I am not sure about the current version (3.6) of FF, but in earlier versions
(FF 2.0 and 3.0), the key/certificate DB did not support multiple write
interfaces i.e. DB write using one API does not get propagated to other
API. As a result, keys/certs added by JSS API are not picked by the PSM
XPCOM
Hi,
Can I add more than one e-mail address as subjAltName extension in
X.509 cert? Since, value type of subjAltName is GeneralNames, I know I
am allowed to do that syntactically.
My questions are :
- Does this fall within the best practices for X.509 based PKI?
- Are the NSS APIs des
Hi,
My experience so far is that PSM Certificate Manager is never launched
when PKCS#12 link is clicked. Not on Windows. Not on Linux (as described
by the bug filer). Do not remember for Mac OS X.
Here is what I think is the explanation for the behavior on windows:
On Windows PKCS#12 file ty
Hi Sudha,
Yes, you can check for existence of smart card by using the
nsIPK11Token.isHardwareToken() method.
(http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/public/nsIPK11Token.idl#88)
You can iterate over all the tokens, and check for existence of hard token
as follows:
f
Hi Sunny,
Here is some Cert-related utility code (in Javascript) using XPCOM API
for Mozilla PSM/NSS:
Note: Look into the IDL files for details about the attributes, methods,
and related comments.
// IDL file for nsIX509CertDB :
http://mxr.mozilla.org/mozilla-central/source/security/manage
Hi Stefan,
I am assuming that the signed XML file contains the X.509 certificate
data in base-64 format.
I also assume that you can extract the base-64 certificate data from the
XML file.
Given the base-64 X.509 certificate data, you can show the certificate
using the Firefox certificate viewe
Ubuntu, I recommend that you do not use Firefox that
comes with Ubuntu distribution - download the Firefox from Mozilla.
--
Subrata
Marc Kaeser wrote:
Hello!
Thanks, I've seen the other thread, and I'm very interested in it :-)
I wonder how Subrata Mazumdar managed to load that modu
Aditya Ivaturi wrote:
If you know that it is a server cert, you can also use the
'nsNSSCertificateDB::ImportServerCertificate() method
(http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/sr...
).
You have to convert base64 data to DER format before using this method.
I h
Hi Aditya,
you can find trust related info in certutil documentation :
http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html.
Look for the -t option for the trust arguments.
If you know that it is a server cert, you can also use the
'nsNSSCertificateDB::ImportServerCertificate
Mozilla NSS does not support any task with EC keys that require signing
with private
keys: create self-signed certificate, generate PKCS#10 CSR, enroll
certificate using
KEYGEN tag etc. The signing with EC keys is explicitly disabled in NSS
modules
of all Mozilla applications. BTW, actual key-g
Please see my inline responses.
Martin Schneider wrote:
Hello Subrata and others
Thanks for your reply. Unfortunately this doesn't work for me.
Here is a bash shell-script that I have used to start the Opencryptoki
PKCS#11 driver :
# BIOS Set up
# Step 1. Turn the computer off.
# Step 2.
Hi Martin,
last December I configured TPM in my Dell D820 to access from Firefox on
Linux.
I am guessing that you are looking for info for Linux. For windows,
PKCS#11 drivers are
typically supplied by the TPM vendor like any other smart card vendor.
Initialization of TPM for PKCS#11 support
-token. But, I am not going to question
developer's decision because they have to live with the consequences.
--
Subrata
Wan-Teh Chang wrote:
On Thu, May 14, 2009 at 8:53 PM, Subrata Mazumdar
wrote:
I just have another question. According to the source code
(http://mxr.mozilla.org/sec
Nelson B Bolyard wrote:
Kaspar Brand wrote, On 2009-05-13 22:16:
Subrata Mazumdar wrote:
As I have said in the earlier message, I have no problem in generating
EC key-pair. I get error when I try to sign the request using the
private key.
Maybe you're falling prey to
Nelson B Bolyard wrote:
Subrata Mazumdar wrote, On 2009-05-13 06:45 PDT:
The key generation now works for RSA and DSA key types but it still fails
for EC key type.
else if (keyType == "dsa") {
keyGenAlg = "dsa-sign-nonrepudiation";
David Stutzman wrote:
Subrata Mazumdar wrote:
On further testing and reading the description of
generateCRMFRequest() method doc, I figured out why the key
generation was failing.
I have to pass keySize as integer type not string type.
The key generation now works for RSA and DSA key types but
ey types but it still fails
for EC key type.
Is key generation for EC type supported on Firefox 3.0.10?
--
Subrata
Subrata Mazumdar wrote:
Hi,
I am not able to generate key using window.crypto.generateCRMFRequest()
method. I have tried all three possible types : rsa, dsa, and ec.
I am at
Hi,
I am not able to generate key using window.crypto.generateCRMFRequest()
method. I have tried all three possible types : rsa, dsa, and ec.
I have attached my test code fragment. I am running the test within an
add-on - on Firefox 3.0.10/Fedora8.
I am getting NS_ERROR_FAILURE in exception messa
Hi Arun,
You can follow the code in PSM that displays the server certificate when
you double-click on the lock icon in the status-bar :
http://mxr.mozilla.org/mozilla-central/source/browser/base/content/pageinfo/security.js#119
http://mxr.mozilla.org/mozilla-central/source/browser/base/content/p
A related question:
Is it possible to configure the NSS Soft-Token associated with the
internal slot
like smart-card based token so that the private key cannot be
exported out of the token?
If not, would it be useful feature to support?
--
Subrata
Nelson B Bolyard wrote:
Kyle Hamilton w
Hi,
which Linux distros support NSS-enabled OpenSSH client?
I know that OpenSSH client in Fedora supports it.
Any other distro is planning to support NSS-based crypto consolidation
vision presented in
http://fedoraproject.org/wiki/FedoraCryptoConsolidation.
Thanks.
--
Subrata
___
[EMAIL PROTECTED] wrote:
NSS_Initialize will not add a new database, but there is a call that
will: https://developer.mozilla.org/en/NSS_PKCS11_Functions#SECMOD_OpenUserDB
When you are through you can get rid of close the database
with: https://developer.mozilla.org/en/NSS_PKCS11
Wan-Teh Chang wrote:
> 2008/10/6 Kai Engert <[EMAIL PROTECTED]>:
>
>> Wan-Teh Chang wrote:
>>
>>> - The password must be at least seven characters long.
>>> - The password must consist of characters from three or more character
>>> classes (uppercase, lowercase, digits, etc.).
>>>
>>>
Hi,
I am using Firefox 3.0.3. I have FIPS enabled the software security
device using "Security Devices" dialog window in PSM.
This step forced me to password protect the internal Key token
(Software security device).
Then, I tried to change the password of the "internal key" token using
the
Robert Relyea wrote:
> Subrata Mazumdar wrote:
>> Bob,
>> I implemented the importing and exporting of private key from PKCS#8
>> file using NSS API.
>> Here is what I found based on my testing :
>>
>> Using Mozilla NSS API, I can only import/export privat
using the OpenSSL API
because NSS uses 16 byte salt for encryption but the OpenSSL API expects
8 byte salt.
--
Subrata
Robert Relyea wrote:
> Subrata Mazumdar wrote:
>> Nelson,
>> thanks very much for the clear answer - I did not realize that the
>> Mozilla NSS does not
Wan-Teh Chang wrote:
> On Sat, Sep 27, 2008 at 12:17 PM, Nelson B Bolyard <[EMAIL PROTECTED]> wrote:
>
>> Subrata Mazumdar wrote, On 2008-09-27 06:33:
>>
>>> Actually, the problem is even worse - some of the applications use
>>> unencrypted priva
private key and public key cert. Actually, the problem is even
worse - some of the applications
use unencrypted private key or OpenSSL specific encrypted PEM file
(generated using 'openssl rsa' command).
Any way, thanks once again.
--
Subrata
Nelson Bolyard wrote:
> Subrata Mazumdar w
Hi,
I am having problem in reading PKCS#8 file generated by OpenSSL command
line tool ("openssl pkcs8").
OpenSSL supports a number of encryption algorithms with option v1 and v2
(http://www.openssl.org/docs/apps/pkcs8.html).
I can only successfully read the PKCS#8 file generated using encryption
SL sites. Is there any way
> to listen to the event of a SSL enabled site asking for the cert so I
> can request a password from the user at that point?
>
> Any suggestions or snippets?
>
> Thanks!
> Will.
>
>
>
> On Sep 25, 5:17 am, Subrata Mazumdar <[EMAIL PROTECTED
initialization,
I think that problem is with PSM. If I ignore the old-password field
and only provide new password, everything works fine.
Thanks once again for your help.
--
Subrata
Robert Relyea wrote:
> Subrata Mazumdar wrote:
>>nsCOMPtr softToken;
>>rv = pkcs11Slot->GetTo
Hi,
I am having problem in resetting the password of slot after removing the
soft-token associated with it.
Everything works fine for the first time. When I try to create a slot
second time, the new token is installed
in the previously created empty slot with the old token name and
protected by
Hi,
Apache XML Security C++ library
(http://xml.apache.org/security/c/index.html) provides single C++ based
cryptographic interface with multiple Crypto API (OpenSSL, NSS, MS-CAPI)
based implementation. The Apache XML Security C++ library implements
signing, encryption as well as decryption for
Thanks Nelson.
Please see my in-line responses.
Nelson Bolyard wrote:
> Subrata Mazumdar wrote, On 2008-08-12 20:30:
>
>
>> I have a certificate based mutually authenticated session between the
>> browser and a web server.
>> I would like to find out the certif
Hi,
I have a certificate based mutually authenticated session between the
browser and a web server.
I would like to find out the certificate used presented by the browser
using a programmatic API.
I can get the server certificate by clicking the icon at the status-bar
window.
How do I find out t
Thanks Nelson.
Your suggestion about using PK11_GetInternalKeySlot() solved the problem.
---
Subrata
Nelson B Bolyard wrote:
> Subrata Mazumdar wrote, On 2008-08-07 05:34:
>
> Subrata, I apologize for not responding sooner.
>
>
>> Is it possible to import the PKCS#8
Hi,
Is it possible to import the PKCS#8 file for private key together with
the related X.509 cert file using PK11_ImportEncryptedPrivateKeyInfo()?
I have tried and was not successful.
The PKCS#8 file was created using the
PK11_ExportEncryptedPrivateKeyInfo(). The PKCS#8 file is valid one - I
t
Hi,
I have created a self-signed cert using certutil. I want to export the
associated private key in Mozilla Cert/Key DB as an un-encrypted private
key to be used by an OpenSSL based App.
The requirement is to use Mozilla NSS API to export the key - not
OpenSSL API or OpenSSL
command line tools
Hi Bob,
here is my experience so far with the NSS PKCS#11 and CAPI.
I tried out the NSS PKCS#11 DLL for CAPI with Firefox3 security device
manager and I was able to load the DLL as PKCS#11 module.
Last time (a few months ago) I tried with Firefox2 and it did not work.
I was actually surprised t
Alex,
If I understood you correctly, you do not want users to import unknown
server certificates and disable this capability.
In Firefox2, this dialog was created by newserver.xul (
http://lxr.mozilla.org/mozilla1.8.0/source/security/manager/pki/resources/content/newserver.xul
)
dialog window.
.
>
> But i want the path to be the former one.
> I would appreciate your help, i have been stuck on this for more than
> 2 months..
>
> Thanks,
> Akkshayaa
>
> Subrata Mazumdar wrote:
>> Hi Akkshayaa,
>> The Device Manager in Mozilla PSM registers the PKCS#11 mo
r/pki/resources/content/device_manager.js#459
http://lxr.mozilla.org/mozilla/source/security/manager/ssl/src/nsCrypto.cpp#3017
BTW, once PKCS#11 module is registered, browser will automatically load
the module every time you open the browser.
Your add-on need not load it.
--
Subrata Maz
.
--
Subrata
Nelson Bolyard wrote:
> Robert Relyea wrote, On 2008-03-26 18:13:
>
>> Subrata Mazumdar wrote:
>>
>>> Hi,
>>> is there any way I can find the certificate associated with a public key
>>> using
>>> the SubjectPublicKeyInfo (CERTSubj
Thanks Robert.
I will follow your suggestion and iterate over the list and use the
context to filter
out cert before comparing the SPKIs.
--
Subrata
Robert Relyea wrote:
> Subrata Mazumdar wrote:
>> Hi,
>> is there any way I can find the certificate associated with a publi
Hi,
is there any way I can find the certificate associated with a public key
using
the SubjectPublicKeyInfo (CERTSubjectPublicKeyInfo)?
I am looking for public API and not too low level.
I looked in the .../nss/certdb/cert.h and .../nss/pk11wrap/pk11pub.h
files - couldn't find anything appropr
Please ignore this message. I did not realize that I have imported the
signing certificate and its trust bits were not set to true.
--
Subrata
Subrata Mazumdar wrote:
> Hi,
> I have a signed XPI file that passes the signature verification during
> installation in FF2 but verification
Hi,
I have a signed XPI file that passes the signature verification during
installation in FF2 but verification fails in FF3 (running on Fedora7
Linux).
The signing certificate is signed by our own CA and the CA cert's trust
flags are set to true. The XPI file is signed with NSS version of
sig
lib directory. Do I have build it manually?
Thanks.
---
Subrata
Robert Relyea wrote:
> Subrata Mazumdar wrote:
>> Thanks Nelson. My comments are inline.
>>
>> Nelson Bolyard wrote:
>>
>>> Subrata Mazumdar wrote, On 2008-02-28 17:18:
>>>
>>>
Thanks Nelson. My comments are inline.
Nelson Bolyard wrote:
> Subrata Mazumdar wrote, On 2008-02-28 17:18:
>
>
>> I have two questions about configuration of PKCS#11 module in Firefox 3:
>>
>> - is there any documentation on how to configure MS CAPI as PKCS#11
Hi,
I have two questions about configuration of PKCS#11 module in Firefox 3:
- is there any documentation on how to configure MS CAPI as PKCS#11
module in Firefox 3 and certutil?
- Also, is it possible to configure NSS softoken as PKCS#11 module
(like we do in Java to access NSS) within NSS?
Eddy,
I think that you can do it. Have you looked into nsIPK11Token interface
(http://lxr.mozilla.org/mozilla1.8.0/source/security/manager/ssl/public/nsIPK11Token.idl)
?
The nsIPK11Token interface would allow you to filter tokens based on a
number of attributes and
eventually you can determin
Michael Ströder wrote:
> Subrata Mazumdar wrote:
>>>
>> There is a new version of KeyManager available that supports
>> SeaMonkey.
>
> I'll give it a try.
>
> What I'm really missing are some simple functions like exporting a
> cert receiv
Robert Relyea wrote:
>
>>
>> I don't think neither the KEYGEN tag nor the window.crypto objects can
>> be used to generate keys in tokens
>> If yes...how can it be done
>> I just wanted to start a new thread..for the same.
>>
> If there is a token installed, Seamonkey/Firefox/Mozil
Yes, it works on SeaMonkey, Thunderbird, Flock, and Sunbird .
--
Subrata
Michael Ströder wrote:
> Subrata Mazumdar wrote:
>> try this add-on : https://addons.mozilla.org/en-US/firefox/addon/4471
>
> Interesting. Does it also work with Seamonkey?
>
Arun,
try this add-on : https://addons.mozilla.org/en-US/firefox/addon/4471
In addition to GUI, it will also let you generate PKCS#10 CSR using
XPCOM if you so desire.
--
Subrata Mazumdar
[EMAIL PROTECTED] wrote:
> Hello people,
>
> I need to know how to generate key pair and corres
opinion it
is quite
difficult to use JSS directly from Javascript API (all those
SecurityManager related problem shows up).
That is why we have defined the XPCOM API for PKCS#10 in our extension.
--
Subrata
Subrata Mazumdar wrote:
> Giacomo,
> you can try our FF extension :
> https://addons.mo
Giacomo,
you can try our FF extension :
https://addons.mozilla.org/en-US/firefox/addon/4471
for generation of PKCS#10 based CSR. The extension also provides XPCOM API
for using with an FF-based Javascript apps.
--
Subrata
Giacomo Pappagallo wrote:
> Browsers based on Mozilla use crypto.generateC
Assuming that you have an X.509 certificate in either Base64 or DER
format, you can use the nsIX509CertDB.importUserCertificate() method:
http://www.xulplanet.com/references/xpcomref/ifaces/nsIX509CertDB.html#method_importUserCertificate.
Notice that, this method expects that the private key for
ot know what that format is.
OpenSSL can work with PKCS#8 formatted key but it is not default format.
--
Subrata
Nelson Bolyard wrote:
> Subrata Mazumdar wrote:
>
>
>> I could only extract the private key in PKCS#8 format not in the
>> private key format expected by
I also wanted to ask the same question. It would be really nice to have
command line tool for mapping PKCS#12 to OpenSSL private key using NSS
library.
I could only extract the private key in PKCS#8 format not in the
private key format expected by OpenSSL.
BTW, unless the application specific
Hi Nelson,
No, it does not work on Seamonkey.
An old "contents.rdf" file (which I forgot to remove) also messes up the
browser's menu.
I should have tested it on Mozilla - sorry about that.
--
Subrata
Nelson Bolyard wrote:
> Subrata Mazumdar wrote:
>
>> Here is
Hi Anders,
Please take a look at the following extension at (s:
https://addons.mozilla.org/en-US/firefox/addon/4522
I have mentioned this extension in response to your comments on my
KeyManager extension.
It is my first effort in supporting XML based security protocols - XML
based signature process
I do not propose making the Netscape extension a PKIX
> standard but rather start discussing the road to a better
> support of credential life-cycles.
>
> Comments?
>
> Anders Rundgren
>
>
> - Original Message -
> From: "Subrata Mazumdar" <[EMAIL PROTECTED]>
>
.
--
Subrata
s
Kyle Hamilton wrote:
> Why is the binary code not available as source so that those of us who
> are on Macs can actually compile it? Is this intended to be
> proprietary?
>
> -Kyle H
>
> On 3/30/07, Subrata Mazumdar <[EMAIL PROTECTED]> wrote:
>> He
ou are not really keen on learning Mozilla-NSS command line
utilities, such as certutil, pk12util, signtool etc., if you can use
this extension to do the same tasks. It presents XUL based forms for
various parameters.
-
Thanks,
--
Subrata
Subrata Mazumdar wrote:
> Hi,
> I would li
You can use the following method :
void exportPKCS12File(in nsISupports aToken,
in nsILocalFile aFile,
in unsigned long count,
[array, size_is(count)] in nsIX509Cert aCerts);
of nsIX509CertDB interface to export the key-pair
ed for publicly available
extension.
Thanks.
--
Subrata Mazumdar
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
fox support SOAP API and SOAP requires XML based signature,
how is it done?
I have searched through the Firefox source code and couldn't find anything.
Thanks for your help.
--
Subrata Mazumdar
68 matches