Peter Djalaliev wrote:
Found it. Thanks anyway.
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
Go again and post what you found. I'm sure others may trip over the same
issue.
Frank Hecker wrote:
Wan-Teh Chang wrote:
Gervase Markham wrote:
I am interested in investigating with the NSS developers whether it
would be possible to restrict a particular root certificate to
signing end entity certificates only for domains with a particular TLD.
In this context Gerv
Nic James Ferrier wrote:
If there was a handler in FF for pkcs12 is that what it should do:
auto-import the certificate?
yes, The user will still be prompted for the password of the PKCS 12
file, and if he has more than one writable token, he will be prompted
for where the cert and ke
Nic James Ferrier wrote:
Bob Relyea <[EMAIL PROTECTED]> writes:
You can do the one shot by having mozilla generate the key with the
java-script crmf interface.
(http://developer.mozilla.org/en/docs/JavaScript_crypto#Generating_Keys_and_issuing_User_Certificates)
The example o
Nic James Ferrier wrote:
I'm trying to do one shot key registration and import.
The idea is that people enter some data in an HTML form, press submit,
server side code receives the form, generates a private key and a
certificate, generates pkcs12 and sends it back to the user, causing
the user t
David Stutzman wrote:
We're using NSS/NSPR and JSS in different products we are currently
developing.
We're not making any proprietary/private changes to NSS/NSPR or JSS.
We're strictly using the "libraries". In the case of NSS/NSPR what we
plan on distributing are the shared libraries compi
Paul Hoffman wrote:
At 6:55 AM -0500 1/18/07, David Stutzman wrote:
The libs aren't in your system's libpath. You can either move all
the .so's into /usr/lib, or another location already in the libpath,
or add the directories with the nss and nspr shared libs to
/etc/ld.so.conf and then run l
Wolfgang Eibner wrote:
"Bob Relyea" <[EMAIL PROTECTED]> wrote:
Just to get this straight:
1. You have a CD with *encrypted* content (the content is already
encrypted on the CD).
2. You wish to browse to that content using the file:// url to read the
content.
3. The cont
Wan-Teh Chang wrote:
Also could someone tell me where the regress and reporter source is
available to download, I read on the mozilla website "The Netscape
PKCS #11 test suites make use of two testing tools whose source is
available with the source for the test suites "
I have the source c
Wolfgang Eibner wrote:
"dolphinling" <[EMAIL PROTECTED]> wrote:
Wolfgang Eibner wrote:
Hi!
I would like to have a Firefox (Portable) started from a CD and showing
HTML files from the CD. The html files on the cd should be encrypted
because so they can't be copied from the CD easily.
Honzab wrote:
Hi, I am developing an extension for Firefox that uses NSS for
cryptography. I would like to use RNG_SystemRNG function to gain random
noise from OS. This seems to be the best way to initialize my own
secured random generator. Problem is that this function is declared in
private hea
prodizy wrote:
Hi,
Is it possible to access NSS methods from an XPCOM DLL(of my
extension)? I mean, methods that are used by Firefox for hashing the
master password, encrypting the private key that is used to encrypt the
data etc(HashPassword(), SHA1_Update() etc). Or should I look for a
third
Biswatosh wrote:
So, when you say that I should put one in nss/cmd/lib, can it access
mpi functions from there?
No, the only place that can access mpi is freebl (not even softoken has
access to mpi). That would make any mpi printing routines useless for
anything but mpi debugging.
Or, is it
Biswatosh wrote:
Hi,
Does there exist any utility to print a SECItem in any radix format
and the
inverse utility? That is, given any array of hexas.,octets or of any
radix, I should
be able to convert it to a SECItem?
There should be some utilities for this under nss/cmd/lib, but not the
ge
e) at
SmimeDecoder.cpp:111
#8 0x0804dfbe in smime::SmimeDecoder::PutCipherText (this=0x862a7a8,
buffer=0x862a060, lenght=1857, isFinal=true) at SmimeDecoder.cpp:76
#9 0x0804c609 in main (argc=1, argv=0xbff93444) at nss.cpp:171
Bob Relyea wrote:
Bob Relyea wrote:
sh wrote:
Hi there, I n
Bob Relyea wrote:
sh wrote:
Hi there, I need a little CMS wrapper. I need to decode S/MIME message
chunk by chunk. I started to make it based on cmsutil. But I receive
"segmentation fault" every time on call NSS_CMSDecoder_Update. What's
wrong?
2) (most likely) you are passing a C+
sh wrote:
Hi there, I need a little CMS wrapper. I need to decode S/MIME message
chunk by chunk. I started to make it based on cmsutil. But I receive
"segmentation fault" every time on call NSS_CMSDecoder_Update. What's
wrong?
Without review your code, I would guess your problem may fall in one of
2 a
Jim Spring wrote:
I've checked the PKCS11 FAQ and it doesn't list all of them,
so I was curious if there is a definitive list of the hard
coded mechanisms that Firefox (and Thunderbird) use? For
instance, KeyGen uses CKM_RSA_PKCS. I'm looking for a short
cut to trudging through the source :)
T
Matt England wrote:
Mozilla-NSS community-
We have some questions regarding the usage of your NSS/NSPR libraries
with our (Cleversafe's) software. I collected these questions (from
Jason Resch and Wesley Leggette) below. Please let me know if this is
not an appropriate forum for these quest
Nelson B wrote:
jayasree bhattacharya wrote:
Thanks Nelson for ur reply. My confusion is less but
still there.
The doubts are:
a)When certutil generates keys, pvt key is stored in
keydb but where is pub key stored? I am not creating
any cert but just generating keys.
If I recall corre
Biswatosh wrote:
As a sequel to the earlier mail about the way to extract infos from a
Cert Req file,
I have this to discuss.
As I understand, CertReq is a PKCS 10 structure and so the min.
members would be
1)Name and 2)SubjectPublicKeyInfo ,at least.
Now, do we need to identify an orphan key
Christian Bongiorno wrote:
I am currently writing a PKCS11 module for a new card that is required
by policy to have 3 certs for 3 different uses (I have no idea why).
There is 1 for client authentication, 1 for signing emails, and 1 for
encryption. When I go to use firefox for client authentica
Wei Shao wrote:
Hi,
if I need to populate a OCTET_STRING for DER encoding, how shall I
prepare the SECItem structure?
I need to call this method,
SECStatus
DER_Encode(PRArenaPool *arena, SECItem *dest, DERTemplate *dtemplate,
void *src)
where src is a pointer to SECItem structure. How shall
Wei Shao wrote:
Hi,
I used a self-signed CA to sign another user certificate. Then I run
certutil -V for verification of the signed cert.
I get this error,
"certificate is invalid: Peer's certificate has been marked as not
trusted by the user."
how did you import the certs? (what does the tr
ben wrote:
Hi there,
I'd like to know does the call a local PKCS11 module, and how
does it store the key pair into the local key store and how I can know
which PKCS11 module will be used if there are more than two?
PSM looks up all the writable tokens that are capable of handling the
partic
Christian Bongiorno wrote:
I am currently trying to sign some data in tbird and the signature is
not valid.
The incoming data I get (C_Sign()) is an ASN1_STRING of the SHA1 hash
of the message. Currently, I am encrypting the whole thing and
returning raw data back.
Should I be decoding the
Christian Bongiorno wrote:
Ok, I have spent over a week tweaking and toying with things and,
although I believe I am dead on, for some reason, thunderbird will not
accept the certificate on my card as valid.
What does this mean? Does your cert not show up in the certificate
viewer, does your ce
Wan-Teh Chang wrote:
The first LXR link shows that ulMaxSessionCount=1 is handled as a
special case.
That's correct. If a token is rw and only has one session, NSS will open
that session up rw so it doesn't end up closing and opening that session
every time it needs to write an object.
bob
Sideswipe wrote:
I am currently developing a PKCS11 module for the PIV card and for some
reason, the NSS subsystem in thunderbird infinitely loops on 7 startup
calls -- you know, all the 'getInfo' functions as well as the
C_OpenSession. Inlined is my spylisting using the opensc spy tool. The
modu
Anders Rundgren wrote:
Both your root.cert and cacert.cert seem to have same serial number and
issuer. That is forbidden.
AFAIK each CA has its own serial number space. This should make it OK
to reuse a serial number even within a CA hierarchy. It would be an error if
I let the root sign
NSS (and therefore mozilla products) do not do automatic fetching of
certificates at this point in time.
Currently all protocols have a way of transmitting the necessary
intermediate certificates, and mozilla products depends on these protocols.
Automatic fetching is a PKIX feature, and is tar
[EMAIL PROTECTED] wrote:
[EMAIL PROTECTED] wrote:
Wan-Teh Chang wrote:
[EMAIL PROTECTED] wrote:
Wan-Teh Chang wrote:
Why would you like to use the CFB mode?
Because that's what the current (non-NSS) code does. I'd rather just
port, not change, the code.
shinigami wrote:
Are you two working together, by any chance?
Yes, in the same project. Sorry for duplicated post. A communication
mistake.
Now I will go to try explain my situation.
I'm developing a java application. My application already lists the tokens and
modules when they are inserted bef
David Stutzman wrote:
In FIPS mode, the NSS cryptographic module imposes the following
requirements on the password.
* The password must be at least seven characters long.
* The password must consist of characters from three or more
character classes. We define five character classes:
Passwords are encrypted with a Fix 3DES key stored in the key3.db. That
key is wrapped with a PBE (your master password). You can access this
key from an application using NSS's SDR interface (Secret Decoder Ring).
Example applications that can read and decode these passwords can be
found in moz
Matthew Gertner wrote:
We want our extension to have its own certificate database, separate
from the one used by Firefox. Apparently this will be possible with
NSS 3.11, but I was told that there might be an issue with the
internal data structures. If PSM handles global initialization, will
ou
Anders Rundgren wrote:
Have I gotten this right?
1. Mozilla PKI client support (FF's TLS-client-auth, FF's signText and
TB's S/MIME), requires that the CA certificate is known and trusted
by the local client software?
No, TLS-client-auth only requires enough of the chain to recognize the
CA
David Stutzman wrote:
I created a new security database with modutil, added a root module to
it and then attempted to generate a key using certutil and received an
I/O error:
# certutil -G -k rsa -g 1024 -d .
certutil: unable to generate key(s)
: An I/O error occurred during security authoriza
Hi Oscar.
Thanks,
So yes, the failure to find your token is a failure in firefox (psm in
this case) to find a token that can do CKM_RSA_PKCS. Firefox looks for
tokens that are writable that can do the PKCS mechanism since pretty
much all its operations are done with PKCS.
Oscar So wrote:
Nelson Bolyard wrote:
Frank Hecker wrote:
From Slashdot I found this New York Times story
http://www.nytimes.com/2006/08/21/technology/21storage.html
on Cleversafe, an open source project to develop a dispersed data
storage system to store data in encrypted form using an "m of n"
recovery t
Oscar So wrote:
Hi,
If my PKCS#11 module only supports CKM_RSA_PKCS_PSS padding
(not even PKCS#1 padding), in C_GetMechanismList,
should it just return the following CKMs:
CKM_RSA_PKCS_KEY_PAIR_GEN
CKM_RSA_PKCS_PSS
CKM_RSA_X_509
CKM_SHA_1
Since I am only returning these CKMs, FireFox does not rec
prodizy wrote:
Hi,
If the key3.db is deleted, all the forms & passwords remembered by
Firefox are lost? Isn't it a bad thing?
Actually you should only lose the passwords. That is because the
passwords are encrypted with a key stored in key3.db and protected by
your password.
If you st
Balint Balogh wrote:
Hello
In general, this cannot be done. It is possible to put "name constraints"
on CAs that are subordinate to a root CA, but not generally on root CAs.
I was afraid of getting an answer like this but thanks for replying anyway. :)
This is the general problem P
Michiel van Meersbergen wrote:
Hello list,
I'm running into some trouble with the SEC_PKCS7DecodeItem function. The input for this function is a PKCS#7 EnvelopedData object, which contains just one recipient, a session key (encrypted with the recipients' public key) and the encrypted content
Dave Pinn wrote:
Is there a Mozilla utility with which I can attempt to import a
certificate *into* my PKCS#11 module?
If you are talk
Rich Raffenetti wrote:
Does that mean it's a DIY solution?
At this point, yes, though it's a pretty small level of work to install
and run it.
bob
"Robert Relyea" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
On Mon, 2006-07-31 at 21:52 -0500, Rich Raffenetti wrote:
Dan M wrote:
Re-read my initial post, and I asked the wrong question. It was written in
haste, my apologies. Let me clarify...
We're actually not looking to replace the SSL engine in Firefox, but just
use a different crypto provider (I was thinking OpenSSL crypto "engine" when
I wrote the m
[EMAIL PROTECTED] wrote:
Thanks again Nelson for so rich and detailed information.
I try to answer your questions :
Now here are some questions for you to answer. Please answer all these
> questions:
>
> 1. If you have received a smart card with your personal certificate
and private key on
David Stutzman wrote:
Hello again,
First off, thanks for the help on the previous issue Nelson.
I'm playing around here just trying to do some simple things to ramp
up my knowledge of NSS and C in general. I have read through as much
of the docs that are on the mozilla.org site as seem appli
Hi Alon,
First, I appreciate your enthusiasm for extending the reach of the PKCS
#11 standard. I think there may be some areas that you may be able to
contribute to make NSS a better platform in the respect of PKCS #11. If
that is to happen, however, you will need to understand about PKCS #11.
The assumption in NSS in the past has been that certUsageEmailSigner
implied non-repudiation, while certUsageSSLClientAuth did not.
That being said, NSS does not currently filter either of those based on
the non-repudiation bit (IIRC). Also, there is a growing suspicion that
email should be s
Alon Bar-Lev wrote:
Hello,
I am using Mozilla applications for a long time I enjoy it, but the
PKCS#11 implementation always worried me.
1. It prompts for PIN every time the token is accessed (Does not use
the public objects if exists).
This is probably because the token does not keep its l
Nelson B wrote:
Umesh Bywar wrote:
Hi all:
Welcome to the list, Umesh.
I am working on writing an xpcom component that checks which ciphers
work with a given target. So basically, I have a component which acts as
a SSL client and performs a handshake by setting a given cipher.
Nelson B Bolyard wrote:
Venkata Udaybhaskar Nori wrote:
I need to build nss for a 64 bit machine.
I was able to build it on most of the 32 bit machines.
Now I need it to build it on a 64 bit RHEL machine.
Curious to know if it makes any difference.
Please help me out.
NSS 3.11 should
Paul Santapau Nebot wrote:
First of all thank you for your help Bob, I've read reference you told
me but
I have already had two problems that I think are in relation. The first one is
that when I install my pkcs11 module from a JavaScript with
PKCS11_PUB_READABLE_CERT_FLAG flag, the certificate
If your token is a RW token, and the token only supports one session,
NSS (the Mozilla code that manages security) will open the general
session RW, not ReadOnly at startup. In that case PK22_GetRWSession will
return that global session.
So, the likely problem is your token is not claiming
Paul Santapau Nebot wrote:
Ok, I have found the flag, I've seen that setting the slot flag 0x0005
Mozilla Firefox avoid asking password for each https connection, but
by the time, i don't know how to avoid password asking when doing
Edit->Preferences->Security->View Certificates.
I would
Julien Pierre wrote:
Vivek,
Vivek Kumar wrote:
Hi,
I am currently working with a PKCS#11 library, have modified it to
support generation of public keys on the token.
When i try to delete the certificate from Mozilla
(Options->Advanced->Manage certificates), C_DestroyObject is getting
calle
Mark Hobbs wrote:
Thanks for this Bob, unfortunately the behaviour still remains
unchanged, as
soon as I go to the login page of my Yahoo account I get a smartcard PIN
request screen, which is strange as the Yahoo login is not even SSL.
I am not convinced the behaviour was the same with FireFox
If the SSL site is not requesting client auth, then the prompts for your
token pin during SSL may have to do with how the token was installed. If
the token was installed as 'the default RSA device', then NSS assumes
the token is a hardware accelerator and will try to use the token to
verify RSA
60 matches