Re: Default Password callback

2020-10-01 Thread Robert Relyea
On 10/1/20 5:37 AM, Daniel Gustafsson wrote: I'm implementing support for NSS into a codebase which already has OpenSSL support, and when looking at the passphrase callbacks I ran into a question. Is my understanding correct that there is no default password callback like how OpenSSL has a fall

Re: No Post Quantum this week.

2020-09-14 Thread Robert Relyea
On 9/14/20 10:19 AM, Robert Relyea wrote: Bob has a dental appointment and will be out. See you in 2 weeks. bob Went to the wrong list. You can ignore this. bob -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

No Post Quantum this week.

2020-09-14 Thread Robert Relyea
Bob has a dental appointment and will be out. See you in 2 weeks. bob

Re: Regarding SQLite in NSS 3.44.4

2020-08-07 Thread Robert Relyea
On 8/7/20 1:27 AM, Rahul S wrote: Hi Team, Hope all are doing good! I would like to get some clarification about the SQLite version in NSS 3.44.4. From release notes of NSS 3.46, I see that the "Bug 1550636 - Upgrade SQLite in NSS to a 20

Re: [ANNOUNCE] NSS 3.53 release

2020-06-11 Thread Robert Relyea
uld be the best place to put it? nss/automation? bob On Thu, Jun 11, 2020 at 3:52 AM Robert Relyea wrote: On 6/1/20 5:18 PM, JC Jones wrote: The NSS team released Network Security Services (NSS) 3.53 on 29 May 2020. NSS 3.53 will be a long-term support release, supporting Firefox 78 ESR.

Re: [ANNOUNCE] NSS 3.53 release

2020-06-10 Thread Robert Relyea
On 6/1/20 5:18 PM, JC Jones wrote: The NSS team released Network Security Services (NSS) 3.53 on 29 May 2020. NSS 3.53 will be a long-term support release, supporting Firefox 78 ESR. Looks like we updated certdata.txt without updating the version number in nssckbi.h. This caused some problem

Re: Crypto team minutes 202-05-12

2020-05-13 Thread Robert Relyea
Please ignore this, it went to the wrong list.

Crypto team minutes 202-05-12

2020-05-13 Thread Robert Relyea
Date: 2020-05-12 Chair: Ivan Minutes: Bob Participants: Alex, Standa, Jakub, Bob, Daiki, Toshi, Simo, Tomas, Sahana, Hubert, Ondrej, Ivan, Lucie Excused: Nikos Chair and minutes keeper update etherpad, after the meeting the minutes keeper sends minutes and prepares etherpad for next week - ht

Re: [key4.db] IV size for aes256-CBC

2020-04-28 Thread Robert Relyea
On 04/22/2020 01:21 AM, laurent.cl...@gmail.com wrote: On Monday, March 30, 2020 at 6:28:55 PM UTC+2, Robert Relyea wrote: On 03/27/2020 12:21 PM, Louis Abraham wrote: Hi Matthew, Awesome, thanks and sorry for contacting the wrong list! Since then, I found the answer to the 14 bytes question

Re: [key4.db] IV size for aes256-CBC

2020-03-30 Thread Robert Relyea
On 03/27/2020 12:21 PM, Louis Abraham wrote: Hi Matthew, Awesome, thanks and sorry for contacting the wrong list! Since then, I found the answer to the 14 bytes question: https://hg.mozilla.org/projects/nss/rev/fc636973ad06392d11597620b602779b4af312f6#l6.49 Basically the DER encoding is used i

NSS ESR release date.

2020-03-26 Thread Robert Relyea
Red Hat Planning would like to know the estimate for when the NSS targeted for ESR will be released. We are working on the theory it will be end of May (balancing time for PKCS #11 3.0 changes versus when ESR needs a new NSS). Planning wants me to confirm that with Mozilla, particularly JC.

Re: [ANNOUNCE] NSS 3.44 Release

2019-05-22 Thread Robert Relyea
On 05/17/2019 08:54 AM, JC Jones wrote: On Thursday, May 16, 2019 at 9:28:39 AM UTC-7, Paul Wouters wrote: Wait, what? They need work to make them simpler and better support cross compiling for sure, but getting rid of them would really hamper our use of NSS on different platforms. How would y

Is there some problem with treeherder?

2019-03-18 Thread Robert Relyea
I've been trying to get an nss-try builds with nss-tools for a couple of days now, but it looks like both nss-try and nss are not properly running any tests. Is there an outage, or do we need someone to kick the try servers? bob

Re: Linker error from tstclnt

2017-11-22 Thread Robert Relyea
On 11/22/2017 07:24 AM, Kai Engert wrote: On 10.11.2017 10:16, muni.pra...@gmail.com wrote: USE_STATIC_RTL=1 I haven't seen this symbol before, maybe it's no longer supported. Does it work if you don't define it? The symbol means build the test binaries with static libraries. That hasn't be

Re: Are NSS bug fix releases still FIPS 140-2 certified?

2017-04-11 Thread Robert Relyea
On 04/10/2017 02:58 PM, Ernie Kovak wrote: Kyle Hamilton is right. The authoritative document is the NSS module's security policy, which is linked from their validation certificate (see above). That policy specifies how the module can be used in order to be FIPS 140-2 compliant. According to t

Re: How to get a list of SubjectAltNames of a cert in NSS

2017-03-03 Thread Robert Relyea
On 03/03/2017 02:48 PM, Robert Relyea wrote: On 03/03/2017 09:42 AM, Paul Wouters wrote: On Fri, 3 Mar 2017, Robert Relyea wrote: [offlist] redirected back to the list, since the item I was concerned about is not a concern. Thanks for the info. I looked at it and have two questions and

Re: How to get a list of SubjectAltNames of a cert in NSS

2017-03-03 Thread Robert Relyea
On 03/03/2017 09:42 AM, Paul Wouters wrote: On Fri, 3 Mar 2017, Robert Relyea wrote: [offlist] redirected back to the list, since the item I was concerned about is not a concern. Thanks for the info. I looked at it and have two questions and one concern (which is why this is offlist

Re: Should PK11_Derive() save the failure status?

2017-02-22 Thread Robert Relyea
On 02/22/2017 10:44 AM, Andrew Cagney wrote: Hi, I've got a PK11_Derive() call failing (presumably something silly on my part), but frustratingly, PORT_GetError() just returns 0. It seems that all variants of PK11_Derive() don't call: PORT_SetError(PK11_MapError(crv)); with the error sta

Re: xmlsec / ECDSA problem

2017-02-14 Thread Robert Relyea
On 02/14/2017 03:07 AM, Miklos Vajna wrote: Hi, xmlsec from is a library to verify XML signatures (and more). It has a number of backends, one of them being NSS. Currently only the openssl backend of xmlsec supports ECDSA, and I'm trying to add support for ECDSA

Re: NSS open multiple NSS-Databses at once?

2017-01-10 Thread Robert Relyea
On 01/10/2017 02:07 PM, Opa114 wrote: On Tuesday, 10 January 2017 22:24:10 UTC+1, Robert Relyea wrote: On 01/10/2017 10:18 AM, Opa114 wrote: thanks, but these facts I know. I don't want to let multiple applications open one Database, I want to open multiple different Mozilla database

Re: NSS open multiple NSS-Databses at once?

2017-01-10 Thread Robert Relyea
On 01/10/2017 01:40 PM, John Dennis wrote: On 01/10/2017 04:23 PM, Robert Relyea wrote: 2) To open additional databases you want to use SECMOD_OpenUserDB: Bob, is SECMOD_OpenUserDB new? No, it's been around for quite some time. bob

Re: NSS open multiple NSS-Databses at once?

2017-01-10 Thread Robert Relyea
On 01/10/2017 10:18 AM, Opa114 wrote: thanks, but these facts I know. I don't want to let multiple applications open one Database, I want to open multiple different Mozilla databases, in the old standard format, with one (my) application. I tried to use the NSS_Init functions. These works wit

Re: NSS open multiple NSS-Databses at once?

2017-01-09 Thread Robert Relyea
On 01/08/2017 05:34 AM, Opa114 wrote: Hi there, I have to use NSS in one of my applications and therefore I have to open multiple databases (for example Firefox and Thunderbird) at once to read and write into these. How can I do this programmatically in C++? Some example code would be very help

Re: Fwd: debug PKCS11

2016-11-18 Thread Robert Relyea
On 11/18/2016 12:49 AM, Alexei Mayanov wrote: Hello! I'm developing PKCS11 library for my device. This library is based on pkcs11-proxy (https://github.com/SUNET/pkcs11-proxy). It works well with different apps but with Firefox I can't login with client certificate on to the test site. Firefox doe

Re: NSS_Context and FIPS

2016-10-21 Thread Robert Relyea
On 10/21/2016 01:59 PM, Rob Crittenden wrote: Robert Relyea wrote: On 10/21/2016 07:04 AM, Rob Crittenden wrote: I'm trying to figure out how to dynamically enable FIPS support for NSS Contexts. I started with multinit.c and initialize FIPS right after calling NSS_InitContext() using

Re: NSS_Context and FIPS

2016-10-21 Thread Robert Relyea
On 10/21/2016 07:04 AM, Rob Crittenden wrote: I'm trying to figure out how to dynamically enable FIPS support for NSS Contexts. I started with multinit.c and initialize FIPS right after calling NSS_InitContext() using this: So you can't change the state of an already open database. NSS will

Re: NSS db nicknames with NSS_InitContext()

2016-10-18 Thread Robert Relyea
On 10/18/2016 11:16 AM, Rob Crittenden wrote: It looks like when multiple NSS databases are initialized using NSS_InitContext() the nicknames can take multiple forms depending on order of initialization. Using the multinit program and three NSS certificate databases with identical nicknames I s

Re: JSS/NSS locks my smart card after 1 bad pin entry

2016-10-10 Thread Robert Relyea
On 10/07/2016 06:56 PM, Ernie Kovak wrote: Hello - We're using JSS4 and NSS 3.24 with an OpenSC module to interact with a DoD CAC. CACs will lock after 3 consecutive bad PIN entries. We're finding that if the user enters a bad PIN even once, that hard limit is exceeded and the card is locked.

Re: modutil add module "ActiveClient" gives error "error 193" (win10)

2016-08-09 Thread Robert Relyea
On 08/03/2016 12:30 AM, Marjan Savli wrote: I would like to simplify adding USB ActiveClient Reader into Firefox on win10. I already managed to make a batch file to simplify importing our 6 certificates into Firefox. Manually I would do this step by step after this manual: https://www. creaplus.

Re: Replacement for PK11_GetLowLevelKeyIDForCert etc

2016-06-27 Thread Robert Relyea
On 06/24/2016 06:29 PM, Andrew Cagney wrote: Hi, according to the NSS documentation, the functions for getting CKAIDs are deprecated vis: /** * New functions which are already deprecated *

Re: [ANNOUNCE] NSS 3.24 Release

2016-05-23 Thread Robert Relyea
On 05/22/2016 04:26 PM, Paul Wouters wrote: On Sun, 22 May 2016, Kai Engert wrote: Subject: [ANNOUNCE] NSS 3.24 Release * NSS softoken has been updated with the latest NIST guidance (as of 2015) What does this relate to? Do you have the specific FIPS publication? Is this perhaps the GCM IV

Re: RFC7512 PKCS#11 URI support

2016-04-08 Thread Robert Relyea
On 04/07/2016 05:13 PM, Julien Pierre wrote: David, On 4/7/2016 15:49, David Woodhouse wrote: On Thu, 2016-04-07 at 05:01 -0700, Julien Pierre wrote: The problem really stems from the design of NSS, specifically the CERTCertificate*, which maps to a unique DER encoded cert, but not to a single

Re: RFC7512 PKCS#11 URI support

2016-04-08 Thread Robert Relyea
On 04/07/2016 03:49 PM, David Woodhouse wrote: On Thu, 2016-04-07 at 05:01 -0700, Julien Pierre wrote: The problem really stems from the design of NSS, specifically the CERTCertificate*, which maps to a unique DER encoded cert, but not to a single PKCS#11 object in a single token. Since the same

Re: RFC7512 PKCS#11 URI support

2016-04-05 Thread Robert Relyea
On 04/04/2016 03:19 PM, Ryan Sleevi wrote: On Mon, Apr 4, 2016 at 12:39 PM, David Woodhouse wrote: We usually reserve the term "breaks the API" for when something *used* to work, and now doesn't. Not when a previously-failing call now actually does something useful. No, sorry David, that's not

Re: NSS_NoDB_Init(".") and FIPS mode

2016-03-21 Thread Robert Relyea
On 03/18/2016 01:55 PM, Wan-Teh Chang wrote: On Fri, Mar 18, 2016 at 10:49 AM, Robert Relyea wrote: Yes, SECMOD_DeleteInternalModule() is a toggle which switches NSS between FIPS and non-FIPS. If you don't have a database open, or the database is open readOnly, the change only affect

Re: Programmatically smartcard/token access with NSS

2016-03-19 Thread Robert Relyea
On 03/17/2016 06:17 AM, Túlio Gomes wrote: Hello, I need to access a smartcard for signing documents with the private key stored inside it. The idea is to create a C++ component that will be used with a pnacl module inside chrome's browser. So I decided to use NSS, but I'm confused about what

Re: NSS_NoDB_Init(".") and FIPS mode

2016-03-18 Thread Robert Relyea
On 03/18/2016 09:14 AM, Andrew Cagney wrote: Is it possible to put NSS (softtoken) in FIPS mode (PK11_IsFIPS()) without a "modutil -fips true" database? By FIPS mode I guess I really mean confirm that NSS has performed some sort of FIPS self-check. An earlier thread mentioned some way of toggli

Re: server-side OCSP stapling

2016-03-01 Thread Robert Relyea
On 03/01/2016 02:19 PM, Martin Thomson wrote: AIUI, support for stapling in NSS is pretty primitive. You are expected to make the OCSP query yourself and use the API to configure the server. IIRC the API to fetch the ocsp response is mostly application code. NSS has a simple http request func

Re: Using NSS in FIPS mode

2016-01-22 Thread Robert Relyea
On 01/22/2016 06:42 AM, jonetsu wrote: Robert Relyea wrote: The call PK11_IsFIPS() returns true if softoken is in FIPS mode. The dance to programmatically is to call SECMOD_DeleteInternalModule(), which toggles the module between FIPS and non-FIPS modes. Thanks. I will try it. When are the

Re: Using NSS in FIPS mode

2016-01-21 Thread Robert Relyea
On 01/21/2016 07:33 AM, jonetsu wrote: Hello, Please let me know if this is not the right place to ask about the following... This is the right place. I am new to NSS and would like to use it in FIPS mode. I do know about OpenSSL and GnuTLS, both of them having explicit calls to enabled FIPS

Re: Algorithms supported in NSS 3.17, FIPS mode

2015-12-15 Thread Robert Relyea
On 12/14/2015 05:04 PM, Paul Wouters wrote: Don't know about DRBG, but everything else you asked for is supported. Sent from my iPhone On Dec 14, 2015, at 18:03, jonetsu wrote: Hello, I am trying to get a list of the algorithms and ciphers supported by NSS 3.17 in FIPS mode. Not easy. W

Re: AES-256 vs. AES-128

2015-11-30 Thread Robert Relyea
On 11/30/2015 12:07 PM, Julien Vehent wrote: On 2015-11-30 12:47, Robert Relyea wrote: I've always found the 128 bit prioritized over 256 a silly recommendation, I support reordering. Can you expand on why you think it is silly? The argument went that 128 bit was 'sufficient'

Re: AES-256 vs. AES-128

2015-11-30 Thread Robert Relyea
On 11/25/2015 02:01 PM, April King wrote: My colleague Julien Vehent and I are in the process of updating the Mozilla Server Side TLS documentation: https://wiki.mozilla.org/Security/Server_Side_TLS One of the topics of conversation was whether or not the Modern TLS configuration should prefe

Re: Add New OID to NSS

2015-11-04 Thread Robert Relyea
On 11/04/2015 11:21 AM, JBarry wrote: Hi Bob, Thank you for the helpful reply. I have looked at the files you have mentioned and am a little confused about something. For example (secoid.c lines 34-35): /* USGov algorithm OID space: { 2 16 840 1 101 } */ #define USGOV 0x60, 0x

Re: Add New OID to NSS

2015-11-04 Thread Robert Relyea
On 11/04/2015 08:57 AM, JBarry wrote: Hello, I'll apologize in advance if this question has already been asked/answered (I did look and found nothing that helped me out) or if the question seems trivial. I am a college intern currently working with NSS for the first time, so please forgive me if

Re: How to access certs in the Windows keystore from Java?

2015-10-08 Thread Robert Relyea
On 10/07/2015 10:45 AM, merlin.w.vinc...@gmail.com wrote: Maybe my googling skills are weak, but I found no information on how to get NSS to use keys from the Windows keystore. In the end, I decided it's probably a violation of the NSS paradigm anyway. It seems the intent is to use the NSS dat

Re: Prevent "proxyfying" PKCS#11

2015-09-28 Thread Robert Relyea
On 09/25/2015 09:13 AM, Erwann Abalea wrote: On Friday, 25 September 2015 14:39:04 UTC+2, helpcrypto helpcrypto wrote: On Fri, Sep 25, 2015 at 11:52 AM, Erwann Abalea wrote: [...] Although it won't solve my problem, this will make possible to kill signature applets forever, which indeed i

Re: Prevent "proxyfying" PKCS#11

2015-09-28 Thread Robert Relyea
On 09/25/2015 01:36 AM, helpcrypto helpcrypto wrote: Hi all I hope you can find a solution for my problem, cause I can't. (And perhaps it's impossible) Based on my knowledge of PKCS#11 standard, the spec is exposed to a MITM attack that steals the PIN when an application invokes C_Login again

Re: Can sign but cannot encrypt email using a valid S/MIME certificate

2015-09-04 Thread Robert Relyea
On 09/04/2015 05:06 AM, Thibault Derrien wrote: Dear all, I have obtained numerical certificates of national certification authority in Czech Republic (ICA). 1/ I have imported the certificate into Mozilla Thunderbird > Account Settings > Security > Digital Signing. - It shows Software Securit

Re: pk12util: Wrong certificate names in database

2015-07-27 Thread Robert Relyea
On 07/27/2015 12:54 AM, Trick, Daniel wrote: Thank you a lot for clarification, Kaspar! So, by design of NSS, all certificates with the same DN will end up with the same nickname. And the very first certificate with a specific DN will set the nickname for all other certificates (with that same

Re: placing NSS in fips mode using modutil is "forgotten" ?

2015-06-10 Thread Robert Relyea
On 06/10/2015 06:15 AM, Paul Wouters wrote: Hi, I'm trying to do various FIPS tests for libreswan. Our testing system using KVM is a little tricky to selectively boot with fips=1, so I did some scripting to get everything into faked FIPS mode. It basically comes down to first running a script

Re: NSS set extractable = no

2015-05-19 Thread Robert Relyea
On 05/18/2015 03:04 PM, Arthur Ramsey wrote: I have a requirement to disable key export on a key stored in a NSS DB in FIPS mode. I read through the documentation and found mention of the ability to do this, but not how. Where can I find information on how to disable key export? I will be us

Re: PK11SymKey in FIPS mode from nothing

2015-05-19 Thread Robert Relyea
On 05/12/2015 10:44 AM, Paul Wouters wrote: On Tue, 12 May 2015, Robert Relyea wrote: So, in FIPS mode, in a standalone test program, what is the correct way to turn g^ir into PK11SymKey. PK11SymKey *sym_key = PK11_ImportSymKey(slot, CKM_DH_PKCS_DERIVE, PK11_OriginUnwrap

Re: PK11SymKey in FIPS mode from nothing

2015-05-12 Thread Robert Relyea
On 05/12/2015 08:58 AM, Andrew Cagney wrote: Hi, I'm looking to clean up some test code (IKEv2, NISTs CAVP tests), so that they "work" in FIPS mode (what ever that means). So CAVS tests require hooking outside the FIPS mode boundary because CAVS tests access CSPs which aren't allowed outside t

Re: target parameter to PK11_Derive

2015-05-11 Thread Robert Relyea
On 05/07/2015 11:49 AM, Andrew Cagney wrote: [inline] On 5 May 2015 at 13:18, Robert Relyea wrote: The target Mechanism is the operation you are going to use the target key for, It shouldn't match the mechanism used to derive the key. It is basically used to set the appropriate key typ

Re: target parameter to PK11_Derive

2015-05-05 Thread Robert Relyea
On 05/05/2015 08:42 AM, Andrew Cagney wrote: Hi, I'm cleaning up some code (it has a long history) that, among other things, computes IKE's PRF (hmac) and PRF+ (key derivation function). The computation involves the use of PK11_Derive to perform lots of concatenation, padding, xoring, and hashi

Re: Problems with FF and internal certificates

2015-05-04 Thread Robert Relyea
On 05/04/2015 10:09 AM, Brian Smith wrote: On Fri, May 1, 2015 at 9:11 AM, Tanvi Vyas wrote: On Apr 27, 2015, at 2:03 PM, Michael Peterson < michaelpeterson...@gmail.com> wrote: Now, in the album I posted above (https://imgur.com/a/dmMdG), the last two screenshots show a packet capture from

Re: NSS support for RFC7512 PKCS#11 URIs

2015-05-04 Thread Robert Relyea
On 05/03/2015 02:17 AM, David Woodhouse wrote: On Sat, 2015-05-02 at 18:33 -0700, Jan Pechanec wrote: On Fri, 1 May 2015, David Woodhouse wrote: On Fri, 2015-05-01 at 11:35 +0100, Alan Braggins wrote: On 30/04/15 17:56, David Woodhouse wrote: Has anyone looked at implementing RFC7512 support

Re: Key zeroization in NSS DB

2015-03-25 Thread Robert Relyea
On 03/25/2015 04:30 AM, Jan Otte wrote: Hi, When finding out how to do key zeroization in NSS DB I stumbled upon https://bugzilla.mozilla.org/show_bug.cgi?id=347450 The last comment states that key zeroization is not needed for FIPS, which is in contrast with the initial description. What is

Re: Using JSS SSLSocket and and SSLServerSocket TLS 1.1 and 1.2

2015-01-13 Thread Robert Relyea
On 01/13/2015 09:18 AM, Christina Fu wrote: jss-4.2.6-35 can be found on koji for various supported fedora platforms. For rhel it's the same version number. Christina Are there any outside available builds, like windows? bob On 01/13/2015 09:09 AM, Robert Relyea wrote: Christina,

Re: Using JSS SSLSocket and and SSLServerSocket TLS 1.1 and 1.2

2015-01-13 Thread Robert Relyea
Christina, which version of JSS has TLS 1.1 and 1.2 support enabled? Bob On 01/12/2015 02:10 PM, deepr...@gmail.com wrote: Folks, Sorry for the totally newbie question but I've hunted high and low. I am supporting some Java code that uses JSS4, NSS to provide SSL Server side services. In res

Re: Accessing Firefox keystore

2015-01-09 Thread Robert Relyea
On 01/09/2015 08:03 AM, Opa114 wrote: I do. But I want to parse the cert8.db or maybe access this file in an easier way with JAVA. I have to read the file and maybe I have to remove and/or add new certificate to it. While there is some documentation on the format of cert8.db, if you are accessi

Re: Accessing Firefox keystore

2015-01-08 Thread Robert Relyea
On 12/11/2014 12:33 AM, helpcrypto helpcrypto wrote: Hi again, sorry for delay. Yes, you can (SHOULD) use SunPKCS#11 to access directly the libraries/modules. You can do it two ways: - attack libraries directly - parse (legacy) secmod.db on Firefox profile to list modules/libraries. Actuall

Re: libnsssysinit

2014-12-08 Thread Robert Relyea
On 12/08/2014 08:59 AM, David Woodhouse wrote: I still maintain that the path to sanity involves killing /etc/pki/nssdb entirely, and then you can look at applying *correct* fixes to whatever's still not behaving correctly. The whole point of /etc/pki/nssdb is so you have one place to install

Re: libnsssysinit

2014-12-08 Thread Robert Relyea
On 12/08/2014 05:05 AM, David Woodhouse wrote: On Mon, 2014-12-08 at 10:15 +, Martinsson Patrik wrote: So, to summarize, $> sudo update-alternatives --install /usr/lib64/libnssckbi.so libnssckbi.so.x86_64 /usr/lib64/p11-kit-proxy.so 1000 $> cat /etc/pki/nssdb/pkcs11.txt library=/usr/lib64/p

Re: libnsssysinit

2014-12-04 Thread Robert Relyea
On 12/04/2014 02:00 PM, David Woodhouse wrote: On Thu, 2014-12-04 at 10:33 -0800, Robert Relyea wrote: That one. libnssckbi.so is what provides the default trust roots. It's *always* supposed to be loaded in an NSS system. You shouldn't need to add it manually. I don't. Huh? t

Re: libnsssysinit

2014-12-04 Thread Robert Relyea
On 12/04/2014 03:31 AM, David Woodhouse wrote: You say that this shouldn't be necessary (and probably a bug), just to clarify things for me, do you mean that, 1 ) "adding the libnssckbi.so to shouldn't be necessary since it should already be there from the beginning, and that the bug is that

Re: libnsssysinit

2014-12-01 Thread Robert Relyea
To level set everyone, here, Martinsson is clearly running on RHEL, so most of his questions and my answers where are RHEL specific. On 11/19/2014 12:17 PM, Martinsson Patrik wrote: Hi everyone, I Need some help understanding the usage of the libnsssysinit-library (or a recommended method in h

Re: Reducing NSS's allocation rate

2014-11-11 Thread Robert Relyea
On 11/11/2014 12:32 PM, Ryan Sleevi wrote: On Tue, November 11, 2014 10:26 am, Nicholas Nethercote wrote: On Mon, Nov 10, 2014 at 7:06 PM, Ryan Sleevi wrote: Not to be a pain and discourage someone from hacking on NSS My patches are in the following bugs: https://bugzilla.mozilla.org

Re: NSS modutil: Adding PKCS#11 module with PIN to nssdb

2014-11-06 Thread Robert Relyea
On 11/06/2014 04:08 PM, Mike Gerow wrote: Thanks for the quick reply! I can see how caching the PIN would have its issues, but I'm not interested in having NSS ask for the PIN once and save it, but in configuring it to just use a provided PIN in the first place. Still has the same issue, if you c

Re: NSS modutil: Adding PKCS#11 module with PIN to nssdb

2014-11-06 Thread Robert Relyea
On 11/06/2014 03:12 PM, Mike Gerow wrote: Apologies if a dupe of this shows up. I had posted my last question without _properly_ subscribing to list and so it is stuck in some kind of moderator queue. I'm trying to add the opencryptoki PKCS#11 module to Chrome/Firefox's nssdb, and it seems to ha

Re: When will TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 cipher suite be available?

2014-09-29 Thread Robert Relyea
On 09/28/2014 03:09 PM, Eric Rescorla wrote: Eventually, but it's not a very high priority. Is there some reason you can't use AES-128? Actually the issue is the SHA384. We need to implement the new PKCS #11 spec to TLS key derive in softoken first. bob -Ekr On Mon, Sep 22, 2014 at 4:49 PM,

Re: issues with NSS 3.12.4

2014-09-25 Thread Robert Relyea
On 09/25/2014 04:22 AM, Sunil Raj wrote: Hi, Even I am facing the same issue. Were you able to find the problem? Java is trying to do something that isn't allowed in FIPS mode. It's trying to import a key in the clear. It should instead generate the key inside the token rather than import it.

Re: Adding local cryptographic algorithms to NSS library.

2014-08-05 Thread Robert Relyea
On 08/04/2014 05:43 AM, Andrey Askerko wrote: I want to add support of local cryptography algorithm into firefox. And I want to ask some questions: 1) I must modify only NSS module, or some firefox functions/definitions too? 2) Where I can find some manual, how I can add algorithm into NSS and

Re: modutil add softokn3.dll error

2014-07-22 Thread Robert Relyea
On 07/21/2014 05:48 AM, ramahmoo wrote: Hi, I am trying to add the newly built softtoken dll using the following command modutil -add "Softoken" -mechanisms RSA:DSA:RC4:DES -libfile C:\nss-3.16.1\dist\WIN954.0_OPT.OBJ\lib\softokn3.dll -dbdir c:\nssdb But I am getting the following error ERROR

Re: How to export private key in RSA format from NSS

2014-07-16 Thread Robert Relyea
On 07/15/2014 08:05 PM, Chuck Lee wrote: Yes, but it doesn't work because it also calls PK11_ExportPrivKeyInfo() to get the RSA private key info. Now I am trying to decrypt key exported by PK11_ExportEncryptedPrivKeyInfo() with method SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4 directly,

Re: SSLKEYLOGFILE always enabled

2014-07-16 Thread Robert Relyea
On 07/16/2014 07:31 AM, Jonathan Schulze-Hewett wrote: Does having this enabled violate the FIPS 140 requirements on exposing key materials in the clear? No, because the key logging fails if you are in FIPS mode (It used the PK11_ExtractKeyValue() to get the key, which will return an error in

Re: NSS Custom Crypto Module

2014-07-11 Thread Robert Relyea
On 07/10/2014 01:53 PM, ramahmoo wrote: Thanks, I would read the documentation. Can I extend/modify the NSS internal pkcs#11 source (softokn3.dll source) to achieve my requirement? It's probably not a good idea to try to create your own softokn3.dll to replace the Mozilla one, you will be forev

Re: NSS Custom Crypto Module

2014-07-10 Thread Robert Relyea
On 07/10/2014 01:28 AM, ramahmoo wrote: I have a requirement where TLS client auth has to be done by client certificate which is provided by a web-service (which in turn has access to smart cards at central server location). To achieve this I want a custom pkcs#11 crypto module that calls web ser

Re: Other ECC Curves

2014-06-10 Thread Robert Relyea
On 06/10/2014 09:47 AM, Kurt Roeckx wrote: > On Mon, Jun 09, 2014 at 04:27:56PM -0700, Rick Andrews wrote: >> AFAIK, Symantec and other CAs have added ECC roots to Mozilla's root store >> using NIST curves. Are any other ECC curves supported by Mozilla, in case >> one wanted to use a different cu

Re: ECC, FIPS Mode, and PKCS#11 devices

2014-05-30 Thread Robert Relyea
On 05/30/2014 11:55 AM, Jonathan Schulze-Hewett wrote: > Another bit of oddness. I can put the PKCS#11 device into "read only" mode > where it only supports CKS_RO_PUBLIC_SESSION and CKS_RO_USER_FUNCTIONS > states and asserts the CKF_WRITE_PROTECTED flag. In this state Firefox > attempts to call C_

Re: ECC, FIPS Mode, and PKCS#11 devices

2014-05-30 Thread Robert Relyea
On 05/30/2014 07:47 AM, Jonathan Schulze-Hewett wrote: > To whom it may concern, > > I have a PKCS#11 device that supports ECC operations. In particular > C_GetMechanismList includes the following items: > > CKM_ECDH1_DERIVE > CKM_ECDH1_COFACTOR_DERIVE > CKM_EC_KEY_PAIR_GEN > CKM_ECDSA > > The mod

Re: NSS fails to compile on MIPS64 n32 platforms

2014-05-15 Thread Robert Relyea
On 05/15/2014 02:31 AM, Vicente Olivert Riera wrote: > On 05/15/2014 10:11 AM, Vicente Olivert Riera wrote: >>> We usually do cross compiles by creating a cross target .mk file >>> (MIPS_CROSS.mk for instance). You can include linux.mk and explicitly >>> set the CPU_ARCH inside there. (see android.

Re: NSS fails to compile on MIPS64 n32 platforms

2014-05-14 Thread Robert Relyea
On 05/14/2014 03:57 AM, Vicente Olivert Riera wrote: > On 05/13/2014 07:20 PM, Robert Relyea wrote: >> On 05/13/2014 03:42 AM, Vicente Olivert Riera wrote: >>> Hi Paul, >>> >>> I think I have fixed the problem. >>> >>> The failure comes from

Re: NSS fails to compile on MIPS64 n32 platforms

2014-05-13 Thread Robert Relyea
On 05/13/2014 03:42 AM, Vicente Olivert Riera wrote: > Hi Paul, > > I think I have fixed the problem. > > The failure comes from this file > "mozilla/security/nss/lib/freebl/drbg.c" on the line #512, which has > an assert of the size of "size_t": > > PR_STATIC_ASSERT(sizeof(size_t) > 4) > > That li

Re: TLS 1.2 / PR_Write

2014-04-22 Thread Robert Relyea
On 04/17/2014 04:46 PM, james brown wrote: > Hi > > I'm a little bit confused about the differences in implementation of SSL v3 > and TLS 1.2 > > In Firefox when you visit a website with SSL v3 the data sent through > PR_Write is in plaintext and later to be encrypted in Ssl_Write (as far as > I kn

Re: Chrome: From NSS to OpenSSL

2014-04-08 Thread Robert Relyea
On 04/08/2014 06:31 AM, Alan Braggins wrote: > On 08/04/14 13:11, Jean-Marc Desperrier wrote: >> Ryan Sleevi wrote: >>> reliance on PKCS#11 means that there are non-trivial overheads when >>> doing something as "simple" as hashing with SHA-1. For something >>> that is >>> such a "simple" transfo

Re: Cryptoki interface to decrypt mail with thunderbird

2014-03-18 Thread Robert Relyea
On 03/18/2014 04:29 AM, Leon Brits wrote: > Robert, > > Thanks for your help. This discussion has helped me to find the error in our > padding implementation for symmetric ciphers using OpenSSL which defaults to > "always pad". > > Encryption and decryption via thunderbird now works just fine. g

Re: Cryptoki interface to decrypt mail with thunderbird

2014-03-14 Thread Robert Relyea
On 03/14/2014 04:42 AM, Leon Brits wrote: > Robert, > > Thanks for your time. > >> cmscipher does call DecryptUpdate, but for the symmetric portion, not the >> asymmetric portion. We were talking about key unwrapping/decrypt in RSA. >> This is clearly a symmetric operation (DES3 or AES or somethin

Re: Cryptoki interface to decrypt mail with thunderbird

2014-03-13 Thread Robert Relyea
On 03/13/2014 05:12 AM, Leon Brits wrote: > Robert, > > Attached is a log of the backtrace when I try to use Thunderbird to decrypt > an email. As you can see in the log it reaches C_DecryptUpdate(), but then > asserts at cmscipher.c:452. I don't see the attachment? did you forget or did the mai

Re: initializing the standalone nss soft token (libsoftokn3.so)

2014-03-11 Thread Robert Relyea
On 03/10/2014 08:50 PM, Dave wrote: > I'm having trouble initializing the nss soft token when linking against it > directly. The function _NSSUTIL_EvaluateConfigDir (utilpars.c) is > segfaulting when passing the following initialization arguments to > C_Initialize: > > CK_CHAR * configStr

Re: Cryptoki interface to decrypt mail with thunderbird

2014-03-10 Thread Robert Relyea
On 03/10/2014 12:48 AM, Leon Brits wrote: > Hi Robert, > > Thanks for the reply. > >> ...I'm assuming we are talking >> about an RSA operation here and not a symmetric key operation like AES or >> DES. > Yes RSA. > >> Yes, I just checked. We are unwrapping a key (which is what the logical >> fun

Re: Cryptoki interface to decrypt mail with thunderbird

2014-03-07 Thread Robert Relyea
On 03/07/2014 07:02 AM, Leon Brits wrote: > Hi, > > We have a security device which is used via cryptoki (PKCS#11) to perform > cryptographic operations such as sign/verify and en/decrypt of emails. > Sign works via our device while Verify and Encrypt is done by the PC. Our > problem is with Decr

Re: SSL objects and NSS code communicating with PKCS#11 module

2014-03-05 Thread Robert Relyea
On 03/05/2014 01:21 AM, Raad Bahmani wrote: > Hello Robert, > > thank you for your answer! > > >>> 3) Which algorithm is used for login with SSL ? >> I'm not sure what you mean by 'login with

Re: NSS algorithm performance

2014-03-05 Thread Robert Relyea
On 03/04/2014 03:54 PM, Julien Pierre wrote: > Did anyone ever write a script that measures the performance of all > the low-level algorithms in freebl, and collects the data in a way > that's easy to compare ? This would probably be using bltest. > This is for the purpose of evaluating different c

Re: SSL objects and NSS code communicating with PKCS#11 module

2014-03-03 Thread Robert Relyea
On 03/03/2014 04:31 AM, Raad Bahmani wrote: > Hello together, > > I need to implement a PKCS11-library which simulates a smart-card and > responds to login attempts with SSL certificates. > > I have found out that SSL needs the following mechanisms, so the > "C_GetMechanismList" of my library speci

Re: Longterm crypto support

2013-12-16 Thread Robert Relyea
On 12/14/2013 06:28 PM, Brian Smith wrote: > Kurt, > > Thanks for your suggestions. > > On Sat, Dec 14, 2013 at 12:46 PM, Kurt Roeckx wrote: > >> I think we need to come up with a plan to improve security in the >> long run. I think what we would like to see in general is: >> - Only SHA256 or bet

Re: SHA-256 support

2013-11-19 Thread Robert Relyea
On 11/19/2013 10:40 AM, Wan-Teh Chang wrote: > Bob's answer is accurate. > > Note that CAs are more interested in SHA-2 based signature support > rather than plain SHA-2 support. So another way to track down the NSS > version is to look at the CVS history of the secvfy.c file: > > http://bonsai.moz

Re: SHA-256 support

2013-11-19 Thread Robert Relyea
-256, SHA-384 and SHA-512. Unsurprisingly, these 3 > functions from the SHA-2 family are what the Windows CryptoAPI > actually supports (since XP SP3). > My evaluation on when we supported SHA-2 covers all 3 hash functions. > On 19/11/13 02:20, Robert Relyea wrote: >> I thi

Re: SHA-256 support

2013-11-18 Thread Robert Relyea
On 11/18/2013 07:00 AM, Gervase Markham wrote: > Hi everyone, > > Following Microsoft's announcement re: SHA-1, some CAs are asking > browser and OS vendors about the ubiquity of SHA-256 support. It would > be a help to them if we could say: > > - Which version of NSS first supported SHA-256 I quic
