Nelson B Bolyard wrote:
axi...@googlemail.com wrote, On 2009-02-03 04:09:
Is there a way to sign CRMF and create CMMF using JSS?
>
If there is, you'll find it somewhere in
http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/pkix/crmf/
CRMF requests aren't signed. I think this is a change from PKCS#10,
which does get signed by the private key belonging to the public key in
the request, in order to support encryption-only keys and just be more
flexible in general. CRMF has a thing called proof of possession (POP)
and there are several different methods of creating a valid POP to go
into the CRMF message one of which is doing a signature.
The JSS CRMF package is easy enough to use. I recommend having a copy
of the CRMF RFC (4211: http://www.faqs.org/rfcs/rfc4211.html) handy for
reference. POP is in section 4. Also, for this and several other of
the ASN.1 based protocols, I can say that looking at the JSS source code
is very helpful. They all have decoding templates which basically show
you the reverse of the proper way to construct something and it has
helped me on several occasions. What also helped is an ASN.1 decoder
that you can inspect your constructed messages. I am more partial to
the output of Peter Gutmann's dumpasn1
(http://www.cs.auckland.ac.nz/~pgut001/dumpasn1.c), but NSS has (Nelson
please correct me if I'm wrong) the pp utility.
While I haven't specifically used the CMMF package, I have used most of
the others so I would imagine it's useful for you.
Dave
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
