Dear dev-tech-crypto readers:
Today I have given up the position of list owner and moderator for the
dev-tech-crypto mailing list and mozilla.dev.tech.crypto news group, a
position I have held since the list was formed over 10 years ago.
The new owner/moderator is Kai Engert. Please join me in se
On 2012/05/21 05:21 PDT, Bernhard Thalmayr wrote:
>
> Hi Wan-Teh, Nelson, could it be that this error is also raised by the
> client if the client can not 'participate' in ssl client-auth?
>
> Unfortunately I only got a text-output of 'ssldump', not sure if this is
> would be helpful.
[snip]
On 2012/05/08 04:53 PDT, Bernhard Thalmayr wrote:
>
> Hi experts, an OpenAM community member is using OpenAM policy agent to
> connect to an ssl-secured server.
>
> The policy agent uses NSPR 4.8.2, NSS 3.12.5.0 optimized build for Linux
> (RHEL) 64bit.
>
> If the agent tries to open a connect
On 2012/02/27 09:47 PDT, VictorMiller wrote:
>
> On Feb 24, 7:57 pm, Nelson B Bolyard wrote:
>> On 2012/02/24 07:26 PDT, VictorMiller wrote:
>>
>>> I have a new PKI certificate as a .p12 file which I want to import
>>> into firefox and thunderbird on a RedHa
On 2012/02/24 07:26 PDT, VictorMiller wrote:
>
> I have a new PKI certificate as a .p12 file which I want to import
> into firefox and thunderbird on a RedHat system. However, every time
> I try an import I get the above error message. If I log onto an MS
> Windows machine I can get IE to import
On 2012/02/08 12:57 PDT, Kai Engert wrote:
>
> My criticism:
[snip]
> Won't the set of CRLs be too big for download?
[snip]
This is my question as well.
Will they really include the CRLs from all of mozilla's trusted CAs?
Won't the union of all those CRLs be huge, even if they strip off certain
r
On 2011/10/30 23:26 PDT, mallapadi niranjan wrote:
> Hi all
>
> I would like to know how to renew a self singed CA (RootCA) certificate
> through certutil.
[snip]
> In the case of SubCA's it seems to be fairly easy to renew the Certificates
> by using the same Private key in the nss database by s
On 2011/10/10 12:16 PDT, Wan-Teh Chang wrote:
> [...]
> The certdata.txt file in the NSS source tree
> (http://mxr.mozilla.org/security/source/security/nss/lib/ckfw/builtins/certdata.txt)
> is the master source of the NSS built-in trusted root CA list, so
> people have written scripts to extract th
On 2011/09/01 06:12 PDT, Sean Leonard wrote:
> Looks like there is some discussion on mozilla.dev.security; I wanted to
> respond from more of an NSS point of view.
>
> On 8/30/2011 9:46 AM, Boris Zbarsky wrote:
>> I was looking at our CA root list, and a lot of them seem like
>> "specialist" CAs
On 2011/09/07 09:38 PDT, praspa wrote:
>
> I'm trying to make two separate HTTPS requests to a remote host using two
> client sockets and two different client certificates respectively (client
> cert A and B). [...]
> From my host, I'm able to make two connections on two different sockets to
> th
On 2011/09/18 03:15 PDT, Ralph Holz (TUM) wrote:
> does NSS check the pathlength extension in an issuing certificate? I am
> particularly wondering if pathlen:0 is honoured.
Yes and Yes.
NSS 3.12 claims compliance with RFC 3280.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
h
On 2011-08-03 02:22 PDT, Ludovic Hirlimann wrote:
> I know, by reading various bug comments, that NSS as some machines
> dedicated to testing somewhere. And from what I read It seems that these
> tests suites are started manually.
You have been misinformed.
For NSS, there is a collection of mach
On 2011-07-26 13:30 PDT, Brian Smith wrote:
> Mozilla would like to expose a secure PRNG (basically, a wrapper around
> PK11_GenerateRandom) to JavaScript content:
> https://bugzilla.mozilla.org/show_bug.cgi?id=440046
>
> There is some agreement that we should maintain separate PRNG state for
> e
On 2011-06-10 16:43 PDT, Crypto User wrote:
> On May 25, 11:33 am, Crypto User wrote:
>> Hi ,
>> I am trying to use this method to move my symmetric key to the key
>> for wrapping.
>> when I use this method , I get
>> undefined reference to `PK11_CopyToSlot' collect2: ld returned 1 exit
>> statu
On 2011/03/22 02:23 PDT, silent...@gmail.com wrote:
> Well, the reasons are at least obvious to us :) - the card is supposed
> to be in use for least 5 years. Card owners (Health Care Providers in
> our case) should be able to use various email providers for exchanging
> medical reports.
Nothing
On 2011/03/17 02:41 PDT, silent...@gmail.com wrote:
> It seems that Thunderbird refuses to use X.509 certificates for S/MIME
> encryption when these certificates do not contain email address of the
> subject. We want to use S/MIME with keys stored on smart cards and
> certificates distributed via L
Brian Smith wrote:
> "Ritmo2k" wrote:
>> Anyone know if its possible to configure Firefox to implicitly trust
>> all certificate authorities installed in the Windows Trusted Root
>> Certification Authorities Store?
>
> Firefox does not support this yet. See:
>
> https://bugzilla.mozilla.org/show_
On 2011/02/24 12:08 PDT, Datar, Raju wrote:
> Hi all:
>
> There are two very different issues in Firefox. If some kind person can
> reply with some information, that would be highly appreciated.
>
>
> ISSUE 1: The certificate name in the display is a hex value.
>
> We use client side certificat
On 2011-02-18 10:22 PDT, Wan-Teh Chang wrote:
> On Thu, Feb 17, 2011 at 7:10 AM, Stephen Hanna wrote:
>> Does Thunderbird support certification path building? If so, how
>> is it enabled and configured?
>
> Hi Steve,
>
> I am confused by your question. An S/MIME client obviously must
> support
On 2011-01-25 13:07 PDT, Michael H. Warfield wrote:
> [...] Instead of having a cert in the
> database with the name I specified in creating the .p12 file, I ended up
> with a cert in the database with the name of the E-Mail address in the
> cert. Not sure where that problem is (openssl or the pk
On 2011-02-05 13:28 PDT, Zack Weinberg wrote:
> On 2011-02-05 1:13 PM, Nelson B Bolyard wrote:
>> Zack, thanks for bringing this to this list/group. I think many of
>> us were caught by surprise by it, because it is a browser policy
>> proposal rather than a technical discus
On 2011-02-01 07:57 PDT, Zack Weinberg wrote:
> I've been following the mailing list for the IETF's "keyassure"
> working group, which plans to standardize a mechanism for putting
> application-layer server keys (or their hashes) in DNS, certified by
> DNSSEC. TLS/SSL is the first target, and of
On 2011-01-30 11:48 PDT, Wan-Teh Chang wrote:
> On Sun, Jan 30, 2011 at 1:32 AM, Nelson B Bolyard wrote:
>> Firefox doesn't send TLS client hellos to servers that fail to
>> complete ANY handshake with ANY version of SSL or TLS some number of
>> times in a row when it ha
Michael,
Can you make available to me the cert8.db file and the "nokey" p12 files
exactly as they were before you did the fateful certutil -D step?
If so, I'm interested in trying to track this down.
I have a test for you to try that *MAY* (or may not) prove to be a
solution for you. I believe yo
On 2011-01-29 06:06 PDT, Ambroz Bizjak wrote:
> Hello. I have a problem with NSS. Here's what I'm trying to achieve:
[ If I may paraphrase, system C sends a cert to systems A and B. ]
[ A forwards its copy to B. B must compare the two copies. ]
> Here's how I encoded the certificate (on
On 2011-01-30 02:30 PDT, Matej Kurpel wrote:
> On 30. 1. 2011 10:57, Nelson B Bolyard wrote:
>> Yes, the P7M holds all those encrypted copies of the key that
>> encrypts the main message, and of course, the ciphertext produced
>> with that key, And cert chains, and capabiliti
On 2011-01-29 06:41 PDT, Matej Kurpel wrote:
> Hello,
>
> as far as I know, Thunderbird sends encrypted e-mails as an attachment
> named "smime.p7m".
> Can anybody let me briefly know what this file contains?
Yes, it contains a message in the "Cryptographic Message Syntax" (CMS).
CMS is NOT SIM
On 2011-01-27 09:00 PDT, volkerk wrote:
> I am having the same problem with Firefox 3.0.15, which is suddenly
> unable to contact our Peoplesoft server and gets the no cypher error.
> After capturing the packet exchange with Wireshark, I found out the
> same as Suresh here - Firefox 3.0.15 (Windows
With my newsgroup/mailing list moderator hat on, I write:
PLEASE DO NOT reply to this list by multiple addresses.
Please reply to no more than one of the following addresses:
mozilla-dev-tech-cry...@lists.mozilla.org
dev-tech-crypto@lists.mozilla.org
mozilla.dev.tech.cr
On 2011-01-13 03:58 PDT, Irune Prado Alberdi wrote:
> I've tried the same test with Chromium and it worked correctly as
> Wan-Teh said. The database does not get locked.
[snip]
> I had to activate the FRIENDLY flag in order Chrome to correctly obtain
> the smartcard's certificate. I'm new to Chr
On 2011-01-11 04:48 PDT, Irune Prado Alberdi wrote:
> I'm trying to access a NSS shareable database (3.1.2 with
> NSS_DEFAULT_DB_TYPE=sql) while having a Firefox NSS session already
> initialized over the pkcs11 module of my smartcard.
>
> My test is really simple but I don't get to know why fire
On 2011-01-12 13:53 PDT, Bernhard Thalmayr wrote:
> Although I've only done a debug build I get an ssl-trace file starting
> with ..
>
> SSL: tracing set to 127
> SSL: debugging set to 127
> 12676: SSL: grow buffer from 0 to 18432
> 12676: SSL: grow buffer from 0 to 18432
> 12676: SSL[107778448]
Bernhard wrote:
> 331569088[1bd1610]: flags = 0x4
> 331569088[1bd1610]: pApplication = 0331569088331569088[1bd1610]:
> Notify = 0x13231f31569088[1bd1610]: phSession =
> 0x7fffc331569088[1bd1610]: phKey = 0x36c1618
> 331569088[1bd1610]: CKA_CLASS = CKO_SECRET_KEY [8]
Was that a c
On 2011-01-11 13:26 PDT, Bernhard Thalmayr wrote:
> Hi experts,
>
> https://developer.mozilla.org/en/NSS_reference/NSS_environment_variables
>
> tells me that I have to build NSS/NSPR with 'TRACE'.
>
> Unfortunatley I have not found how to make this build work.
>
> I've already search the archi
On 2011-01-12 13:18 PDT, Bernhard Thalmayr wrote:
> Hi Experts, where do I get the script 'modlogger.pl' mentioned in
> 'http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn2.html'?
Sadly, it no longer exists. But IMO, you don't need it. The raw output
is equally readable without it,
On 2011-01-03 13:04 PDT, Anders Rundgren wrote:
> Hi,
>
> I'm in the starting phase upgrading Firefox so that it can provision
> credentials in a way that that banks and governments require which
> among many things include E2ES (End-to-End Security) and issuer-
> specified PIN-codes (or just poli
On 2010-12-27 10:39 PDT, Matej Kurpel wrote:
> Wow - I was able to "Attach To Process..." in VS2008 and then I caused
> the crash deliberately.
Bravo.
> It showed me the source code and call stack, which is great. But
> evaluating most of the variables returned "CXX0069: Error: variable
> nee
On 2010-12-27 01:44 PDT, Matej Kurpel wrote:
> If I only was able to load the source code of Thunderbird in Visual
> Studio, that would be great. I could debug it line-by-line as usual.
You can. Download and unpack the sources from
ftp://ftp.mozilla.org/pub/thunderbird/releases/latest-3.1/sou
On 2010-12-19 00:56 PDT, Marsh Ray wrote:
> On 12/19/2010 02:27 AM, Nelson Bolyard wrote:
>> Yes, Mozilla builds its own CRT, which is a modified version of the MSVC
>> CRT, whose sources come only with the pay (not free) versions of MSVC.
>> They do this in order to replace MSVC's normal heap code
Resending Matej's message, reduced to the essential stack.
On 2010-12-16 14:39 PDT, Matej Kurpel wrote:
> On 16. 12. 2010 21:59, Marsh Ray wrote:
>> Nelson may know more specifics, but if I were you I would configure
>> the debugger to break when C++ exceptions are thrown. (Debug menu ->
>> Eve
On 2010/12/13 15:44 PDT, Mads Kiilerich wrote:
> Ralph Holz (TUM) wrote, On 12/13/2010 02:38 PM:
>> Good day,
>>
>> I was wondering how wildcards in CNs are evaluated in nss
http://mxr.mozilla.org/security/source/security/nss/lib/certdb/certdb.c#1492
says:
> 1492 /* For a cn pattern to be consi
Matej,
Your message contains an obvious self-contradiction. Observe:
On 2010-12-10 09:57 PDT, Matej Kurpel wrote:
> CK_RV CK_ENTRY C_SignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR
> pMechanism, CK_OBJECT_HANDLE hKey)
> {
> return CKR_FUNCTION_CANCELED; <<
On 2010-12-10 03:45 PDT, David Stutzman wrote:
> On 12/9/2010 2:29 PM, Wan-Teh Chang wrote:
>
>> The "(-8157) Certificate extension not found" part
>> is most likely wrong (a stale error code). Please try to track that down
>> and fix it.
>
> I remember Nelson saying pretty much anytime that err
On 2010-11-26 13:20 PDT, ryan-mozdevtechcry...@sleevi.com wrote:
[snip]
> And to save you a bit of trouble/pain: for CryptoAPI, you cannot
> simply sign raw data - you can only sign previously hashed data. I
> understand this to mean that you cannot write a pure PKCS#11 ->
> CryptoAPI mapper, wheth
On 2010-11-24 11:17 PDT, passfree wrote:
> Speaking of firefox, I know it is not meant to be used as a server but
> it does provide server sockets through nsIServerSocket interface.
I'd say it's a BUG in PSM if it offers a way for XPCom users to use NSS
server sockets, but doesn't offer any way
On 2010/11/14 07:15 PDT, Matej Kurpel wrote:
> Hello, I am developing a PKCS#11 module and stumbled upon a confusion as
> how to manage multiple applications calling Cryptoki calls. I can't seem
> to get an answer by reading the PKCS#11 specification, nor by googling,
> so I am asking you :) Curren
On 2010/11/09 12:43 PDT, Nelson B Bolyard wrote:
> This morning, in the moderation queue for this list, I found a message
> that was different from others I'd seen before. It appeared to have
> originated as a newsgroup posting at google. I'm still not 100% sure if
>
On 2010-11-10 05:41 PDT, stephen.mocca...@gdc4s.com wrote:
> I am on a Linux system and I am trying to send a signed email message
> using cmsutil and the smime toolkit but it fails with the following
> error:
>
> cmsutil: the corresponding cert for key "(null)" does not exist:
> Certificate key u
This morning, in the moderation queue for this list, I found a message
that was different from others I'd seen before. It appeared to have
originated as a newsgroup posting at google. I'm still not 100% sure if
this was a moderated newsgroup posting, or if the poster merely sent it
both as a news
On 2010/10/29 01:44 PDT, Nelson B Bolyard wrote:
> No, passwords simply have NO PLACE in protecting the average user from
> phishing. And it doesn't matter whether the password is used to derive
> a session encryption key, or just as an authentication token. The user
> is j
On 2010/10/28 02:14 PDT, Jean-Marc Desperrier wrote:
> Nelson B Bolyard wrote:
>> Please don't file a bug without a stack trace showing the crash is in NSS.
>> [...]
>> If the back trace shows the crash is not in NSS, but in some other
>> library, please direct the
On 2010/10/28 03:12 PDT, Jean-Marc Desperrier wrote:
> Nelson B Bolyard wrote:
>> [...] It because none of them: J-PAKE, SPEKE, SRP, or for that
>> matter, good old CRAM-MD5 address the NUMBER ONE problem with passwords.
> >
>> PHI
On 2010-10-26 23:03 PDT, Kaspar Brand wrote:
> Microsoft's directory naming might actually confuse you here. On a
> 64-bit Windows system, %systemroot%\SysWOW64 has the *32*-bit DLLs,
> while the 64-bit versions can be found under %systemroot%\system32.
AAARRGGG!
>> What do you suggest ?
On 2010-10-25 10:49 PDT, Jean-Marc Desperrier wrote:
> Brian Smith wrote:
>> Nelson B Bolyard wrote:
>>
>>> [...]
>>> I'm talking about putting JBAKE (or whatever it is) into the base product.
>>> [...]
>> Is there something specific abo
On 2010-10-26 05:07 PDT, Jean-Marc Desperrier wrote:
> Matej Kurpel wrote:
>> However, how does a printable string differ from utf8string (and other
>> strings, particularly ia5string) when there are no non-ascii characters?
>> Do you think it's a bug in NSS...?
>
> printable string basically allo
On 2010-10-24 02:12 PDT, Matej Kurpel wrote:
[snip]
> You can clearly see both my CA and user certificates. Certutil has used
> my PKCS#11 module to obtain my user certificate. Then I launched the
> second commany you were suggesting:
>
> certutil -d . -L -n "HTC Touch HD T8282:Matej Kurpel"
>
Mozilla uses was capable of it, I would
filter messages to this list to catch legalese like that, and "bounce"
those messages back to their senders, but alas it does not. So, until
it does, I can only ask you all to please comply.
Thanks.
/Nelson B, moderator dev-tech-crypto
--
On 2010-10-21 13:31 PDT, Matej Kurpel wrote:
> This looks like Thunderbird cannot find the user certificate in its
> database. Well, it shouldn't anyway, since it resides on the token
> provided by a PKCS#11 module I am developing.
Right. It's not necessary for the cert to be in the database.
On 2010-10-22 11:35 PDT, Wan-Teh Chang wrote:
> On Thu, Oct 21, 2010 at 3:53 PM, Nelson B Bolyard wrote:
>> I'd say the interfaces to those functions (more precisely, their
>> signatures) are quite frozen. The mp_int bignum package API is so
>> frozen as to have become
This is a resend. Don't know why my previous copy went only to Marsh.
I intended it to go to the list as well.
On 2010-10-21 16:50 PDT, Marsh Ray wrote:
> On 10/21/2010 05:53 PM, Nelson B Bolyard wrote:
>> - Letting mozilla products become a playground for home-baked crypt
Gerv,
On 2010-10-22 01:25 PDT, Jan Huynh wrote:
> Click Here to Enter:
>
> >>> http://better-web-365.com/12/paramore-mp3 <<<
>
> .
>
> .
>
> Paramore Mp3
> Paramore Franklin Free Mp3
[Hundreds of lines beginning with the word Paramore deleted]
This is clearly a failure of the new newsgroup
On 2010-10-20 17:13 PDT, Brian Smith wrote:
> See https://bugzilla.mozilla.org/show_bug.cgi?id=601645.
>
> The following internal functions and data structures in FreeBL that
> would be used Firefox 4.0 Sync's J-PAKE implementation through JSCtypes
> (a mechanism for calling native code through Ja
On 2010-10-20 09:54 PDT, Matej Kurpel wrote:
> Hello,
> I have set up my own CA and issued one certificate signed by this CA.
> However, I cannot use this certificate to send signed e-mail from
> Thunderbird. It says "Could not verify this certificate for unknown
> reasons".
PSM's infamous "fo
On 2010-10-19 01:23 PDT, Gervase Markham wrote:
> At 11pm Pacific Time on Tuesday night (6am UTC on Wednesday morning) we
> are implementing[0] the new discussion forums anti-spam plan[1] on the
> following guinea pig groups:
>
> mozilla.community.philippines
> mozilla.governance.mpl-update
> mo
On 2010-10-16 11:39 PDT, Matej Kurpel wrote:
> On 16. 10. 2010 18:33, Nelson B Bolyard wrote:
>> The SignData method you're trying to use does all the above steps.
>> It wants the input to step 1. Since you're implementing CKM_RSA_PKCS,
>> the data you'
On 2010-10-16 06:25 PDT, Matej Kurpel wrote:
> Hello,
> I am developing a PKCS#11 module to be used with Thunderbird. However, I
> have trouble providing a valid signature for e-mails. The mechanism used
> is CKM_RSA_PKCS and I have a 1024bit private key along with the
> certificate, stored on
On 2010-10-08 10:58 PDT, al...@yahoo.com wrote:
> I noticed when moving a profile that secmod.db retains the old absolute
> profile path (configdir='...')
>
> Is the path used for anything? Does it need to be updated? How? Can
> secmod.db be deleted and regenerated? What are the consequences
On 2010-10-10 07:45 PDT, Matej Kurpel wrote:
> Never mind, solved it myself. What turned out to be the problem, was
> that the CK_BBOOL values were 4-bytes and not 1 byte in size.
Glad you figured it out. I think we could not have helped you
without a LOT of work and looking at your code.
--
On 2010-10-02 09:11 PDT, passfree wrote:
> The problem is within the write method of the component which fails
> for some unknown reasons. Here is the code I am using for testing:
>
> char b[] = { "12345" };
> int result = PR_Write(sfd, &b, 5);
>
> if (r
On 2010-09-16 00:54 PDT, Wolter Eldering wrote:
> Hi,
>
> I have configured a model file descriptor using
> SSL_SetTrustAnchors(PRFileDesc *fd, CERTCertList *list)
>
> The ssl3.ca_list information set in the model is not copied into the new
> file descriptor when calling PRFileDesc *SSL_ImportF
On 2010-09-09 03:37 PDT, Vincent Agriesti wrote:
> How do I get the CMS encoder in mozilla's NSS 3.12.7 to use definite
> encodings on constructed types as well as data [?]
[snip]
> Researching into the code, I've found (in secasn1e.c)
>
> /* The !isString test below is apparently intended to
(This is a repost. I posted this message earlier today, but it seems
not to have gone out. Please let me know if you get two copies.)
On 2010-09-07 06:20 PDT, Konstantin Andreev wrote:
> On 08/31/10 05:01, Nelson B Bolyard wrote:
>> On 2010/08/30 17:32 PDT, Wan-Teh Chang wrote:
>
On 2010/09/07 17:08 PDT, tedx wrote:
> I've hacked up something to try but I've now encountered a
> compilation error that I don't understand. Has anyone else seen this?
> nss_signing.c: In function ‘spl_nssVerifySignature’:
> nss_signing.c:172: error: storage size of ‘vfy_context’ isn’t known
>
On 2010-09-06 08:17 PDT, Xavier Toth wrote:
> I'm trying to verify the signature of a file I've signed but I don't
> understand where to get the sigAlgorithm and hash to pass to
> VFY_CreateContextWithAlgorithmID.
I presume you've read the description of these parameters in
http://mxr.mozilla.or
On 2010-09-07 06:20 PDT, Konstantin Andreev wrote:
> On 08/31/10 05:01, Nelson B Bolyard wrote:
>> On 2010/08/30 17:32 PDT, Wan-Teh Chang wrote:
>>> I propose that we remove SSL 2.0 support from the NSS trunk (NSS
>>> 3.13).
>> [... skip ...]
>>
>> It&
On 2010-08-30 11:04 PDT, Michael Smith wrote:
> On Aug 28, 10:08 am, Nelson Bolyard
> wrote:
>> What is the real underlying objective of this?
>> Is it to authenticate the individual user of the product to the servers?
>> Is it to ensure that the client applications of the network service are
>>
On 2010/08/30 17:32 PDT, Wan-Teh Chang wrote:
> On Mon, Aug 30, 2010 at 8:12 AM, Brian Smith wrote:
>> Wan-Teh Chang wrote:
>>> I propose that we remove SSL 2.0 support from the NSS trunk (NSS 3.13).
The entire "gather" logic, by which incoming records are received,
could be simplified enormously
On 2010/08/26 01:02 PDT, fishjohn wrote:
>
> Hi.
>
> Hope this forum is ok for such question.
Yes.
> We have simple "lists" implemented through /etc/aliases . basically
> I want to send encrypted mail to l...@example.com ( which is alias
> for person1, person2, ...)
A common desire.
> Is ther
On 2010-08-22 20:46 PDT, Nelson B Bolyard wrote:
> On 2010-08-22 16:44 PDT, Brian Smith wrote:
>> When NSS Softoken is in FIPS mode, it refuses to create keys with
>> C_CreateObject.
>
> What means that it refuses to import secret or private key material
Sorry, that sho
On 2010-08-22 16:44 PDT, Brian Smith wrote:
> When NSS Softoken is in FIPS mode, it refuses to create keys with
> C_CreateObject.
What means that it refuses to import secret or private key material
that is being kept "in the clear" outside of the security module boundary
into the security module,
On 2010-08-18 07:40 PDT, msm Li wrote:
> Hi,
> I've managed to build Mozilla's nss/jss on Android 2.2/API8/ndk-r4b at
> ubuntu 10.04.
> When I try to generate the testing certificates on the Android emulator,
> I got
> W/dalvikvm( 284): ReferenceTable overflow (max=512)
> W/dalvikvm( 284): Last 1
On 2010-08-18 03:47 PDT, David Stutzman wrote:
> The Sun^H^H^HOracle JCE "Standard Names Document" [0], which lays out
> what the all the algorithm names/permutations are, lists the EC
> Signature algorithms as such:
> NONEwithECDSA
> SHA1withECDSA
> SHA256withECDSA
> SHA384withECDSA
> SHA512wit
On 2010-07-31 14:23 PDT, Nelson B Bolyard wrote:
> So, I moved the XTRN flag up to the PointerTo template, and that
> didn't crash, but it failed. I'm debugging it now.
My mistake. It succeeded. I interpreted the returned pointer to the
output buffer as a non-zero result
On 2010-07-30 20:53 PDT, Wan-Teh Chang wrote:
> Here is Hanno's code modified to use a PointerTo template:
>
> SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
>
> const SEC_ASN1Template MY_PointerToAlgorithmIDTemplate[] = {
> { SEC_ASN1_POINTER, 0, SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }
> };
On 2010-07-30 20:53 PDT, Wan-Teh Chang wrote:
> On Fri, Jul 30, 2010 at 11:29 AM, Nelson B Bolyard wrote:
>> I think you're right. I filed
>> https://bugzilla.mozilla.org/show_bug.cgi?id=583308
>> with a patch to fix at least one problem.
>
> I ran Hanno&#x
On 2010-07-29 15:14 PDT, Hanno Böck wrote:
> After digging down deeper into the code, it seems it fails somewhere here:
> http://mxr.mozilla.org/security/source/security/nss/lib/util/secasn1e.c#897
>
> It gives state->theTemplate to the SEC_ASN1GetSubTemplate-function, while
> state->theTemplate
On 2010-07-29 18:35 PDT, Alexander V Vershilov wrote:
> Hello.
>
> I'm trying to build package pki-utils-1.3.1. And it fails on building
> cmsutils:
> pki-util-1.3.1/src/com/netscape/cmsutil/crypto/CryptoUtil.java
> at string:
> org.mozilla.jss.crypto.KeyPairGeneratorSp[2^i.Usage[
On 2010-07-26 06:07 PDT, Hanno Böck wrote:
> Hi,
>
> Just recently, the templates for decoding the RSA-PSS ASN1 parameters got
> added to cvs head (in cryptohi/seckey.c).
>
> Currently I'm working on implementing the creation of PSS signatures, so I
> need them also to encode. My naive thought
On 2010-07-23 13:48 PDT, Robert Relyea wrote:
> You may be stuck. I believe NES 3.63 ran using an older version of NSS
> that is available in the open source world (or even available as shared
^
NOT!
> libraries, for that matter). I'm not sure if anyone has access to that
> old so
On 2010-07-21 18:26 PDT, Amax Guan wrote:
> Thank you very much, this really help alot:) We won't let end-users
> use that tool, instead, we put it in a installer, and let the installer
> do the dirty work.
>
> btw, Since this certutil.exe is downloaded from microsoft.com
> I'm a little wor
On 2010-07-19 03:18 PDT, Konstantin Andreev wrote:
> Let assume, I have high-quality, conformant to all relevant standards
> (e.g. FIPS 140-1), hardware, true random numbers source - token "B".
> Token vendor intimately cares about standard API to the token, and
> provides PKCS#11 library.
>
> In
I wrote:
> FIPS 140 will not allow *any* hardware pure noise source to be used by
> itself as a random number/bit source. Instead, such a source MUST be
> fed into a DRBG from which any internal random data is taken.
To clarify,
by "pure noise source", I meant such as a forward biased silicon PN
On 2010-07-21 10:50 PDT, Ryan Sleevi wrote, quoting Gervase Markham:
>> On 21/07/10 07:26, Amax Guan wrote:
>>> But if you generate a user Certificate that's issued by a untrusted CA,
>>> there will be an alert popup.
>> Can some NSS or PSM hacker explain why this is?
>>
>> Gerv
>
> While neither
On 2010-07-20 02:21 PDT, Waldek wrote:
> Hi again,
> is there anybody who's been able to get such a setup working after
> upgrading to FF 3.6.x ??
> Is it a FF 3.6.x bug ??
> Could someone from Mozilla guys state anything in this case ??
> I've no other ideas so far but recommending my customers sw
On 2010-07-19 10:56 PDT, Caden.smith Smith wrote:
> Just for your information, here is the tree:
>
> JSS4.DLL
> NSPR4.DLL
> ADVAPI32.DLL
The factors under the control of the way in which JSS and NSPR are built
end here. Anything below this point has NOTHING to do with them.
Everything be
On 2010-07-12 02:18 PDT, Konstantin Andreev wrote:
> Hello.
>
> I am asking in this newsgroup, because I believe FIPS mode can affect the
> answer.
>
> Let assume
>
> -- Token A is software token, and able to make ECC signatures.
>
> -- Token B is hardware token providing TRUE random numbers.
>
On 2010-07-01 18:10 PDT, james07 wrote:
> I'm importing the key pair into the browser's soft token.
>
> I can see that the cert8.db and key3.db files in the profile directory are
> updated and I can also see the new certificate using certutil.exe -L.
>
> However when attempting to connect to a we
On 2010-06-21 17:57 PDT, Brian Smith wrote:
> From arcfour.c:
>
> http://mxr.mozilla.org/mozilla/source/security/nss/lib/freebl/arcfour.c#390
>
> My guess is that valgrind is considering malloc(5) to allocate 5 bytes,
> when really it allocates 8 bytes at least (because of alignment).
See the exp
On 2010-06-22 07:06 PDT, Konstantin Andreev wrote:
> At the moment, NSS softoken still return CKR_DATA_LEN_RANGE when CBC/ECB
> ciphers are updated with odd length.
>
> I wonder, are any chances for this aspect of NSS softoken to be more
> PKCS#11 compliant in the near future ?
Yes.
Step 1. Fi
On 2010-06-22 06:24 PDT, Logan Jones wrote:
> Whenever someone receives an email with a .p7m extension as an
> attachment, Thunderbird eats it.
I suppose you mean /attachment/ rather than /extension/.
> Normally it would be saved to the desktop and decrypted with the
> standalone entrust applica
1 - 100 of 1186 matches
Mail list logo
