Removing #error from the NSS_ECC_MORE_THAN_SUITE_B results in a broken
ECC build, according to another thread.

-Kyle H

On Mon, Aug 25, 2008 at 11:40 PM, Momcilo Majic
<[EMAIL PROTECTED]> wrote:
> Hi,
>
> Hi you were correct, the trust was designated as Pu,Pu,Pu. Still
>
> - NSS is 3.12 built on Windows XP, VS2003 + MozillaBuild
> - NSS_ENABLE_ECC + NSS_ECC_MORE_THAN_SUITE_B with patched ecl-curve.h
> (removed #error)
>
> I will try to find the topic you mentioned.
>
> Best regards,
>
> Momcilo Majic
>
> Nelson B Bolyard wrote:
>> Momcilo Majic wrote, On 2008-08-25 13:03:
>>
>>> I have created simple CA using ejbca. The root certificate is ECDSA based.
>>>
>>> 1. Then I've tried to create certificate request using certutil:
>>> certutil -R -s "CN=TestECDSA" -o request.req -a -d database -k ec -q nistp192 -a
>>> 2. I've uploaded resulting request to the EJBCA, signing and got cert.pem
>>> 3. I've imported the resulting certificate
>>> 4. Listing the keys still designates only one ec key with status orphan
>>
>> What version of NSS did you use?
>>
>> I'm having Deja vu here.  Did we discuss this a few weeks ago?
>>
>> As I recall, some versions of NSS had a bug in the certutil -K command
>> that caused it to report keys as orphans that were not orphans.
>> However, the certutil -L command properly reported whether the private
>> key corresponding to each cert was found (in the key DB) or not.
>>
>> So, if you list your new cert with certutil -L, and you see the "u" trust
>> flags (e.g. u,u,u) then you know that NSS has correctly matched up the
>> key and the cert, and all is well, despite certutil -K's diagnosis.
>>
>> If you're having this result with NSS 3.12.x, please let us know.
>> Also, if you don't get the "user" trust flags when you list that cert,
>> then let us know.  But the version of NSS is crucial.  Also, if you
>> got your NSS from some (any) Linux distribution, let us know what
>> Linux distribution you got it from.
>>
>> Thanks.
>>
>>> Does anybody know how to establish relationship between
>>> request-key-certificate?
>>
>> It should be entirely automatic.  You can't force it.
> _______________________________________________
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>
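The check described in the quoted reply (look for the "u" trust flag in `certutil -L` output rather than relying on `certutil -K`) can be scripted. The following is an added example, not part of the original thread or of NSS; the listing text is a constructed sample and the function name `keys_matched` is hypothetical.

```python
import re

# Constructed sample of `certutil -L -d database` output (not from the thread).
SAMPLE_LISTING = """\

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

TestECDSA                                                    Pu,Pu,Pu
EJBCA Root CA                                                CT,C,C
Orphaned Server Cert                                         ,,
"""

# A certificate row ends with three comma-separated flag groups
# (SSL, S/MIME, object signing). Nicknames may contain spaces, so the
# nickname is everything before the final whitespace-separated token.
ROW = re.compile(
    r"^(?P<nick>.+?)\s+"
    r"(?P<ssl>[A-Za-z]*),(?P<smime>[A-Za-z]*),(?P<obj>[A-Za-z]*)\s*$"
)


def keys_matched(listing):
    """Return {nickname: bool}; True when any trust field carries 'u',
    meaning NSS found the private key for that certificate."""
    result = {}
    for line in listing.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # blank lines and the two header lines do not match
        flags = m.group("ssl") + m.group("smime") + m.group("obj")
        result[m.group("nick").strip()] = "u" in flags
    return result


if __name__ == "__main__":
    for nick, has_key in keys_matched(SAMPLE_LISTING).items():
        status = "private key found" if has_key else "no private key"
        print(f"{nick}: {status}")
```
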