Peter Djalaliev wrote:
> The original TSS (Trusted Software Stack) implementation (libtcpa by
> IBM) doesn't use PKCS#11 calls and this is the library that we are
> using. Even though a PKCS#11-based implementation exists now
> (TrouSers), I don't quite have the ability (time) to switch right now.
> It would definitely be on my TODO list... When I get around to doing it, I
> can certainly provide feedback...
Well, you want to import a cert into "Your Certificates". In order to
appear in "Your Certificates", NSS must be able to find the private key
that goes with that cert. If it cannot, NSS will likely show the cert in
"other people's certs". In the case of removable tokens, the tab in which
a cert appears may change each time the token is inserted or removed.

Now, I gather that you wanted to be able to use the cert with the private
key (else why do you care if it is listed in "Your Certificates"?). And
for NSS to be able to make any use of that private key, there must exist a
PKCS#11 module for the device that holds the private key. So, I gather
that you must have, and be using, a PKCS#11 module for your gizmo.
Otherwise, what is the point of having this cert in "Your Certificates"?

> The TPM provides some functionality that I am not sure is compatible
> with PKCS#11...

The PKCS#11 module doesn't have to expose all the functions of the device.
It need only expose the ones that NSS will use: signing, encryption,
decryption, etc.

> So, I was trying to import a non-PKCS#12 certificate in "Your
> Certificates", but I guess I can't. If I import it in any of the other
> tabs in the "View Certificates" section in FF, will I be able to access
> it from NSS, e.g. using the FindCertByNickname() function?

If you import it into "other people's certs", and then make the associated
private key available to NSS, the cert should move into "Your
Certificates". The requirements for a cert to appear in "Your
Certificates" are very simple:
a) the cert must have a nickname, and
b) NSS must be able to find the corresponding private key for it.

> If not, how can I import it using certutil, so that I can access it
> inside FF?

You seem to already know about certutil -A. Import the cert with a
nickname (certutil -A -n "my nickname" ...). You must never use certutil on
your FF profile DBs while FF is running.
> An additional question is about the subject field of a certificate
> imported into an NSS database. The TCG specification says that the
> subject field of an attestation identity certificate is assigned the
> value NULL. When I import this certificate then to an NSS database with
> certutil -A, it imports the certificate with subject field value
> !!!Invalid AVA!!!. Is this because the certificate imported had NULL
> subject to begin with?

Yes, no doubt. NSS assumes in many places that certs have non-NULL subject
names. Nicknames map onto subject names. With a null subject name, I doubt
a cert can have a nickname. But I'm sure we've never tried to have certs
with NULL subject names before, so I'm just guessing about that. I
encourage you to continue to "boldly go where no man ..." :-)

> P.S. The TPM 1.2 specification uses zero-knowledge proofs instead of
> attestation identity certificates.

How do you envision this stuff integrating with browser functionality?
What use has (say) SSL for attestation certs?

Regards,
/Nelson

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
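An added check, not part of any message in this thread: the script below applies the two "Your Certificates" requirements (a nickname, and a private key NSS can find) to a `certutil -L` listing, where a `u` in the trust attributes marks a cert whose private key NSS located. The function names and the "my nickname" label are assumptions; `live_check` needs NSS's certutil installed and a PEM certificate file as its argument.

```shell
#!/bin/sh
# Added example, not code from the thread. A cert shows up as "yours" only
# when it has a nickname AND NSS finds its private key; in `certutil -L`
# output that second condition appears as a "u" flag in the trust attributes.
# Anything else is listed in the other tabs (authorities, servers, people).

# classify_certs: read a `certutil -L` listing on stdin and print one line per
# cert, "<nickname><TAB>user" or "<nickname><TAB>other". The first two lines
# are column headers; the trust attributes are always the last field.
classify_certs() {
    awk 'NR > 2 && NF >= 1 {
        trust = $NF
        nick = $0
        sub(/[ \t]*[^ \t]+[ \t]*$/, "", nick)   # drop the trust column and its padding
        if (nick == "") next                    # no nickname: can never be "yours"
        if (trust ~ /u/) print nick "\tuser"
        else             print nick "\tother"
    }'
}

# live_check: import the PEM cert in $1 under a nickname into a fresh,
# throwaway NSS database and classify what certutil reports. Run this
# against a copy, never against a profile Firefox currently has open.
live_check() {
    command -v certutil >/dev/null 2>&1 || { echo "certutil not found" >&2; return 1; }
    db=$(mktemp -d) || return 1
    certutil -N -d "sql:$db" --empty-password
    certutil -A -d "sql:$db" -n "my nickname" -t ",," -i "$1"
    certutil -L -d "sql:$db" | classify_certs
    rm -rf "$db"
}
```

Without a PKCS#11 module exposing the key, the imported cert is reported as `other`; once the module is loaded into the same database (`modutil -add`), the same nickname flips to `user`.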