Re: ECC DER Signing

2010-01-14 Thread Kyle Hamilton
Are you certain that certutil is using the version of the NSS library that has ECC support compiled in? Most *nixes have a command called 'ldd' or such that will print the list of dynamic libraries that an executable depends on, as well as what files the system is using to match them. Windows has

Re: ECC DER Signing

2010-01-14 Thread Kai Chan
Correction: certutil -R -s "CN=ectest, O=ectest, L=ectest, ST=ectest, C=US" -p "123-456-7890" -o ectest.req -d . -k ec -q nistp256 -Z SHA256 During the parameter parsing in certutil_main() in cmd/certutil/certutil.c, the '-Z' option should call SECU_StringToSignatureAlgTag() in cmd/lib/secutil.c a

Re: ECC DER Signing

2010-01-14 Thread Kai Chan
Thank you both for your responses. Yes, you are correct. I've compiled NSS with "NSS_ENABLE_ECC" and I can make EC keys, but am having problems with CSRs. Perhaps I'm doing something wrong with this certutil command: certutil -R -s "CN=ectest, O=ectest, L=ectest, ST=ectest, C=US" -p "123-456-78

Re: ECC DER Signing

2010-01-14 Thread Robert Relyea
On 01/14/2010 01:36 PM, Kai Chan wrote: > Hi, > > NSS has ECDSA with SHA1 enabled in SEC_DERSignData() in secsign.c ( > http://mxr.mozilla.org/security/source/security/nss/lib/cryptohi/secsign.c), > but will ECDSA with SHA256 and higher be supported in the future? Or is > this something as simple

Re: ECC DER Signing

2010-01-14 Thread Wan-Teh Chang
2010/1/14 Kai Chan : > Hi, > > NSS has ECDSA with SHA1 enabled in SEC_DERSignData() in secsign.c > (http://mxr.mozilla.org/security/source/security/nss/lib/cryptohi/secsign.c), > but will ECDSA with SHA256 and higher be supported in the future?  Or is > this something as simple as adding to the swi

ECC DER Signing

2010-01-14 Thread Kai Chan
Hi, NSS has ECDSA with SHA1 enabled in SEC_DERSignData() in secsign.c ( http://mxr.mozilla.org/security/source/security/nss/lib/cryptohi/secsign.c), but will ECDSA with SHA256 and higher be supported in the future? Or is this something as simple as adding to the switch statement, since the other

Certificate Extensions

2010-01-14 Thread Kai Chan
Hi, I was looking over Tech Note 3 ( http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn3.html) about certificate extensions. Could anyone comment on the new values in SECCertUsageEnum (certUsageUserCertImport, certUsageProtectedObjectSigner, certUsageAnyCA) and how they might affect k