On Wed, 2012-11-14 at 14:21 +0000, Gustavo Homem wrote:
> Hi,
>
> I am able to programmatically create key3.db from a script, using
>
> certutil -N -d ...

Hi Gustavo,

this simply prepares an empty database that you need for future operations.

> However this initialization does not add to this file a private key to encrypt
> the usernames and passwords that will be present on signons.sqlite.

File signons.sqlite is not managed by code at the NSS C library level. It looks like the file is managed by Mozilla's toolkit code, "mozilla/toolkit/components/passwordmgr". In order to manage the contents of such files, you should probably make use of that code.

Some additional background:

In my understanding the passwords stored by Mozilla are encrypted, and the crypto operations are performed with the help of NSS. In order to limit the exposure of the low-level NSS APIs, most Mozilla code uses an interface layer on top of NSS, and that interface layer is implemented in mozilla/security/manager (also named the PSM module).

The interface used by Mozilla's password manager for encrypting or decrypting information is called nsISecretDecoderRing, implemented in PSM, which handles the appropriate calls into NSS. Mozilla's password manager uses nsISecretDecoderRing to process the contents stored in signons.sqlite.

So, NSS is being used to process the contents of file signons.sqlite - but the management of signons.sqlite is not done by NSS.

> Question: how can I insert such a key from the command line?

You probably have to create your own little wrapper application around Mozilla, maybe using XulRunner, and call the appropriate APIs from Mozilla's password manager.

> Context: we are working on an auto-configuration script for Thunderbird that
> configures all the necessary prefs and pre-inserts the password on several
> signons.sqlite entries (ldap, smtp, caldav, carddav). Everything is working
> except the initialization of key3.db.
>
> Unless I am misreading this:
> http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
> certutil should be the tool to handle the key database

It should be clear by now that you don't want to insert into key3.db, but additional background:

key3.db is a low level storage file managed by NSS. Only NSS APIs are used to manipulate it.

Mozilla's application passwords aren't stored in key3.db. Rather, key3.db contains a symmetric key for symmetric encryption. Mozilla's password manager, with the help of nsISecretDecoderRing, makes use of the symmetric key to encrypt or decrypt passwords.

This architecture allows the use of a Master Password. If a user sets (or changes) a Master Password, the Master Password will protect all keys in key3.db - including the symmetric key used by Password Manager - without having to adjust application storage files like signons.sqlite.

Regards
Kai
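The wrapper approach Kai describes, as an added example that is not code from the thread or from Mozilla: privileged (chrome) JavaScript for a Thunderbird/XULRunner provisioning script that stores the ldap/smtp/caldav/carddav logins through nsILoginManager instead of touching key3.db. The hostnames, realms and the injected `loginManager`/`makeLoginInfo` parameters are assumptions made for this example.

```javascript
// Added example, not from the thread or from Mozilla. A provisioning script
// should not write key3.db itself: nsILoginManager encrypts each password via
// nsISecretDecoderRing, and the SDR creates its symmetric key in key3.db the
// first time it is used. Hostnames and realms below are constructed values.

const Cc = typeof Components !== "undefined" ? Components.classes : null;
const Ci = typeof Components !== "undefined" ? Components.interfaces : null;

// One entry per protocol named in the thread. Thunderbird keys mail logins by a
// "scheme://host" hostname and an identical httpRealm with no formSubmitURL;
// the same layout is assumed here for the ldap/caldav/carddav entries.
function buildLoginSpecs(username, password) {
  const hosts = {
    smtp: "smtp://smtp.example.com",
    ldap: "ldap://ldap.example.com",
    caldav: "https://caldav.example.com",
    carddav: "https://carddav.example.com",
  };
  return Object.keys(hosts).map((proto) => ({
    hostname: hosts[proto],
    httpRealm: hosts[proto],
    username,
    password,
  }));
}

// Builds an nsILoginInfo; only callable inside Mozilla (Components present).
function makeMozillaLoginInfo(spec) {
  const info = Cc["@mozilla.org/login-manager/loginInfo;1"].createInstance(Ci.nsILoginInfo);
  info.init(spec.hostname, null, spec.httpRealm, spec.username, spec.password, "", "");
  return info;
}

// Adds each spec unless a login for that hostname/realm already exists, so a
// re-run of the provisioning script neither duplicates nor overwrites entries.
// `loginManager` and `makeLoginInfo` are injected (assumption) so the logic can
// be exercised outside Mozilla; in Thunderbird pass the real service:
//   Cc["@mozilla.org/login-manager;1"].getService(Ci.nsILoginManager)
function provisionLogins(specs, loginManager, makeLoginInfo) {
  let added = 0;
  for (const spec of specs) {
    const existing = loginManager.findLogins({}, spec.hostname, null, spec.httpRealm);
    if (existing.length > 0) continue;
    loginManager.addLogin(makeLoginInfo(spec));
    added += 1;
  }
  return added;
}
```

Run it from chrome-privileged code (e.g. a XULRunner app or a Thunderbird extension) as `provisionLogins(buildLoginSpecs(user, pass), loginManagerService, makeMozillaLoginInfo)`; if a Master Password is set, NSS will prompt for it before the SDR key can be used.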
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto