PKCS #7
How can we import a PKCS #7 certificate in Firefox? It is easy with IE: just click on it and accept the next OK up to FINISH!!!
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: PKCS #7
Nelson B wrote:
> Bruno Boutteau wrote:
> > How can we import a PKCS #7 certificate or .cer in Firefox? It is easy with IE: just click on it and accept the next OKs up to FINISH!!! Thanks in advance (Certificate was delivered on crypto smart card)
>
> Bruno, why not use it on the smart card? NSS is quite happy to use your cert on a smart card, provided that you have the PKCS#11 software for that smart card installed.
>
> Do you know how to find and start the "certificate manager" dialog window from your mozilla/firefox/thunderbird/seamonkey product? You'll find an import button there, and other useful things, such as the ability to edit trust.
>
> My guess is that you want to edit trust in some issuer, and importing is unnecessary. But I'm guessing, because I don't know enough about what you're doing.

Thanks for first answer Nelson. In certificate manager U can import your PKCS#12 certificate. In IE Import is able to import X509(.cer,.crt) certificate.

I just want to declare one certificate of my crypto smart card to Firefox (Thunderbird too) but Firefox offers only PKCS#12 format for import and I have the certificate declaration in .cer and with Active Card manager I can make extraction of public information in PKCS#7 or .cer formats, those formats that Firefox can't read, if I am right!

Looking forward to reading U
Re: PKCS #7
Nelson B wrote:
> Bruno Boutteau wrote:
> > Nelson B wrote:
> > > Bruno Boutteau wrote:
> > > > How can we import a PKCS #7 certificate or .cer in Firefox? It is easy with IE: just click on it and accept the next OKs up to FINISH!!! Thanks in advance (Certificate was delivered on crypto smart card)
> >
> > Thanks for first answer Nelson. In certificate manager U can import your PKCS#12 certificate. In IE Import is able to import X509(.cer,.crt) certificate.
>
> Bruno, here's some background information you should know. When you use a certificate that identifies someone else (not you), you only need the certificate. When you use a certificate that identifies you, yourself, you need a certificate AND (most importantly) a PRIVATE KEY. The Private Key is the thing that you (your browser, your email program) use to prove (to someone else) that you really are the rightful holder of your own certificate. You cannot effectively use your own personal certificate (that identifies you) without also having the private key for it.
>
> If you're trying to move your own personal certificate into your browser, you also need to move your private key with it, because your browser cannot do anything effective with your cert unless it also has your private key. You never want to send your private key to anyone else. It's private for you alone.
>
> A .der or .cer file contains a single certificate and nothing else. It cannot also contain a private key. It's useful for holding someone else's certificate. It's also useful for sending your certificate (without your private key) to someone else. It's useful for importing someone else's certificate into your browser.
>
> A PKCS#7 file is quite different from a .der or .cer file. It can contain any number of certificates, and a few other things, but like a .cer or .der file, it cannot contain any private keys. It is useful for transporting or importing more than one certificate at a time, but (again) you cannot import your private key from it. So, if you're looking to transport your own cert and private key, a PKCS#7 file is not what you want.
>
> A PKCS#12 file contains one or more certificates AND (most importantly) a private key. It's the way to transport your own personal cert and your own private key. It also can transport certs related to your cert, such as the cert belonging to the issuer (or "authority") who issued your cert.
>
> When you go into the certificate manager dialog, there are various tabs shown there for certs belonging to different types of folks. There's a tab for your own personal certs. There's a tab for other people's email certs. There's a tab for SSL server certs, etc. Each tab has an import button that attempts to import a cert for that type of entity.
>
> When you attempt to import YOUR PERSONAL cert, certificate manager tries to open a PKCS#12 file (also called a "pfx" file) to get your cert AND your private key. In that tab, cert manager will only be satisfied with a PKCS#12 file.
>
> When you attempt to import someone else's cert, certificate manager does not attempt to open a PKCS#12 file. It attempts to open a file of any of the other types (IIRC), including PKCS7, .cer, .der, etc.
>
> Now here are some questions for you to answer. Please answer all these questions:
>
> 1. If you have received a smart card with your personal certificate and private key on it, why do you want or need to import that cert into your browser? "Importing" a cert is done when your browser has no other way to access your cert. Your browser should quite happily access your cert from your smart card, right where it is, without needing to "import" it.
>
> 2. If this is your own personal cert, why are you trying to import it without also importing the private key?
>
> > I just want to declare one certificate of my crypto smart card to Firefox
>
> Why? When you have a certificate and private key in a smart card, you don't need to declare them or import them at all. Firefox is able to find your certs on your smart card (if it sees the smart card at all, which depends on having the proper software installed) and doesn't need any separate "importing" to use certs on a smart card.
>
> By the way, this is also true for IE. If your smart card software is working properly, and all the necessary software is installed, you don't need to import any certificate files for IE to work, either.
>
> > (Thunderbird too) but Firefox offers only PKCS#12 format for import and I have the certificate declaration in .cer and with Active Card manager I can make extraction of public information in PKCS#7 or .cer formats, those formats that Firefox can't read, if I am right!
>
> Extracting your certificate (without your private key) into a .der, .cer or PKCS7 file (none of which contain your private key) is (or may be) a useful way to send a copy of your certificate, alone, to someone else. It is not a useful way for you to get your cert and private key into your browser and email programs, because they also need your private key. I suspe
Importing CRL using NSS API
Hi! I'm trying to import a CRL (in DER format) using NSS API. Since 3.4 API does not have an import function available, I took the source code from the crlutil and massaged it to fit into our application. The crlutil code, however, uses method SECU_ReadDERFromFile, which is not exported as public, and I get a failure during linking stage trying to use sectool.lib. What's the easiest way to make this function publicly available? I tried modifying nss.def in nss/lib/nss, but I'm not sure how to link sectool during nss.lib build; it seems to be built separately at a later stage. I'd appreciate any hints. Thanks.
Re: Mozilla CA Certificate Policy (Version 1.1) amendment recommendations
Dear Moo, I pray this somehow gets to you, and I hope it makes sense to you. As you know I'm still Novice and I'll be leaving here a Novice. One thing I know for sure you have a lot of followers that are Novices also. I can only speak for me, so many things are way above my head, so I do a lot of reading till I at least get the hang of it, not enough to be able to help but enough to know where you're heading, enough to know a few of your people who had spoken with forked tongues. I'm now putting a word in for the other Novices. There are quite a few who want to help but are totally lost in the language of the development of Programs. I don't know if there is any way you and your teams can break the language down into laymen terms even if it's something simple that they can contribute.

As for me you know where I stand and it's not getting better, only worse. I want to thank you for everything I don't know what I would have done without you. As for that new Server I've been informed they don't forward my mail, and they're bugging the heck out of me to place them as my home page. You know me I don't stick around long enough to give them an answer I sure hope you receive this, it's been a while, but I lost everything on my last crash, including all my pictures. Well my friend I PRAY everything works out for you and your great TEAMS my thoughts are always with you.

Best Regards, Always ***

C.J. Adams-Collier wrote:
> As Eddy said, discussion of amendments to the Policy are a bit off topic for threads about certificate inclusion.
>
> 1) This policy does leave a loophole in regards to domain ownership. It seems to me that the policy should make continued inclusion contingent on continued domain ownership by the entity originally requesting inclusion.
>
> 1a) This loophole could be closed if domain (and thus, CA) ownership transfer triggered a review of policy compliance or revoked inclusion outright.
>
> 1b) Perhaps QA should add an automated "continued ownership verification" step to its pre-release regression suite, if one does not already exist.
>
> 2) Since there is a period of public review before CA inclusion is confirmed, it seems that the required documents should be required to be in a format viewable by the public.
>
> 2a) I recommend that we advise applicants to review rfc2527
>
> 2b) I do not consider ".doc" files generated by "Microsoft Office Word" to fall into the category of "viewable by the public." This file format is proprietary, undocumented, and has historically varied when "open" document readers are implemented.
>
> 2c) I recommend that we require that documents be presented in the current "lingua franca," and that their content be encoded as utf8
>
> 3) There is currently no definition of how recently an audit must have been performed by a trusted third party, only that one must have been performed.
>
> 3a) I recommend that we place a reasonable limit on how recently an audit must have been performed before accepting an application for certificate inclusion.
>
> 3b) I recommend that CAs be required to provide proof of a successful audit at reasonable intervals for continued inclusion. I leave it up to the list to decide what "reasonable" means. For reference, Washington State requires that electrical licenses be renewed every two years.
>
> 3c) I recommend that if an application process exceeds a year prior to approval, the applicant be required to provide proof of an additional successful audit prior to the continuation of the approval process
>
> Thoughts?
>
> C.J.
Using the NSS API to create CMS/PKCS#7 signatures with multiple signers (co-signatures)
Hi everybody, I'm trying to use NSS for adding a new signer to a previously computed CMS signature, but I can't achieve that, and I have found examples nowhere. The first signature is made with the call sequence: NSS_CMSMessage_Create / NSS_CMSSignedData_Create / NSS_CMSSignerInfo_Create / NSS_CMSMessage_GetContentInfo / NSS_CMSSignedData_GetContentInfo / NSS_CMSSignerInfo_Create / NSS_CMSEncoder_Start / NSS_CMSEncoder_Update / NSS_CMSEncoder_Finish. I thought maybe I can decode the first CMS data with NSS_CMSDecoder_* functions to retrieve a NSSCMSMessage structure, and then create a new signer info with NSS_CMSSignerInfo_Create, but I don't know what to do next (and how to trigger the cryptographic operations with the certificate). Maybe somebody has already done something like that... Thanks a lot. Nate.
PK11_DigestBegin vs MD5_Begin()
For creating hash I found 2 sets of APIs. There seem to be different APIs. E.g. CreateDigestContext(SECOidTag hashAlg) and PK11_DigestBegin related APIs in https://developer.mozilla.org/en/NSS/Cryptography_functions or MD5_Begin() and related hash API from ("hash"_Begin etc) http://mxr.mozilla.org/security/source/security/nss/lib/freebl/md5.c and other hashing alg files. Which one should be used?
Hashing function in NSS
Hi, I am trying to create APIs which will provide Hashing functionality to end user. I am using NSS to provide this on Linux. I was trying to find the correct APIs in NSS to provide this functionality and I was confused. There seem to be different APIs. E.g. CreateDigestContext(SECOidTag hashAlg) and related APIs in https://developer.mozilla.org/en/NSS/Cryptography_functions or MD5_Begin() and related hash API from http://mxr.mozilla.org/security/source/security/nss/lib/freebl/md5.c and other hashing alg files. Which one should be used? Thanks
Re: Hashing function in NSS
On Mar 23, 12:05 pm, Honza Bambas wrote:
> On 3/22/2011 10:29 PM, Crypto User wrote:
> > Hi,
> > I am trying to create APIs which will provide Hashing functionality
> > to end user. I am using NSS to provide this on Linux.
> > I was trying to find the correct APIs in NSS to provide this
> > functionality and I was confused.
> > There seem to be different APIs.
> > E.g. CreateDigestContext(SECOidTag hashAlg) and related APIs in
> > https://developer.mozilla.org/en/NSS/Cryptography_functions
> > or
> > MD5_Begin() and related hash API from
> > http://mxr.mozilla.org/security/source/security/nss/lib/freebl/md5.c
> > and other hashing alg files.
> > Which one should be used?
> > Thanks
>
> Probably a good example of how to use NSS api is to look at the XPCOM
> wrappers here: http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/sr...
>
> Just check HASH_* function calls.
>
> Also this header might tell you what you
> need: http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/freebl...
>
> -hb-

But the document on the mozilla website http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn5.html talks about using pk11_digest* APIs. Are they outdated/not to be used? Should we use freebl library instead?
Thanks
-A
undefined reference to `PK11_CopyToSlot'
Hi,
I am trying to use this method to move my symmetric key to the key for wrapping. When I use this method, I get

undefined reference to `PK11_CopyToSlot' collect2: ld returned 1 exit status

which is linker error. I am including the pk11priv.h file. I have the latest nss library after using su -c 'yum update nss' on my fedora linux. What can I do to get rid of this error?
Thanks
-A
Re: undefined reference to `PK11_CopyToSlot'
On May 25, 11:33 am, Crypto User wrote:
> Hi,
> I am trying to use this method to move my symmetric key to the key
> for wrapping.
> When I use this method, I get
> undefined reference to `PK11_CopyToSlot' collect2: ld returned 1 exit
> status
> which is linker error.
> I am including the pk11priv.h file.
> I have the latest nss library after using
> su -c 'yum update nss' on my fedora linux.
> What can I do to get rid of this error?
> Thanks
> -A

Hi,
Can somebody pl shed some light on why this might be happening? I am using Ubuntu and fedora core. Both give me the same issue. This is a very critical function for moving around keys for wrapping and unwrapping and I am stuck.
Thanks
Re: undefined reference to `PK11_CopyToSlot'
On May 25, 11:33 am, Crypto User wrote:
> Hi,
> I am trying to use this method to move my symmetric key to the key
> for wrapping.
> When I use this method, I get
> undefined reference to `PK11_CopyToSlot' collect2: ld returned 1 exit
> status
> which is linker error.
> I am including the pk11priv.h file.
> I have the latest nss library after using
> su -c 'yum update nss' on my fedora linux.
> What can I do to get rid of this error?
> Thanks
> -A

Is this function not exported in the libnss3.so files? I did nm -D libnss*.so |grep PK11_CopyToSlot, which returned nothing. Which version of .so files will contain this function?
Re: undefined reference to `PK11_CopyToSlot'
On Jun 11, 5:57 am, Nelson B Bolyard wrote:
> On 2011-06-10 16:43 PDT, Crypto User wrote:
> > On May 25, 11:33 am, Crypto User wrote:
> > > Hi,
> > > I am trying to use this method to move my symmetric key to the key
> > > for wrapping.
> > > When I use this method, I get
> > > undefined reference to `PK11_CopyToSlot' collect2: ld returned 1 exit
> > > status
> > > which is linker error.
> > > I am including the pk11priv.h file.
> > > I have the latest nss library after using
> > > su -c 'yum update nss' on my fedora linux.
> > > What can I do to get rid of this error?
> > > Thanks
> > > -A
> >
> > Is this function not exported in the libnss3.so files?
> > I did nm -D libnss*.so |grep PK11_CopyToSlot, which returned
> > nothing.
> > Which version of .so files will contain this function?
>
> I see no function by that name in the NSS source files.
>
> http://mxr.mozilla.org/security/search?string=PK11_CopyToSlot&case=on
>
> shows nothing. On the other hand, there is a function named
> pk11_CopyToSlot (notice the difference in capitalization). As the
> capitalization suggests, it is a private function of pk11wrap, not
> exported. See
>
> http://mxr.mozilla.org/security/search?string=PK11_CopyToSlot
>
> --
> /Nelson Bolyard

In that case is there any alternative to moving a key to different slot? The doc at http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn5.html tells

- To move a Symmetric key
PK11SymKey *destSymKey = pk11_CopyToSlot(destslot, wrapMech, CKA_UNWRAP?, origSymKey);

Thanks
PK11_pubEncrypt/decryptRaw and PK11PubEncrypt/privdecryptPKCS1
Hi,
I have a couple of questions regarding the RSA encrypt/decrypt operations.

1. PK11PubencryptRaw does not support any padding, so it will encrypt data only = to the modulus length. Is that correct? So what happens if data is less than modulus length? It does not seem to fail if you give the modulus_len to the PK11_PubEncryptRaw. But not always it creates the right results while decrypting. So, should the length of the data being encrypted and decrypted be exactly the same as modulus length?

2. If I use PK11_pubEncryptPKCS1 to encrypt the data (no matter what length, data which is successful using PK11_PubEncrypt/decryptRaw) I get error -8023. How can I use PKCS1 padding encrypt/decrypt in NSS?

Thanks
-A
Re: PK11_pubEncrypt/decryptRaw and PK11PubEncrypt/privdecryptPKCS1
Ok. So I got it that Encrypt and decrypt Raw supports no padding. So the data has to be exactly the length of modulus. Correct? But, PK11_pubEncryptPKCS1/ PK11_PrivDecryptPKCS1 gives error -8023. Can anybody pl. provide any pointer? Thanks
Re: PK11_pubEncrypt/decryptRaw and PK11PubEncrypt/privdecryptPKCS1
On Jun 22, 11:56 am, Robert Relyea wrote:
> On 06/22/2011 10:54 AM, Crypto User wrote:
> > Ok. So I got it that Encrypt and decrypt Raw supports no padding. So
> > the data has to be exactly the length of modulus. Correct?
>
> Right. If you try to encrypt something smaller than the modulus, it will
> assume it's zero padded.
>
> > But, PK11_pubEncryptPKCS1/ PK11_PrivDecryptPKCS1 gives error -8023.
>
> yeah, I wanted to respond to this last night, but I was on my way out
> and didn't have time to convert the error number. We have a utility
> function that prints out the error in a more human readable format, but
> not all nss packages include it (it's in a static library used by the
> NSS tools). The function is:
>
> const char *SECU_Strerror(PRErrorCode errNum)
>
> and can be found in mozilla/security/nss/cmd/lib/secerror.c
>
> -8023 is PKCS#11 Device error. Softoken returns this when the
> underlying freebl engine returns an error.
>
> This could be because: 1) There is something wrong with the key, 2)
> There is something wrong with the data you passed to Decrypt (the result
> was not PKCS #1 wrapped and therefore invalid), or 3) you are trying to
> encrypt too much data (you can't encrypt more than modulus length - 11
> bytes).
>
> So some more questions for you:
>
> Is both PK11_PubEncryptPKCS1 and PK11_PrivDecryptPKCS1 returning this
> error? Using the exact same keys as the Raw case? What is the data you
> are trying to encrypt?
>
> Having a sample of the failing code would probably be more helpful.
>
> bob
>
> > Can anybody pl. provide any pointer.
> > Thanks

The PubEncryptPKCS1 works but the PrivDecryptPKCS1 does not work. It still gives error -8023. The same keys work for pubencrypt/decryptRaw with the changes in the data length (128 for 1024 RSA). For PKCS1 I have 111 bytes of data. I encrypt the data and write out to a file and then read it from the file for decryption again. I follow the same technique for symmetric encrypt/decrypt and it works. So I know my writing out routines do not add any extra stuff. My code is part of a bigger scheme of code but here are the snippets - Let me know if it is illegible.

    signed int AsymmetricDecrypt(CCS_Context *ccsContext,
                                 CCS_CryptParameters *decryptionParams,
                                 CCS_Stream_Input *cipherText,
                                 unsigned int cipherTextLength,
                                 CCS_Stream_Output *plainText,
                                 unsigned int *plainTextLength)
    {
        signed int err = CCS_Success;
        SECKEYPrivateKey *privateKey = NULL;
        int modulus_length = 0;
        int offset = 0; /* seek position in the stream */
        int numBytesToRead = 0; /* numBytes to read from the stream at a time */
        unsigned char *dataBuffer = 0;
        size_t numBytesRead = 0; /* num bytes read from the stream */
        unsigned char *decryptedText = NULL;
        unsigned int decryptedTextLen = 0;
        unsigned int isLastBlock = 0;
        int blockNum = 0;

        if ((err = getUnWrappedPrivateKey(decryptionParams->key, &(decryptionParams->keyWrapParams), &privateKey)) != CCS_Success) {
            CCS_DebugOut(CCS_DEBUG_LEVEL_ERROR, "import of SymmetricKey failed with error code %d %s %d \n", err, __FILE__, __LINE__);
            goto cleanup;
        }
        modulus_length = PK11_GetPrivateModulusLen(privateKey);
        if ((dataBuffer = (unsigned char*)malloc(cipherTextLength * sizeof(unsigned char))) == NULL) {
            err = CCS_OutOfMemoryError;
            goto cleanup;
        }
        if ((decryptedText = (unsigned char*)malloc(modulus_length * sizeof(unsigned char))) == NULL) {
            err = CCS_OutOfMemoryError;
            goto cleanup;
        }
        /* Position the stream offset at 0 to start. */
        if ((err = CCS_Stream_Input_seek(cipherText, offset, CCS_Stream_SeekBeg)) != CCS_Success) {
            CCS_DebugOut(CCS_DEBUG_LEVEL_ERROR, " CCS_Stream_Input_seek() call failed with error code %d %s %d\n", err, __FILE__, __LINE__);
            goto cleanup;
        }
        while (!isLastBlock) {
            /* Read data in blocks of modulus_length */
            numBytesToRead = (cipherTextLength > modulus_length) ? modulus_length : cipherTextLength;
            if ((err = CCS_Stream_Input_rea
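
The size limit and the two block layouts described in the quoted reply above, as an added example that is not part of the original thread and is not NSS code: it builds and parses the PKCS #1 v1.5 encryption block (00 02 PS 00 data) with no RSA math and no NSS calls. All function names are hypothetical, and the leading-zero layout for the raw case is an assumption made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define PKCS1_OVERHEAD 11   /* 0x00 0x02, at least 8 bytes of PS, 0x00 */
#define MAX_K 512           /* largest modulus size (bytes) this demo handles */

/* Largest message that fits under a k-byte modulus with PKCS#1 v1.5 padding. */
size_t pkcs1_max_payload(size_t k) { return k < PKCS1_OVERHEAD ? 0 : k - PKCS1_OVERHEAD; }

/* Fill buf with n random bytes, none of them zero (PS must not contain 0x00). */
static int nonzero_random(unsigned char *buf, size_t n) {
    FILE *f = fopen("/dev/urandom", "rb");
    size_t i = 0;
    int c = 0;
    if (!f) return -1;
    while (i < n && (c = fgetc(f)) != EOF)
        if (c != 0) buf[i++] = (unsigned char)c;
    fclose(f);
    return i == n ? 0 : -1;
}

/* Build em = 00 || 02 || PS || 00 || msg (k bytes). -1 if msg is too long. */
int pkcs1_pad(unsigned char *em, size_t k, const unsigned char *msg, size_t mlen) {
    size_t pslen;
    if (k < PKCS1_OVERHEAD || mlen > pkcs1_max_payload(k)) return -1;
    pslen = k - mlen - 3;
    em[0] = 0x00; em[1] = 0x02;
    if (nonzero_random(em + 2, pslen) != 0) return -1;
    em[2 + pslen] = 0x00;
    memcpy(em + 3 + pslen, msg, mlen);
    return 0;
}

/* Parse a decrypted block: payload length (offset in *off) or -1. Format demo only, not constant time. */
long pkcs1_unpad(const unsigned char *em, size_t k, size_t *off) {
    size_t i = 2;
    if (k < PKCS1_OVERHEAD || em[0] != 0x00 || em[1] != 0x02) return -1;
    while (i < k && em[i] != 0x00) i++;
    if (i == k || i < 10) return -1;   /* no separator, or PS under 8 bytes */
    *off = i + 1;
    return (long)(k - i - 1);
}

/* "Raw" input shorter than the modulus, assumed here to be left-padded with zeros. */
int raw_left_pad(unsigned char *blk, size_t k, const unsigned char *msg, size_t mlen) {
    if (mlen > k) return -1;
    memset(blk, 0, k - mlen);
    memcpy(blk + (k - mlen), msg, mlen);
    return 0;
}

/* 1 if an mlen-byte constructed message survives pad + unpad for a k-byte key. */
int roundtrip_ok(size_t k, size_t mlen) {
    unsigned char msg[MAX_K], em[MAX_K];
    size_t off = 0;
    if (k > MAX_K || mlen > MAX_K) return 0;
    memset(msg, 0xA5, mlen);                      /* constructed sample data */
    if (pkcs1_pad(em, k, msg, mlen) != 0) return 0;
    return pkcs1_unpad(em, k, &off) == (long)mlen && memcmp(em + off, msg, mlen) == 0;
}

/* 1 if a raw zero-padded block is refused by the PKCS#1 parser. */
int raw_block_rejected(size_t k, size_t mlen) {
    unsigned char msg[MAX_K], blk[MAX_K];
    size_t off = 0;
    if (k > MAX_K || mlen > k) return 0;
    memset(msg, 0xA5, mlen);                      /* constructed sample data */
    return raw_left_pad(blk, k, msg, mlen) == 0 && pkcs1_unpad(blk, k, &off) == -1;
}

int main(void) {
    printf("max=%zu fit111=%d fit118=%d raw_rejected=%d\n", pkcs1_max_payload(128),
           roundtrip_ok(128, 111), roundtrip_ok(128, 118), raw_block_rejected(128, 111));
    return 0;
}
```

With a 1024-bit key (128-byte modulus) the limit is 117 bytes, so 111 bytes of input is within it and cause 3 in the quoted list does not apply to that input. A block that was produced by the raw path does not parse as a PKCS #1 block, which is the situation cause 2 describes.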