Kashyap Chamarthy wrote:
    certutil -G -k ec -q nistp256 -d .
    Generating key.  This may take a few moments...
<snip>
    certutil: unable to generate key(s)
    : security library failure.

I guess, you need a third party ECC module?

I must admit that I am a bit puzzled by the current state of things at times.

Quoting http://dev.experimentalstuff.com:8082/#NSS_notes: "The ECC/TLS implementation in NSS (Network Security Services) supports all of the twenty five curves defined in Section 5.1.1 of RFC 4492 and several other named curves standardized by NIST (including the three Suite B curves), SECG and ANSI."

Using NSS's ECC implementation for Java: http://blogs.sun.com/andreas/entry/elliptic_curve_cryptography_in_java

Same thing in Glassfish on the server side:
http://blogs.sun.com/swchan/entry/glassfish_with_ecc

Simple build instructions for ECC NSS:
http://dev.experimentalstuff.com:8082/compiling.html

Some Linux distributions distribute NSS built without ECC support, like Fedora. Red Hat, on the other hand, distributes NSS sort of how Java 1.6 is. It "supports" ECC but itself has no ECC implementation and you must add in a third party PKCS#11 module to gain working ECC. So Fedora ignores it, and RHEL makes it relatively easy to integrate it.

My copy of Firefox 3.5.4 running on win32 can connect to an ECC SSL web server just fine: https://ecc.fedora.redhat.com:8444/TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA/. "Congratulations! You have successfully connected to the Fedora TLS test server using Eliptic Curve Cryptography."

I also just tested EC keygen using certutil and EC SSL on both Gentoo ($Header: NSS 3.12.4.5 Basic ECC Sep 28 2009 07:58:40 $) server and OpenSuse 11.1. Both worked fine "out of the box".

So to tie all this gibberish to the thread, the OP *shouldn't* need a third party ECC library to do what he is attempting to do (as evidenced by the Windows, Gentoo and OpenSUSE builds of NSS).

I know I've had previous dealings with many of you before on this topic and don't take this as complaining...just trying to put the info out there and understand the what's and why's. I appreciate all the hard work you do.

Dave

PS Nelson, I've been trying to email you directly and haven't been getting any responses.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
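As an added example, not code from the thread: a small POSIX shell probe for the check Dave describes, which initialises a scratch NSS database before attempting the same EC keygen the thread opens with, so that a missing or uninitialised -d directory is not mistaken for a missing ECC implementation. It assumes a certutil recent enough to accept --empty-password and the sql: database prefix; the function name and the CERTUTIL override variable are my own.

```shell
#!/bin/sh
# Added example, not from the thread: probe whether the installed NSS build can
# generate an EC key, as "certutil -G -k ec -q nistp256" tries to.
# Assumptions: certutil (NSS tools) on PATH or named via CERTUTIL, recent enough
# for --empty-password and the sql: DB prefix; /dev/urandom available.

# Return codes: 0 = EC keygen works, 1 = this NSS build refuses EC keys,
# 2 = scratch database could not be created, 3 = certutil not found.
nss_ecc_check() {
    curve="${1:-nistp256}"
    certutil="${CERTUTIL:-certutil}"
    command -v "$certutil" >/dev/null 2>&1 || { echo "certutil not found" >&2; return 3; }

    # Scratch DB: a missing or uninitialised -d directory also ends in
    # "security library failure", so rule that out before blaming ECC support.
    dir=$(mktemp -d) || return 2
    if ! "$certutil" -N -d "sql:$dir" --empty-password >/dev/null 2>&1; then
        rm -rf "$dir"; return 2
    fi
    # -z supplies keygen noise; without it certutil waits for keyboard input.
    dd if=/dev/urandom of="$dir/noise" bs=64 count=1 2>/dev/null

    # stdin from /dev/null so an unexpected prompt fails instead of hanging;
    # stderr is captured so the failure text can be reported.
    err=$("$certutil" -G -d "sql:$dir" -k ec -q "$curve" -z "$dir/noise" \
          </dev/null 2>&1 >/dev/null) && rc=0 || rc=$?
    rm -rf "$dir"

    if [ "$rc" -eq 0 ]; then
        echo "EC keygen on $curve succeeded: this NSS build has working ECC"
        return 0
    fi
    echo "EC keygen on $curve failed (certutil exit $rc): $err" >&2
    echo "ECC appears unavailable: check whether your distribution built NSS with ECC or expects a PKCS#11 module" >&2
    return 1
}

# When run as a script: nss_ecc_check.sh [curve]; the verdict code is printed.
verdict=0
nss_ecc_check "$@" || verdict=$?
echo "nss_ecc_check verdict: $verdict"
```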
