The original TSS (Trusted Software Stack) implementation (libtcpa by IBM) doesn't use PKCS#11 calls and this is the library that we are using. Even though a PKCS#11-based implementation exists now (TrouSers), I don't quite have the ability (time) to switch right now. It would definitely be on my TODO list... When I get around to doing it, I can certainly provide feedback...
The TPM provides some functionality that I am not sure is compatible with PKCS#11... One is attestation, which signs the current PCR values, so that they can be sent to a remote host for verification. Another is sealing certain keys inside the TPM, so that they can be unsealed only in the presence of the same PCR values (i.e. the same software loaded on the computer).
So, I was trying to import a non-PKCS#12 certificate in "Your Certificates", but I guess I can't. If I import it in any of the other tabs in the "View Certificates" section in FF, will I be able to access it from NSS, e.g. using the FindCertByNickname() function?
If not, how can I import it using certutil, so that I can access it inside FF?
An additional question is about the subject field of a certificate imported into an NSS database. The TCG specification says that the subject field of an attestation identity certificate is assigned the value NULL. When I import this certificate then to an NSS database with certutil -A, it imports the certificate with subject field value !!!Invalid AVA!!!. Is this because the certificate imported had NULL subject to begin with?
Regards,
Peter
P.S. The TPM 1.2 specification uses zero-knowledge proofs instead of attestation identity certificates.
_______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
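As an added illustration of the attestation and sealing behaviour described in the message above (example code, not from the original post, libtcpa or TrouSerS), here is a Python model of TPM 1.2 PCR extend, PCR-bound sealing and a nonce-bound quote. The TpmModel class, the use of HMAC in place of the SRK/AIK key operations, and the sample measurements are assumptions of this example.

```python
import hashlib
import hmac
import os


class TpmModel:
    """Toy model of TPM 1.2 PCR extend, sealing and quoting (assumption: not real TSS code)."""

    def __init__(self, num_pcrs=24):
        # PCRs are zero after reset; a TPM 1.2 PCR holds a 20-byte SHA-1 digest
        self.pcrs = [b"\x00" * 20 for _ in range(num_pcrs)]
        self._srk = os.urandom(32)  # stands in for the storage root key (never leaves the chip)
        self._aik = os.urandom(32)  # stands in for an attestation identity key

    def extend(self, index, measurement):
        # TPM_Extend: PCR[i] = SHA-1(PCR[i] || SHA-1(measurement)); append-only, order matters
        meas = hashlib.sha1(measurement).digest()
        self.pcrs[index] = hashlib.sha1(self.pcrs[index] + meas).digest()
        return self.pcrs[index]

    def composite(self, selection):
        # Digest over the selected PCRs in index order (simplified TPM_PCR_COMPOSITE hash)
        return hashlib.sha1(b"".join(self.pcrs[i] for i in sorted(selection))).digest()

    def seal(self, data, selection):
        # Bind data (<= 32 bytes here) to the current composite; the key never leaves the "chip"
        assert len(data) <= 32
        digest = self.composite(selection)
        key = hmac.new(self._srk, b"seal" + digest, hashlib.sha256).digest()
        ct = bytes(a ^ b for a, b in zip(data, key))
        blob = {"selection": sorted(selection), "digest_at_release": digest, "ct": ct}
        blob["mac"] = hmac.new(self._srk, digest + ct, hashlib.sha256).digest()
        return blob

    def unseal(self, blob):
        # Integrity check first, then the PCR check a real TPM reports as TPM_WRONGPCRVAL
        expected = hmac.new(self._srk, blob["digest_at_release"] + blob["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, blob["mac"]):
            raise ValueError("sealed blob tampered")
        if self.composite(blob["selection"]) != blob["digest_at_release"]:
            raise PermissionError("PCR values differ from those at seal time")
        key = hmac.new(self._srk, b"seal" + blob["digest_at_release"], hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(blob["ct"], key))

    def quote(self, nonce, selection):
        # Attestation: "sign" the PCR composite together with the verifier's fresh nonce
        digest = self.composite(selection)
        sig = hmac.new(self._aik, digest + nonce, hashlib.sha256).digest()
        return {"pcrs": {i: self.pcrs[i] for i in sorted(selection)}, "nonce": nonce, "sig": sig}

    def verify_quote(self, q):
        # Verifier side; recomputes the composite from the reported PCRs and checks the "signature"
        digest = hashlib.sha1(b"".join(q["pcrs"][i] for i in sorted(q["pcrs"]))).digest()
        return hmac.compare_digest(hmac.new(self._aik, digest + q["nonce"], hashlib.sha256).digest(), q["sig"])
```

Re-extending a PCR with any measurement, even the same one, changes its value, which is why a blob sealed to the earlier state can no longer be unsealed.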