jayasree bhattacharya wrote:
> Thanks Nelson for your reply. My confusion is less but
> still there.
> The doubts are:
>
> a) When certutil generates keys, the pvt key is stored in
> keydb, but where is the pub key stored? I am not creating
> any cert but just generating keys.

If I recall correctly, NSS does not store public keys in either DB file.
Private keys are stored in key3.db. Certificates are stored in cert8.db.
Public keys, which generally can be derived from private keys, are not
stored separately in either DB, as I recall. The public keys may be
accessible through the PKCS#11 API, and/or NSS's PK11wrap APIs. I'd
imagine that the public keys accessed that way are reconstructed from
the private keys. If I'm mis-remembering this, and the public keys ARE
stored in the key DB, I invite correction on this point. (Bob :)

> b) I want to see all the pub keys in keydb using certutil.
> How do I see them?

I believe the answer is: they don't exist, so you can't see them.

> The mozilla webpage says, use
> keytool -L, but keytool does not exist anymore!

IIRC, keytool listed private keys. certutil now has an option (-K) to
do that, but IMO it's not very useful, because it doesn't show much (if
any) real information about the keys. IIRC, it shows the nicknames of
the corresponding certificates, when such corresponding certs exist,
and blank otherwise. You can see this for yourself with a pair of
commands like this pair:

    certutil -d DB -k ec -q nistp256 -n "EC Key" -G
    certutil -d DB -K

or

    certutil -d DB -k ec -q nistp256 -n "EC Key" -R -a -s "CN=foobar"
    certutil -d DB -K

> And, if certutil has taken keytool's role as well, then
> certutil -L -d dirname should give me that!

No, certutil -L shows certificates. certutil -K shows keys.

> But, it rather shows me the certs in certdb. Then?
>
> c) How are pvt keys indexed in keydb?

The contents and schema of NSS's DBs are private to NSS. The public API
by which the DBs are accessed is the PKCS#11 API. For each class of
findable objects (such as private keys, public keys, and certificates),
the PKCS#11 API has a unique identifier attribute, symbolically named
CKA_ID (CryptoKey Attribute: ID). By convention, the public key, private
key, and certificate objects that correspond to each other all have the
same CKA_ID value. So, once you have a private key object, you can find
the corresponding public key or cert objects by searching for the
objects with that same CKA_ID value.

> d) When I use certutil to create a cert, is the pub key
> stored in 2 places? One as a pub key itself in keydb
> and another as a member of the cert, where the cert is
> created in certdb?

IIRC, the key is not stored, other than in the cert.

> e) When there is no keydb and certdb and I use certutil
> -G -d dirname to generate keys, I see that a certdb
> is built. What is stored there then?

A private key.

> If now I do a certutil -L -d dirname, I see no output!

Because the command you cited doesn't create a certificate.

> Does it mean
> that even when I just generated keys (using certutil
> -G), cert.db was created although it does not contain
> any cert (and key)

Yes.

> and it is only in keydb that the
> pub and pvt keys have been loaded. Is this right?

The generated private keys are only in the key DB. Yes.

> And yes, another similar question. How are pub keys
> indexed in keydb (if they exist there)?

Same answer as above for private keys. The key DB contents and schema
are private to NSS. The public API by which the DBs are accessed is the
PKCS#11 API. The CKA_ID attribute is what ties certs and keys to each
other.

> How do I use certutil to see them and find them based upon some index?

I think the short answer is: you don't, unless you have certs for them.
certutil has no facility to name keys by their binary CKA_IDs, IIRC.

Now, this begs the obvious question: of what value is certutil -G?
AFAIK, the answer is: it is a QA unit test tool, providing a means to
test key generation.

> I am not asking how do I find certs and the pub
> keys in them. I just generate keys, and then do
> operations on them, like finding, deleting keys and
> all!!
> I understand pvt keys are hidden but then what
> about pub keys?
>
> Thanks

-- 
Nelson B

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
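The CKA_ID lookup that the reply above describes (start from a private key object, find the certificate and public key that carry the same CKA_ID), as an added example that is not code from the thread or from NSS. It models the PKCS#11 side of the answer: a "token" here is a constructed in-memory list of attribute dictionaries, where a real token would hand back the same attributes through C_GetAttributeValue on the handles C_FindObjects returns. The sample token includes public key objects because the reply says the PKCS#11 API may expose them even though the DB does not persist them separately. Assumptions: the SHA-1-of-public-key-value rule in make_id_from_pubkey is the convention NSS's pk11wrap uses to derive CKA_ID (only the pairing matters to the lookup, not the digest), the sample key values are constructed and not real keys, and the certutil -K style row format is this example's own rendering.

```python
"""Find the objects that belong to one key pair through their CKA_ID.

Added example (not from the thread or from NSS): C_FindObjects-style
searching over a constructed token, used to pair private keys with the
certificate and public key sharing their CKA_ID.
"""
import hashlib

# Attribute and object-class constants; numeric values from pkcs11t.h.
CKA_CLASS = 0x0000
CKA_LABEL = 0x0003
CKA_KEY_TYPE = 0x0100
CKA_ID = 0x0102
CKO_CERTIFICATE = 0x0001
CKO_PUBLIC_KEY = 0x0002
CKO_PRIVATE_KEY = 0x0003
CKK_RSA = 0x0000
CKK_EC = 0x0003
KEY_TYPE_NAMES = {CKK_RSA: "rsa", CKK_EC: "ec"}


def make_id_from_pubkey(pubkey_value: bytes) -> bytes:
    """Derive a CKA_ID from the public key value.

    Assumption: NSS derives CKA_ID as the SHA-1 digest of the public key
    value (RSA modulus, or the EC point for EC keys). What the lookup
    below relies on is only that all objects of one pair share the bytes.
    """
    return hashlib.sha1(pubkey_value).digest()


def find_objects(token, template):
    """C_FindObjectsInit/C_FindObjects semantics: every attribute in the
    search template must be present on the object with an equal value."""
    return [obj for obj in token
            if all(obj.get(attr) == val for attr, val in template.items())]


def related_objects(token, cka_id):
    """All objects carrying one CKA_ID, keyed by object class."""
    return {obj[CKA_CLASS]: obj
            for obj in find_objects(token, {CKA_ID: cka_id})}


def list_private_keys(token):
    """Rows of (index, key type, CKA_ID hex, cert nickname or None).

    This is the information certutil -K can show: the nickname is not a
    property of the key, it is read off the certificate object with the
    same CKA_ID, so a bare key pair (what certutil -G leaves behind) has
    no nickname to report."""
    rows = []
    for i, priv in enumerate(find_objects(token, {CKA_CLASS: CKO_PRIVATE_KEY})):
        cert = related_objects(token, priv[CKA_ID]).get(CKO_CERTIFICATE)
        rows.append((i, KEY_TYPE_NAMES[priv[CKA_KEY_TYPE]], priv[CKA_ID].hex(),
                     cert[CKA_LABEL] if cert else None))
    return rows


def build_sample_token():
    """Constructed token contents: an EC pair with no certificate (the
    state after certutil -G alone) and an RSA pair whose certificate
    carries the nickname "foobar" (the state after -R/-S with a cert)."""
    ec_point = b"\x04" + bytes(range(64))    # constructed, not a real P-256 point
    rsa_modulus = b"\xc3" + b"\x5a" * 255    # constructed, not a real modulus
    ec_id = make_id_from_pubkey(ec_point)
    rsa_id = make_id_from_pubkey(rsa_modulus)
    return [
        {CKA_CLASS: CKO_PRIVATE_KEY, CKA_KEY_TYPE: CKK_EC, CKA_ID: ec_id},
        {CKA_CLASS: CKO_PUBLIC_KEY, CKA_KEY_TYPE: CKK_EC, CKA_ID: ec_id},
        {CKA_CLASS: CKO_PRIVATE_KEY, CKA_KEY_TYPE: CKK_RSA, CKA_ID: rsa_id},
        {CKA_CLASS: CKO_PUBLIC_KEY, CKA_KEY_TYPE: CKK_RSA, CKA_ID: rsa_id},
        {CKA_CLASS: CKO_CERTIFICATE, CKA_ID: rsa_id, CKA_LABEL: "foobar"},
    ]


if __name__ == "__main__":
    token = build_sample_token()
    for idx, ktype, hexid, nick in list_private_keys(token):
        print(f"<{idx:2}> {ktype:4} {hexid} {nick or ''}")
```

Run stand-alone it prints two rows, the EC key with an empty nickname column and the RSA key with "foobar"; the search template is the only thing that differs between "find the cert for this key" and "find the public key for this cert", which is why a tool that cannot take a CKA_ID on its command line, as the reply says of certutil, can only reach keys through a certificate nickname.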