Re: How do I convert org.mozilla.jss.pkix.cert to org.mozilla.jss.crypto.X509Certificate?

2017-05-25 Thread Ernie Kovak
Try this: /** Convert an NSS certificate to a Java X509Certificate */ protected X509Certificate convertNssCertificate(org.mozilla.jss.crypto.X509Certificate cert) throws CertificateException { InputStream in = null; try { byte[]

Linker error from tstclnt

2017-05-25 Thread Ernie Kovak
Hello - I'm trying to build NSS 3.30.2 on Windows 10, following the instructions at https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Building. I get the following linker error: kernel32.lib(KERNEL32.dll) : error LNK2005: ReadFile already defined in tstclnt.obj WIN954.0_x86_64_64_O

Re: Are NSS bug fix releases still FIPS 140-2 certified?

2017-05-17 Thread Ernie Kovak
Thanks, Julien. I went through the 'All' CMVP certificate list and, for every module tested on Windows, searched the security policy for "nss" and "softokn". Sadly, I didn't find any based on NSS. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinf

Re: Are NSS bug fix releases still FIPS 140-2 certified?

2017-04-10 Thread Ernie Kovak
Kyle Hamilton is right. The authoritative document is the NSS module's security policy, which is linked from their validation certificate (see above). That policy specifies how the module can be used in order to be FIPS 140-2 compliant. According to the NIST FIPS 140-2 Implementation Guide (htt

Re: Are NSS bug fix releases still FIPS 140-2 certified?

2017-02-17 Thread Ernie Kovak
Red Hat validated their NSS cryptographic module again at the end of 2016, using NSS v3.16.2.3-13.el7_1. See cert# 2711 in the NIST validated modules list: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2016.htm

Are NSS bug fix releases still FIPS 140-2 certified?

2017-02-13 Thread Ernie Kovak
Sorry, I'm not familiar with the rules governing FIPS 140-2 certification and I'd appreciate some help with the following question: I find NIST certification #1837 for version 3.12.9.1 from back in 2012. (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1837) Have the changes

Re: Is the shared database intended for multiple users?

2017-02-02 Thread Ernie Kovak
I think the solution to this is to open multiple databases... unfortunately that's not supported from Java.

Is the shared database intended for multiple users?

2017-01-27 Thread Ernie Kovak
Hello - We use NSS to provide FIPS-compliant encryption in a Java desktop application. Each user has a MDB database under their C:\Users\User.Name directory, in which they keep their certificates and public/private key pairs. But all users also get a few shared keys, which currently have to be

Re: JSS/NSS locks my smart card after 1 bad pin entry

2016-10-11 Thread Ernie Kovak
Thanks for the reply, Robert! We're using OpenSC 0.16.0 and it's working well so far. The problem turned out to be exactly what you suggested. The JSS PK11Token login method takes a password callback handler. The handler has a getPasswordAgain method that's used for retries, and returning anyth

Re: JSS/NSS locks my smart card after 1 bad pin entry

2016-10-10 Thread Ernie Kovak
On Friday, October 7, 2016 at 7:56:29 PM UTC-6, Ernie Kovak wrote: I replaced the OpenSC module with an ActivClient module (acpkcs211.dll) and that module does not lock the card. I've posted a query to the OpenSC forum asking about this. However, ActivClient displays its own PIN prompt d

JSS/NSS locks my smart card after 1 bad pin entry

2016-10-07 Thread Ernie Kovak
Hello - We're using JSS4 and NSS 3.24 with an OpenSC module to interact with a DoD CAC. CACs will lock after 3 consecutive bad PIN entries. We're finding that if the user enters a bad PIN even once, that hard limit is exceeded and the card is locked. I've searched through NSS to see if there's

Re: NSS 3.20 SunPKCS11-nss-fips is missing the SunTls12RsaPremasterSecret algorithm

2015-09-30 Thread Ernie Kovak
Others have run into this as well: http://stackoverflow.com/questions/28972574/does-tls1-2-work-with-nss-in-fips-mode-using-jsse-configured-with-sunpkcs11-nss

Re: NSS 3.20 SunPKCS11-nss-fips is missing the SunTls12RsaPremasterSecret algorithm

2015-09-17 Thread Ernie Kovak
I apologize, I was using SSL as a generic term... clearly not appropriate in this forum. Of course it's using TLS v1.2. That's why it wants the SunTls12RsaPremasterSecret algorithm. Ernie

Re: SSL connection problem: InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

2015-09-03 Thread Ernie Kovak
This turned out to be caused by incorrect certificate trust attributes. Using "CT" for the SSL attribute fixed it. Thanks! Ernie

NSS 3.20 SunPKCS11-nss-fips is missing the SunTls12RsaPremasterSecret algorithm

2015-09-03 Thread ernie . kovak
Using NSS 3.20 built on Windows, using it with Java 8 for SSL connections from thick client to FIPS-enabled server. It fails to establish a connection, generating the following exception: Caused by: javax.net.ssl.SSLKeyException: RSA premaster secret error at sun.security.ssl.RSAClientK

SSL connection problem: InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

2015-09-03 Thread ernie . kovak
Hi, all - I have NSS 3.19.2 built on Windows, using it with Java 8 for SSL connections from thick client to server. Fails to establish a connection with this error: Caused by: javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterExcep