Re: ECC DER Signing

2010-01-19 Thread Konstantin Andreev
On Wed, 20 Jan 2010, Kaspar Brand wrote: On 20.01.2010 02:11, Wan-Teh Chang wrote: With the nss-3.12.5-with-nspr-4.8.2.tar.gz tarball that you downloaded from Mozilla, you have to build "Extended ECC" using the complicated procedure described in http://pki.fedoraproject.org/wiki/ECC_Capable_NS

Re: ECC DER Signing

2010-01-19 Thread Kaspar Brand
On 20.01.2010 02:11, Wan-Teh Chang wrote:
> With the nss-3.12.5-with-nspr-4.8.2.tar.gz tarball that you
> downloaded from Mozilla, you have to build "Extended ECC"
> using the complicated procedure described in
> http://pki.fedoraproject.org/wiki/ECC_Capable_NSS, and
> you have to use a third-party

Re: ECC DER Signing

2010-01-19 Thread Konstantin Andreev
On Wed, 20 Jan 2010, Wan-Teh Chang wrote: 2010/1/18 Kai Chan : With the nss-3.12.5-with-nspr-4.8.2.tar.gz tarball that you downloaded from Mozilla, you have to build "Extended ECC" using the complicated procedure described in http://pki.fedoraproject.org/wiki/ECC_Capable_NSS, and you have to u

Re: ECC DER Signing

2010-01-19 Thread Wan-Teh Chang
2010/1/18 Kai Chan :
> When building with both "NSS_ENABLE_ECC" and "NSS_ECC_MORE_THAN_SUITE_B"
> enabled, the build fails because of lib/freebl/ecl/ecl-curve.h:
>     #ifdef NSS_ECC_MORE_THAN_SUITE_B
>     #error This source file is for Basic ECC only .
>     #endif
>
> I guess this is the extent

Re: ECC DER Signing

2010-01-19 Thread Kai Chan
Hi, I'm building the 3.12.5 with NSPR .tgz from Mozilla FTP on a Fedora system. Yeah, I noticed this was a problem before, but I was fine with just NISTP256 to 521 except you're saying the previous command won't work in Basic ECC mode. Wait, you said RPM, as in not building from source from Mozil

Re: ECC DER Signing

2010-01-19 Thread David Stutzman
On 1/15/2010 4:21 PM, Kai Chan wrote: certutil -R -s "CN=ectest, O=ectest, L=ectest, ST=ectest, C=US" -p "123-456-7890" -o ectest.req -d . -k ec -q nistp256 -Z SHA256 That command works for me. Are you trying this on a Red Hat or Fedora system? If so, compiling NSS with extended ECC support

Re: ECC DER Signing

2010-01-18 Thread Kai Chan
When building with both "NSS_ENABLE_ECC" and "NSS_ECC_MORE_THAN_SUITE_B" enabled, the build fails because of lib/freebl/ecl/ecl-curve.h:
    #ifdef NSS_ECC_MORE_THAN_SUITE_B
    #error This source file is for Basic ECC only .
    #endif
I guess this is the extent softoken can be used? Then the ce

Re: ECC DER Signing

2010-01-15 Thread Kai Chan
Hi, I take it "Extended ECC" is the additional option of "NSS_ECC_MORE_THAN_SUITE_B"? I tried NSS 3.12.5 with NSPR 8.2 with only that option and "NSS_ENABLE_ECC", so it's using softoken. Unfortunately, still getting the same error. Here's the command again in case I made a mistake: certutil -R

Re: ECC DER Signing

2010-01-15 Thread Wan-Teh Chang
Kai, In NSS builds marked as "Basic ECC", ECC may be used only for TLS/SSL. So it's possible that certutil cannot generate CSRs when the "Basic ECC" version of NSS is used. In NSS builds marked as "Extended ECC", certutil should be able to generate CSRs. If not, it's a bug. You can read this w

Re: ECC DER Signing

2010-01-15 Thread Kai Chan
Yes, it's pointing to the ECC-enabled NSS. I am able to generate EC keys using: certutil -G -d . -k ec -q nistp256 However, no luck with EC certificate requests with and without specifying the hash. Thanks, Kai On Thu, Jan 14, 2010 at 7:46 PM, Kyle Hamilton wrote: > Are you certain that certu

Re: ECC DER Signing

2010-01-14 Thread Kyle Hamilton
Are you certain that certutil is using the version of the NSS library that has ECC support compiled in? Most *nixes have a command called 'ldd' or such that will print the list of dynamic libraries that an executable depends on, as well as what files the system is using to match them. Windows has

Re: ECC DER Signing

2010-01-14 Thread Kai Chan
Correction: certutil -R -s "CN=ectest, O=ectest, L=ectest, ST=ectest, C=US" -p "123-456-7890" -o ectest.req -d . -k ec -q nistp256 -Z SHA256 During the parameter parsing in certutil_main() in cmd/certutil/certutil.c, the '-Z' option should call SECU_StringToSignatureAlgTag() in cmd/lib/secutil.c a

Re: ECC DER Signing

2010-01-14 Thread Kai Chan
Thank you both for your responses. Yes, you are correct. I've compiled NSS with "NSS_ENABLE_ECC" and I can make EC keys, but am having problems with CSRs. Perhaps I'm doing something wrong with this certutil command: certutil -R -s "CN=ectest, O=ectest, L=ectest, ST=ectest, C=US" -p "123-456-78

Re: ECC DER Signing

2010-01-14 Thread Robert Relyea
On 01/14/2010 01:36 PM, Kai Chan wrote:
> Hi,
>
> NSS has ECDSA with SHA1 enabled in SEC_DERSignData() in secsign.c (
> http://mxr.mozilla.org/security/source/security/nss/lib/cryptohi/secsign.c),
> but will ECDSA with SHA256 and higher be supported in the future? Or is
> this something as simple

Re: ECC DER Signing

2010-01-14 Thread Wan-Teh Chang
2010/1/14 Kai Chan :
> Hi,
>
> NSS has ECDSA with SHA1 enabled in SEC_DERSignData() in secsign.c
> (http://mxr.mozilla.org/security/source/security/nss/lib/cryptohi/secsign.c),
> but will ECDSA with SHA256 and higher be supported in the future? Or is
> this something as simple as adding to the swi

ECC DER Signing

2010-01-14 Thread Kai Chan
Hi, NSS has ECDSA with SHA1 enabled in SEC_DERSignData() in secsign.c ( http://mxr.mozilla.org/security/source/security/nss/lib/cryptohi/secsign.c), but will ECDSA with SHA256 and higher be supported in the future? Or is this something as simple as adding to the switch statement, since the other