wrote: NZzi wrote: hi all: I want to use private key to encrypt a message, and decrypt with public key. Are you encrypting data or a symmetric Key? Most of the nss code that does these operations does so on actual symmetric keys (which are then used to do

Re: how to decrypt with pubkey without pkcs1 padding things

2008-11-17 Thread Robert Relyea
Ken wrote: 2008/11/15 Robert Relyea [EMAIL PROTECTED]: NZzi wrote: Robert Relyea wrote: NZzi wrote: hi all: I want to use private key to encrypt a message, and decrypt with public key. Are you encrypting data or a symmetric Key? Most of the nss code

Re: NSS DB migration problem

2008-11-17 Thread Robert Relyea
Hans Petter Jansson wrote: This works for some databases, but not others. It doesn't seem to matter which application created the database (I've tried with databases from Firefox and Evolution) - e.g. one user's database may fail while another user's database may migrate properly. When it

Re: How-to guide for email encryption

2008-11-18 Thread Robert Relyea
Anders Rundgren wrote: IM[NS]HO, S/MIME encryption using PKI is one of the biggest security farces ever. Even the use-case is often wrong. Please start your debate in another thread. S/MIME and PKI are a supported part of the NSS feature set, and supported in pretty much every email

Re: Firefox' password manager with sqlite based NSS

2008-11-18 Thread Robert Relyea
Wolfgang Rosenauer wrote: Nelson B Bolyard wrote: Wolfgang Rosenauer wrote, On 2008-11-18 05:38: Hi, I'm trying to use Firefox with an sqlite based NSS. So far all the certificate stuff still works as expected as far as I can see but the password manager component is broken now:

Re: Slamming S/MIME. Re: How-to guide for email encryption

2008-11-18 Thread Robert Relyea
Anders Rundgren wrote: Robert, Pardon me. I did indeed not intend to slam Paul's guide. I changed the thread but I don't expect a fruitful debate since the difficulties are mostly unrelated to NSS. I feel sorry for those who feel that S/MIME encryption needs to become mainstream because

Re: Firefox' password manager with sqlite based NSS

2008-11-18 Thread Robert Relyea
Wolfgang Rosenauer wrote: Robert Relyea wrote: This was a new profile actually. And yes, the database which reveals this issue isn't complete it seems. I removed it and created a new empty one using certutil -d sql:. -N and now Firefox works correctly. What I've used to create the shared

Re: Firefox' password manager with sqlite based NSS

2008-11-18 Thread Robert Relyea
Nelson Bolyard wrote: Robert Relyea wrote: Typically needsUserInit means there isn't a password record in your key database. Without this you can not store any keys. The difference between 'not initialized', 'doesn't have a master password', and 'has a master password' is as follows: 1

Re: How to use SECMOD_LoadUserModule and SECMOD_UnloadUserModule

2008-11-19 Thread Robert Relyea
Wan-Teh Chang wrote: The SECMOD_LoadUserModule and SECMOD_UnloadUserModule functions were added in https://bugzilla.mozilla.org/show_bug.cgi?id=132461, but no NSS utilities or test programs use these functions, so the only sample code for these functions that I can find is PSM. PSM uses these
