I've checked for ifdef or ifndef of NSS_ECC_MORE_THAN_SUITE_B. They are located in several .h and .c files:
- sslimpl.h
- sslcon.c
- ssl3ecc.c
- ssl3con.c
- softkver.h
- secsign.c
- p7decode.c
- nss.h
- fipstest.c
- ecl-curve.h
- ecl.c
- cmssiginfo.c
- certutil.c

Manual patching of files of interest can make things build again, but can someone answer the following questions:
- What is the reason for not defining all known-curves in ecl-curve.h?
- What is the reason for intentional breaking of build with NSS_ECC_MORE_THAN_SUITE_B (#error)? (is it safe to override this?)
- Is this file already updated in source control (I am using 3.12 release)?
- What are the plans related to support of EC in future releases?
- Is ec supported in 3.12 build shipped with Firefox 3.0.x?

Regards,
Momcilo Majic

Kaspar Brand wrote:
> [re-sent through different SMTP host, since the first one was rejected]
>
> Nelson B wrote:
>>> In those, I get "certutil: signing of data failed: security library:
>>> invalid algorithm.". For the rest, I get ": An I/O error occurred
>>> during security authorization."
>> Sounds like something isn't right.
>
> Since NSS doesn't currently compile with NSS_ECC_MORE_THAN_SUITE_B, I
> guess this here should be changed
> (http://lxr.mozilla.org/security/source/security/nss/lib/cryptohi/secsign.c#92):
>
>> 92 #ifndef NSS_ECC_MORE_THAN_SUITE_B
>> 93     if (key->keyType == ecKey) {
>> 94         PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
>> 95         return 0;
>> 96     }
>> 97 #endif
>
> After applying the attached patch,
>
> certutil -R -o ecdsa.req -s "CN=ECDSA" -k ec -q nistp521 -s "CN=ECDSA"
>
> works as intended (as do -q nistp256 and -q nistp384).
>
> Kaspar
>
>

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto