+1 It's possible to sign a message with an S/MIME ECC cert, not encrypt it
with an ECC key though. Is there no plan to support elliptic curve
cryptography any time soon?
On 30/05/14 19:55, Jonathan Schulze-Hewett wrote:
Another bit of oddness. I can put the PKCS#11 device into "read only" mode
where it only supports CKS_RO_PUBLIC_SESSION and CKS_RO_USER_FUNCTIONS
states and asserts the CKF_WRITE_PROTECTED flag. In this state Firefox
attempts to call C_CreateObjec
On 05/30/2014 11:55 AM, Jonathan Schulze-Hewett wrote:
> Another bit of oddness. I can put the PKCS#11 device into "read only" mode
> where it only supports CKS_RO_PUBLIC_SESSION and CKS_RO_USER_FUNCTIONS
> states and asserts the CKF_WRITE_PROTECTED flag. In this state Firefox
> attempts to call C_
Another bit of oddness. I can put the PKCS#11 device into "read only" mode
where it only supports CKS_RO_PUBLIC_SESSION and CKS_RO_USER_FUNCTIONS
states and asserts the CKF_WRITE_PROTECTED flag. In this state Firefox
attempts to call C_CreateObject to create an ECC public key on the device
which fa
Bob,
Thank you for the reply. We first noticed this in Firefox version 24.3.0 ESR
but we can duplicate the issue in the latest version (29.0.1) as well.
The curve involved in the TLS session is secp256r1. The token supports this
curve as well as the other NIST curves.
Sincerely,
Jonathan
On 05/30/2014 07:47 AM, Jonathan Schulze-Hewett wrote:
> To whom it may concern,
>
> I have a PKCS#11 device that supports ECC operations. In particular
> C_GetMechanismList includes the following items:
>
> CKM_ECDH1_DERIVE
> CKM_ECDH1_COFACTOR_DERIVE
> CKM_EC_KEY_PAIR_GEN
> CKM_ECDSA
>
> The mod
On Wed, 20 Jan 2010, Kaspar Brand wrote:
On 20.01.2010 02:11, Wan-Teh Chang wrote:
With the nss-3.12.5-with-nspr-4.8.2.tar.gz tarball that you downloaded from Mozilla, you
have to build "Extended ECC" using the complicated procedure described in
http://pki.fedoraproject.org/wiki/ECC_Capable_NS
On 20.01.2010 02:11, Wan-Teh Chang wrote:
> With the nss-3.12.5-with-nspr-4.8.2.tar.gz tarball that you
> downloaded from Mozilla, you have to build "Extended ECC"
> using the complicated procedure described in
> http://pki.fedoraproject.org/wiki/ECC_Capable_NSS, and
> you have to use a third-party
On Wed, 20 Jan 2010, Wan-Teh Chang wrote:
2010/1/18 Kai Chan :
With the nss-3.12.5-with-nspr-4.8.2.tar.gz tarball that you downloaded from Mozilla, you
have to build "Extended ECC" using the complicated procedure described in
http://pki.fedoraproject.org/wiki/ECC_Capable_NSS, and you have to u
2010/1/18 Kai Chan :
> When building with both "NSS_ENABLE_ECC" and "NSS_ECC_MORE_THAN_SUITE_B"
> enabled, the build fails because of lib/freebl/ecl/ecl-curve.h:
> #ifdef NSS_ECC_MORE_THAN_SUITE_B
> #error This source file is for Basic ECC only .
> #endif
>
> I guess this is the extent
Hi,
I'm building the 3.12.5 with NSPR .tgz from Mozilla FTP on a Fedora system.
Yeah, I noticed this was a problem before, but I was fine with just NISTP256
to 521 except you're saying the previous command won't work in Basic ECC
mode. Wait, you said RPM, as in not building from source from Mozil
On 1/15/2010 4:21 PM, Kai Chan wrote:
certutil -R -s "CN=ectest, O=ectest, L=ectest, ST=ectest, C=US" -p
"123-456-7890" -o ectest.req -d . -k ec -q nistp256 -Z SHA256
That command works for me. Are you trying this on a Red Hat or Fedora
system? If so, compiling NSS with extended ECC support
When building with both "NSS_ENABLE_ECC" and "NSS_ECC_MORE_THAN_SUITE_B"
enabled, the build fails because of lib/freebl/ecl/ecl-curve.h:
#ifdef NSS_ECC_MORE_THAN_SUITE_B
#error This source file is for Basic ECC only .
#endif
I guess this is the extent softoken can be used? Then the ce
Hi,
I take it "Extended ECC" is the additional option of
"NSS_ECC_MORE_THAN_SUITE_B"? I tried NSS 3.12.5 with NSPR 8.2 with only
that option and "NSS_ENABLE_ECC", so it's using softoken. Unfortunately,
still getting the same error. Here's the command again in case I made a
mistake:
certutil -R
Kai,
In NSS builds marked as "Basic ECC", ECC may be
used only for TLS/SSL. So it's possible that certutil cannot
generate CSRs when the "Basic ECC" version of NSS
is used.
In NSS builds marked as "Extended ECC", certutil
should be able to generate CSRs. If not, it's a bug.
You can read this w
Yes, it's pointing to the ECC-enabled NSS. I am able to generate EC keys
using:
certutil -G -d . -k ec -q nistp256
However, no luck with EC certificate requests with and without specifying
the hash.
Thanks,
Kai
On Thu, Jan 14, 2010 at 7:46 PM, Kyle Hamilton wrote:
> Are you certain that certu
Are you certain that certutil is using the version of the NSS library
that has ECC support compiled in? Most *nixes have a command called
'ldd' or such that will print the list of dynamic libraries that an
executable depends on, as well as what files the system is using to
match them.
Windows has
Correction: certutil -R -s "CN=ectest, O=ectest, L=ectest, ST=ectest, C=US"
-p "123-456-7890" -o ectest.req -d . -k ec -q nistp256 -Z SHA256
During the parameter parsing in certutil_main() in cmd/certutil/certutil.c,
the '-Z' option should call SECU_StringToSignatureAlgTag() in
cmd/lib/secutil.c a
Thank you both for your responses. Yes, you are correct. I've compiled NSS
with "NSS_ENABLE_ECC" and I can make EC keys, but am having problems with
CSRs. Perhaps I'm doing something wrong with this certutil command:
certutil -R -s "CN=ectest, O=ectest, L=ectest, ST=ectest, C=US" -p
"123-456-78
On 01/14/2010 01:36 PM, Kai Chan wrote:
> Hi,
>
> NSS has ECDSA with SHA1 enabled in SEC_DERSignData() in secsign.c (
> http://mxr.mozilla.org/security/source/security/nss/lib/cryptohi/secsign.c),
> but will ECDSA with SHA256 and higher be supported in the future? Or is
> this something as simple
2010/1/14 Kai Chan :
> Hi,
>
> NSS has ECDSA with SHA1 enabled in SEC_DERSignData() in secsign.c
> (http://mxr.mozilla.org/security/source/security/nss/lib/cryptohi/secsign.c),
> but will ECDSA with SHA256 and higher be supported in the future? Or is
> this something as simple as adding to the swi
On Mon, Sep 28, 2009 at 3:12 AM, Konstantin Andreev wrote:
> Hello.
>
> As repeatedly answered in this conference (see links below), EC signing is
> not supported by NSS because of patent issues.
> Specifically,
> http://mxr.mozilla.org/security/source/security/nss/lib/cryptohi/secsign.c#92
> :
>
Nelson B Bolyard wrote:
tstclnt is able to support protocols in which the client speaks first,
and protocols in which the server speaks first. By default, it supports
protocols in which the server speaks first. To make it support protocols
in which the client speaks first, use the -f command li
David Stutzman wrote, On 2009-02-23 08:00:
> Using NSS 3.12.2 RTM or NSS 3.11.4 RTM, I get:
> org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed:
> (-12286) Cannot communicate securely with peer: no common encryption
> algorithm(s).
> Stepping back and eliminating JSS, I get simi
ps_mitrofa...@mail.ru wrote:
Freebl3.dll works fine )
err. I highly suggest you do not go that route. NSS does not guarantee
the freebl3 interface as a stable interface. Your app may break when new
versions of NSS are installed.
Let me make this perfectly, crystal-clear. Freebl3.dll is a
Freebl3.dll works fine )
ps_mitrofa...@mail.ru wrote:
Hi. I've got a problem.
I need to use NSS freebl3.dll ECC-functions (for ECDH).
The first and most obvious question... Why?
freebl3.dll is a private NSS DLL. NSS does not support applications
using its functions directly, and doing so would be a good way to have
y
On Tue, Mar 11, 2008 at 10:33 AM, Rick Andrews <[EMAIL PROTECTED]> wrote:
>
> It appears that Suite B ECC was included in Firefox 2 (http://
> developer.mozilla.org/en/docs/Security_in_Firefox_2), but I haven't
> been able to find any indication that it will remain in Firefox 3. Can
> I safely
On Mar 5, 11:20 am, Jean-Marc Desperrier <[EMAIL PROTECTED]> wrote:
> Andrews, Rick wrote:
> > VeriSign has a number of root certificates (not just EV certs) pending
> > approval to be included in the trust store. It's pretty important to us
> > that all these roots make it into FF3.
>
> > Can anyo
29 matches