Re: Generation of key pair and CSR
Hi,

I would like to create a plug-in for Firefox that, when invoked, generates a new key in the Firefox key/certificate store. Is it possible to generate a new keypair using NSS from the plug-in, or do I need to somehow call crypto.generateCRMF() via JavaScript from the plug-in?

Thanks in advance,
James

Subrata Mazumdar-2 wrote:
>
> Michael Ströder wrote:
>> Subrata Mazumdar wrote:
>>> There is a new version of KeyManager available that supports
>>> SeaMonkey.
>>
>> I'll give it a try.
>>
>> What I'm really missing are some simple functions like exporting a
>> cert received in an e-mail S/MIME signature. Things that are really
>> easy with Outlook but with Mozilla-based MUAs I had to use openssl
>> smime to extract the certs.
>>
>> Ciao, Michael.
> Yes, KeyManager supports exporting of any certificate in your Cert-DB
> and importing of temporary certs as permanent cert.
> If the cert is in your CertDB (either temporarily or permanently) and
> you can view it using Certificate Viewer of PSM, then you can either
> export the cert or import it permanently. Use the preference window to
> enable the exporting of certificate option - by default it is disabled.
>
> BTW, I have noticed that Mozilla PSM in FF3 (Beta) added support for
> exporting any certificates in your CertDB.
> --
> Subrata
>
> ___
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>

--
View this message in context: http://old.nabble.com/Generation-of-key-pair-and-CSR-tp15012279p28800556.html
Sent from the Mozilla - Cryptography mailing list archive at Nabble.com.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
How to refresh Firefox keystore
Hi,

I have an applet that uses JSS to import an RSA keypair into Firefox's keystore, as per the following code.

    import org.mozilla.jss.CryptoManager;
    import org.mozilla.jss.crypto.CryptoStore;
    import org.mozilla.jss.crypto.CryptoToken;
    import org.mozilla.jss.crypto.X509Certificate;

    // Open the NSS databases of the Firefox profile (backslashes must be doubled in a Java string literal).
    CryptoManager.initialize("C:\\Users\\James\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\y78kp7l6.default");
    CryptoManager manager = CryptoManager.getInstance();
    CryptoToken token = manager.getInternalKeyStorageToken();   // the software token backed by key3.db
    manager.setThreadToken(token);
    CryptoStore store = token.getCryptoStore();
    // privateKey is the java.security.PrivateKey generated earlier; getEncoded() returns its PKCS#8 DER encoding.
    store.importPrivateKey(privateKey.getEncoded(), org.mozilla.jss.crypto.PrivateKey.RSA);
    // pkcs7 is the DER-encoded PKCS#7 certificate package (byte[]) containing the matching certificate.
    X509Certificate cert = manager.importCertPackage(pkcs7, "My Cert");

The import is successful but the new certificate is not listed in Certificate Manager until Firefox is restarted. Is there any way of refreshing the keystore without having to restart Firefox? Basically I'd like to be able to use the new certificate immediately in a client authentication SSL session.

Many thanks.
James
Re: How to refresh Firefox keystore
I'm importing the key pair into the browser's soft token.

I can see that the cert8.db and key3.db files in the profile directory are updated and I can also see the new certificate using certutil.exe -L.

However when attempting to connect to a website that requires client SSL authentication in the same browser session (immediately following the import of the keypair), the browser does not seem to detect the new certificate. It is only after restarting Firefox that I can establish the mutual SSL session (and the imported certificate appears in Certificate Manager > Your Certificates).

Is it possible to refresh the PSM cache while the browser is running?

Thanks,
James
Re: How to refresh Firefox keystore
I notice the cert8.db and key3.db files get updated only when the JVM shuts down. That may explain why the new certificate doesn't show up. Is this (update of the db files) the expected behavior? It seems strange. Is there a way to commit the change?

Also, in addition to importing the generated key and certificate into the active profile, I want to import the key and certificate into another profile directory. What is the best way to achieve this? It seems JSS doesn't allow access to more than one profile in the same process, i.e. calling CryptoManager.initialize() again pointing to a different profile directory results in an AlreadyInitializedException.

Would using NSS directly solve the above problems (update of db files and access to more than one profile)?

Thanks for the tip on ssltap. Sounds like a handy tool... will try to set it up.

Cheers,
James

Nelson B Bolyard-2 wrote:
>
> On 2010-07-01 18:10 PDT, james07 wrote:
>> I'm importing the key pair into the browser's soft token.
>>
>> I can see that the cert8.db and key3.db files in the profile directory
>> are updated and I can also see the new certificate using certutil.exe -L.
>>
>> However when attempting to connect to a website that requires client SSL
>> authentication in the same browser session (immediately following the
>> import of the keypair), the browser does not seem to detect the new
>> certificate. It is only after restarting Firefox that I can establish
>> the mutual SSL session (and the imported certificate appears in
>> Certificate Manager > Your Certificates)
>>
>> Is it possible to refresh the PSM cache while the browser is running?
>
> I suspect that there may be another explanation for this behavior.
> It *may* (or may not) be that FF is establishing a TLS session with the
> server that is not client authenticated, and thereafter the server is
> merely content to use that same session over and over, and it never
> attempts to force the client to renegotiate a new SSL/TLS session.
>
> A tool like ssltap would tell you if that is the explanation. There's
> another way to tell as a diagnostic step. There is a way to get the
> browser to completely flush its TLS/SSL session cache. If you would
> establish the TLS session without a client cert, then import your client
> cert, and then flush all your TLS sessions, that would force the next TLS
> connection to start a new TLS session. You could do that test, manually
> flushing your TLS session cache. If that caused the client cert to be
> used in a client authentication, then you would know that the server is
> not continuing to demand client auth after the first time it negotiates
> a TLS session with only server auth.
>
> In the event that this test positively shows that continued reuse of old
> TLS sessions that were established without client authentication explains
> the behavior you see, I do NOT mean to suggest that additional flushing of
> the client's TLS session cache is the solution. It is only a diagnostic
> step. If we know the cause of the problem, then we can discuss the NUMEROUS
> different possible solutions.
>
Re: How to refresh Firefox keystore
Thanks, the new database format indeed did the trick. I'm able to see the new certificate in Certificate Manager following the import.

However I'm now getting a strange connection error when attempting to access a test web site which requires SSL client authentication. If I unset the environment variable NSS_DEFAULT_DB_TYPE (and manually import the key pair into the old key/certificate database) then I am able to connect to the web site.

Are there any additional settings required to allow SSL client authentication to work when setting NSS_DEFAULT_DB_TYPE=sql?

James

wolfoftheair wrote:
>
> Wasn't a new version of NSS released (and thus JSS) that had a cert9.db
> and key4.db? Those are SQLite3 databases, and are the only versions that
> actively support multiple processes writing to them.
>
> -Kyle H
>
Re: How to refresh Firefox keystore
Apologies. The connection error was due to sec_error_invalid_key. Setting the right key usage when importing the private key fixed it.

Thanks again everyone for your help and suggestions. Truly appreciated.

James
Link error on CERT_AddExtensionByOID
Hi,

I wish to call CERT_AddExtensionByOID() in my application. However I get "error LNK2019: unresolved external symbol _CERT_AddExtensionByOID" when building the application. Calling CERT_AddExtension() is okay. I'm using the NSS-3.12.6_NSPR-4.8.4 package. Am I missing something?

Many thanks.
Re: Link error on CERT_AddExtensionByOID
Thanks, guess I have to implement a similar function in my code then? Bit of a shame it is not being exported for public consumption. I imagine its usage would be quite common, no?

Cheers,
James

Konstantin Andreev-2 wrote:
>
> This is an ancient [bug 294538], six years (sic!) old.
>
> CERT_AddExtensionByOID, as many other functions, is declared in the public
> header (here: cert.h), but is not exported by the library.
>
> Keep well,
> Konstantin
>
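The exchange above ends with Konstantin's note that CERT_AddExtensionByOID is declared in cert.h but not exported, and James asking whether he has to write a similar function himself. What follows is an added example, not NSS code and not posted by anyone on this thread: a stand-alone C encoder that builds the DER Extension structure such a function has to produce for an arbitrary dotted OID (extnID, the DEFAULT FALSE critical flag, and the OCTET STRING-wrapped extnValue), so the resulting bytes can be handed to whatever is assembling the certificate or CSR. It assumes the caller already has the inner extension value in DER and takes care of attaching the result; the function names (der_oid_content, der_extension, der_extension_matches) are this example's own and it does not link against NSS. NSS also offers a different route that is not shown here: register the OID with SECOID_AddEntry and pass the returned SECOidTag to the exported CERT_AddExtension.

```c
/* Added example (not NSS code): encode one X.509 v3 Extension in DER.
 *   Extension ::= SEQUENCE { extnID    OBJECT IDENTIFIER,
 *                            critical  BOOLEAN DEFAULT FALSE,
 *                            extnValue OCTET STRING }
 * Build only; attaching the bytes to a CSR or certificate is the caller's job. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Write tag + DER definite length (up to 65535). Returns bytes written, 0 on overflow. */
static size_t der_header(uint8_t *out, size_t cap, uint8_t tag, size_t len)
{
    size_t need = len < 0x80 ? 2 : len < 0x100 ? 3 : len < 0x10000 ? 4 : 0;
    if (need == 0 || cap < need) return 0;
    out[0] = tag;
    if (need == 2) out[1] = (uint8_t)len;
    else if (need == 3) { out[1] = 0x81; out[2] = (uint8_t)len; }
    else { out[1] = 0x82; out[2] = (uint8_t)(len >> 8); out[3] = (uint8_t)len; }
    return need;
}

/* Encode a dotted OID ("2.5.29.19") as OBJECT IDENTIFIER content bytes (no tag/length).
 * Returns the content length, 0 on malformed input or overflow. */
size_t der_oid_content(const char *dotted, uint8_t *out, size_t cap)
{
    unsigned long arcs[32];
    size_t n = 0, len = 0, i;
    const char *p = dotted;
    while (*p) {
        unsigned long v = 0; int digits = 0;
        while (*p >= '0' && *p <= '9') { v = v * 10 + (unsigned long)(*p - '0'); p++; digits++; }
        if (!digits || n == 32) return 0;
        arcs[n++] = v;
        if (*p == '.') p++; else if (*p) return 0;
    }
    /* X.690: the first two arcs fold into one subidentifier 40*a+b; a is 0..2, b <= 39 when a < 2 */
    if (n < 2 || arcs[0] > 2 || (arcs[0] < 2 && arcs[1] > 39)) return 0;
    for (i = 1; i < n; i++) {
        unsigned long v = (i == 1) ? arcs[0] * 40 + arcs[1] : arcs[i];
        uint8_t tmp[10]; int k = 0;
        do { tmp[k++] = (uint8_t)(v & 0x7f); v >>= 7; } while (v);   /* base-128 groups, low group first */
        while (k--) {                            /* emit high group first; continuation bit on all but the last */
            if (len == cap) return 0;
            out[len++] = (uint8_t)(tmp[k] | (k ? 0x80 : 0));
        }
    }
    return len;
}

/* Encode the whole Extension. `value` is the already-DER-encoded extension payload
 * (e.g. a BasicConstraints SEQUENCE). DER forbids encoding `critical` when it is FALSE. */
size_t der_extension(const char *oid, int critical, const uint8_t *value, size_t value_len,
                     uint8_t *out, size_t cap)
{
    uint8_t oidbuf[64], body[512];
    size_t olen = der_oid_content(oid, oidbuf, sizeof oidbuf), blen, n;
    if (!olen) return 0;
    if (!(n = der_header(body, sizeof body, 0x06, olen)) || sizeof body - n < olen) return 0;
    memcpy(body + n, oidbuf, olen); blen = n + olen;
    if (critical) {
        if (sizeof body - blen < 3) return 0;
        body[blen++] = 0x01; body[blen++] = 0x01; body[blen++] = 0xff;   /* DER BOOLEAN TRUE is exactly 0xff */
    }
    if (!(n = der_header(body + blen, sizeof body - blen, 0x04, value_len))) return 0;
    blen += n;
    if (sizeof body - blen < value_len) return 0;
    memcpy(body + blen, value, value_len); blen += value_len;
    if (!(n = der_header(out, cap, 0x30, blen)) || cap - n < blen) return 0;
    memcpy(out + n, body, blen);
    return n + blen;
}

/* Self-check helper: 1 if the encoding equals `expect` byte for byte, else 0. */
int der_extension_matches(const char *oid, int critical, const uint8_t *value, size_t value_len,
                          const uint8_t *expect, size_t expect_len)
{
    uint8_t out[600];
    size_t n = der_extension(oid, critical, value, value_len, out, sizeof out);
    return n != 0 && n == expect_len && memcmp(out, expect, n) == 0;
}

int main(void)
{
    /* basicConstraints (2.5.29.19), critical, value SEQUENCE { cA TRUE }; constructed sample input */
    static const uint8_t ca_true[] = { 0x30, 0x03, 0x01, 0x01, 0xff };
    uint8_t out[64];
    size_t n = der_extension("2.5.29.19", 1, ca_true, sizeof ca_true, out, sizeof out), i;
    for (i = 0; i < n; i++) printf("%02x ", out[i]);
    printf("\n");   /* 30 0f 06 03 55 1d 13 01 01 ff 04 05 30 03 01 01 ff */
    return n ? 0 : 1;
}
```

Compile with any C99 compiler; main() prints the encoding of a critical basicConstraints CA:TRUE extension. The two DER rules most often got wrong when hand-rolling this are the ones the code comments call out: critical must be omitted entirely when FALSE, and BOOLEAN TRUE must be 0xff, not 0x01.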
Importing client SSL certificate onto external PKCS#11 token
Hi,

I have added an external PKCS#11 token via Device Manager in Firefox 3.6.15. I then import a PKCS#12 file containing a client SSL key and certificate signed by a trusted CA, specifying the external token as the key and certificate store. The import is successful however when I attempt to access a website over mutual SSL with the newly imported certificate I get an authorized error. If I restart the browser then the connection is successful.

Are SSL certs being cached by the browser? If so, is it possible to refresh the cache to include a newly imported certificate on an external PKCS#11 device without having to restart the browser?

Thanks,
James
Re: Importing client SSL certificate onto external PKCS#11 token
> There used to be a 'logout all' button somewhere in the browser. I don't
> know if it still exists. That button would flush all our SSL caches and
> force full handshakes.

Thanks... logoutAndDropAuthenticatedResources() did it for me.
Detect SSL client authentication
The nsIWebProgressListener interface includes the onSecurityChange method which indicates whether a connection is secured. However it doesn't distinguish between server authentication and client authentication. Is there a way to check whether client authentication was performed?

Thanks in advance.