<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.comp.mozilla.crypto">
    <title>gmane.comp.mozilla.crypto</title>
    <link>http://blog.gmane.org/gmane.comp.mozilla.crypto</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.mozilla.crypto/16762"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.mozilla.crypto/16757"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.mozilla.crypto/16754"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.mozilla.crypto/16742"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.mozilla.crypto/16731"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.mozilla.crypto/16719"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.mozilla.crypto/16680"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.mozilla.crypto/16669"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.mozilla.crypto/16666"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.mozilla.crypto/16665"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.mozilla.crypto/16664"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.mozilla.crypto/16655"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.mozilla.crypto/16653"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.mozilla.crypto/16650"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.mozilla.crypto/16649"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.mozilla.crypto/16644"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.mozilla.crypto/16643"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.mozilla.crypto/16642"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.mozilla.crypto/16639"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.mozilla.crypto/16629"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://comments.gmane.org/gmane.comp.mozilla.crypto/16762">
    <title>About NSS Confused.</title>
    <link>http://comments.gmane.org/gmane.comp.mozilla.crypto/16762</link>
    <description>&lt;pre&gt;Hi all.
I want to call the P11 module through NSS.
So I have some questions.
1. Where can I download the PKCS #11 Conformance Testing?
2. How do I compile NSS? Is there a detailed guidance document?
3. Other browsers, such as Chrome, also support NPAPI; how do they call the
P11 module, also through NSS?
4. What are the advantages of the NSS call P11 NPAPI?

Thanks.
There is little information about Firefox in Chinese.
If there is something wrong, please forgive me.
&lt;/pre&gt;</description>
    <dc:creator>chu wang</dc:creator>
    <dc:date>2012-05-14T05:38:14</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.mozilla.crypto/16757">
    <title>NSS 3.12.5.0: Error '-8152' (SEC_ERROR_INVALID_KEY) when connecting to ssl-enabled servers</title>
    <link>http://comments.gmane.org/gmane.comp.mozilla.crypto/16757</link>
    <description>&lt;pre&gt;Hi experts, an OpenAM community member is using OpenAM policy agent to 
connect to an ssl-secured server.

The policy agent uses NSPR 4.8.2, NSS 3.12.5.0 optimized build for Linux 
(RHEL) 64bit.

If the agent tries to open a connection to a specific, ssl-enabled 
OpenAM server, error '-8152' is raised.

What might be the root-cause for this error?

Could I get some additional output from an optimized build or do I 
really need a 'DEBUG' build to leverage NSS environment variables 
(https://developer.mozilla.org/en/NSS_reference/NSS_environment_variables)?

Interestingly the same agent can connect to other ssl-enabled servers.

Unfortunately the community member will / can not provide a network 
trace showing the handshake messages.

TIA,
Bernhard

&lt;/pre&gt;</description>
    <dc:creator>Bernhard Thalmayr</dc:creator>
    <dc:date>2012-05-08T11:53:45</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.mozilla.crypto/16754">
    <title>Provide own CA</title>
    <link>http://comments.gmane.org/gmane.comp.mozilla.crypto/16754</link>
    <description>&lt;pre&gt;Hi,

I posted my issue on Thunderbird-Enterprise before and Ludovic Hirlimann 
sent me here.

I created my own CA and put the cert in cert8.db by GUI in Thunderbird 
10 ESR.
As far as I understand it, the way to go is to put the corresponding 
cert8.db file in defaults/profile in the program directory. (Which works 
for mimetypes.rdf.)

From what I tested it does not work. On a blank profile cert8.db is 
always the original file, my CA is never included.
If I copy back cert8.db by hand, the CA is in there. So the file itself 
is fine, but it seems to be never used.

What did I do wrong?


Marc
&lt;/pre&gt;</description>
    <dc:creator>Marc Patermann</dc:creator>
    <dc:date>2012-05-07T16:20:13</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.mozilla.crypto/16742">
    <title>Importing public and private keys into nss</title>
    <link>http://comments.gmane.org/gmane.comp.mozilla.crypto/16742</link>
    <description>&lt;pre&gt;Hi,
I've tested encryption, decryption, signing and verification with public (NSSLOWKEYPublicKey) and private keys (NSSLOWKEYPrivateKey) in low level.

However, now I have public/private keys in the below format:

-----BEGIN RSA PUBLIC KEY-----
MIGHAoGBAK12Da7PWjz1Yf01Hp2gaRxBWU2lXchh/lGaQI05JusLgI38DSN2ZPW5
x6Ff6ZOztEb9sc6oz7NdrZy68Veb+tcD/3A6qZRUUDAW0aFOJZIcl0U+IZXvguqa
TxSRDTvBwqCp44PaWYiwtdP5vnjfPXFgHLLMvM7yzOedRttDNpYDAgED
-----END RSA PUBLIC KEY-----


-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----


My question is, Is there a way that I can make these suitable for NSSLOWKEYPublicKey and NSSLOWKEYPrivateKey structures?

Thanks,
Vejey
&lt;/pre&gt;</description>
    <dc:creator>VJ</dc:creator>
    <dc:date>2012-04-30T09:22:59</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.mozilla.crypto/16731">
    <title>Trying to build CMS signed data message with no content</title>
    <link>http://comments.gmane.org/gmane.comp.mozilla.crypto/16731</link>
    <description>&lt;pre&gt;Hi all,

I'm stuck on a problem I'm hoping someone can help me out with.  I'm 
trying to create a CMS signed data message with the eContent omitted. 
When I pass zero-length data into NSS_CMSEncoder_Update() (null pointer, 
empty string, doesn't seem to matter) I end up getting 
SEC_ERROR_DIGEST_NOT_FOUND when NSS_CMSEncoder_Finish() is called.  If I 
include even 1 byte of data, then everything seems to work just fine.

Is there a way to get the encoder to honor the optional nature of 
eContent?  Am I just missing a step or call somewhere?

Any suggestions would be greatly appreciated.  I'm stumped.

Thank you,
Jamil
&lt;/pre&gt;</description>
    <dc:creator>Jamil Nimeh</dc:creator>
    <dc:date>2012-04-25T02:06:45</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.mozilla.crypto/16719">
    <title>Deadlock in firefox when using pkcs#11 tokens of different brands on the same card reader</title>
    <link>http://comments.gmane.org/gmane.comp.mozilla.crypto/16719</link>
    <description>&lt;pre&gt;Hello,

First, please accept my apologies if I am not posting this message to the correct mailing list. We found a problem on firefox 3.5.3 on Windows XP when using two tokens of different brands (namely Gemalto and Oberthur) one after the other on the same card reader, which is indeed a very special setup. After inserting the token of the second type, firefox gets completely frozen. We are perfectly aware that firefox 3.5.3 is rather old, but we're a very large organization with thousands of workstations and cannot upgrade that easily. (Besides, we found that more recent versions actually had the same problem.)

We recompiled firefox3.5.3 in debug mode and got the following partial stack trace using WinDbg (attached) : 

We found that the problem was caused by locking the trust domain's cache in the add_cert_to_cache function in security/nss/lib/pki/tdcache.c and then again in nssTrustDomain_RemoveTokenCertsFromCache() (same source file). Unfortunately, the graph of function calls in this module is rather complex, so I did the following poor man's hack (patch attached) : 

We added a lock_owner field in the nssTDCertificateCacheStr structure. In add_cert_to_cache, just after the lock, we set the lock_owner to PR_getCurrentThread() just after the call to PZ_Lock() and then back to NULL just before the call to PZ_Unlock(). This allows us to test in nssTrustDomain_RemoveTokenCertsFromCache if the lock is already taken by us. This patch is not clean at all because lock_owner should be set after every call to PZ_Lock(). Besides, I am not a specialist of multi-thread programming, so I am not completely sure that there is not a huge flaw in that logic, but after this fix, our setup is working correctly.

Best Regards, 
Luke
nss3!nssTrustDomain_RemoveTokenCertsFromCache+0x60
nss3!nssToken_NotifyCertsNotVisible+0x13
nss3!nssSlot_IsTokenPresent+0x236
nss3!nssSlot_GetToken+0xc
nss3!nssTrustDomain_FindTrustForCertificate+0x63
nss3!nssTrust_GetCERTCertTrustForCert+0x22
nss3!fill_CERTCertificateFields+0x262
nss3!stan_GetCERTCertificate+0x15b
nss3!STAN_GetCERTCertificate+0xe
nss3!nssCertificate_GetDecoding+0x1d
nss3!nssCertificate_SubjectListSort+0x1b
nss3!nsslist_add_element+0x8b
nss3!nssList_AddUnique+0x62
nss3!add_subject_entry+0x5b
nss3!add_cert_to_cache+0x14f
nss3!nssTrustDomain_AddCertsToCache+0x3f
nss3!cert_createObject+0x2d
nss3!nssPKIObjectCollection_AddInstanceAsObject+0x40
nss3!collector+0x17
nss3!nssToken_TraverseCertificates+0x2bb
nss3!NSSTrustDomain_TraverseCertificates+0x124
nss3!CERT_GetCertNicknames+0xa9
nss3!CERT_FindUserCertsByUsage+0x44
pipnss!nsNSS_SSLGetClientAuthData+0x136
ssl3!ssl3_HandleCertificateRequest+0x3d3
ssl3!ssl3_HandleHandshakeMessage+0x473
ssl3!ssl3_HandleHandshake+0x1c8
ssl3!ssl3_HandleRecord+0x5f8
ssl3!ssl3_GatherCompleteHandshake+0xbb
ssl3!ssl_GatherRecord1stHandshake+0x7b
ssl3!ssl_Do1stHandshake+0x21d
ssl3!ssl_SecureSend+0x1c5
ssl3!ssl_SecureWrite+0x16
ssl3!ssl_Write+0xa3
pipnss!nsSSLThread::Run+0x161
nspr4!_PR_NativeRunThread+0xdb
nspr4!pr_root+0xd
MSVCR80D!beginthreadex+0x221
MSVCR80D!beginthreadex+0x1c7
kernel32!GetModuleFileNameA+0x1ba

&lt;/pre&gt;</description>
    <dc:creator>tontonflingueur005-mozilla&lt; at &gt;yahoo.fr</dc:creator>
    <dc:date>2012-04-20T15:42:47</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.mozilla.crypto/16680">
    <title>JSS SSLTest.java hanging while reading response from server</title>
    <link>http://comments.gmane.org/gmane.comp.mozilla.crypto/16680</link>
    <description>&lt;pre&gt;
I've been working with the SSLTest.java class found here connecting to a
tomcat5 application server:
http://mxr.mozilla.org/mozilla/source/security/jss/org/mozilla/jss/ssl/SSLTest.java

My issue is, my client seems to hang here on line 105 to read that the
server is done writing the response:
104         byte[] inbuf = new byte[256];
105         while( (numRead = is.read(inbuf)) != -1 ) {
106             System.out.print( new String(inbuf, 0, numRead, "UTF-8"));
107         }

The client hangs for almost exactly a minute before continuing. After the
hang, the client does receive the entire response from the server.

If I change line 105 to read only a fixed number of bytes (say the number of
bytes expected in the response from the server), the client receives the
response and proceeds instantaneously. A wireshark dump reveals that the
client is prematurely ending the session.

Is there configuration, on the SSLTest client or the tomcat server, that I
can tweak to make this transaction proceed elegantly?

Any insight would be great,
pwr



&lt;/pre&gt;</description>
    <dc:creator>praspa</dc:creator>
    <dc:date>2012-04-10T19:52:23</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.mozilla.crypto/16669">
    <title>NSS 3.13.4</title>
    <link>http://comments.gmane.org/gmane.comp.mozilla.crypto/16669</link>
    <description>&lt;pre&gt;The NSS team has released NSS 3.13.4

CVS tag: NSS_3_13_4_RTM
ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_13_4_RTM/

Please refer to https://bugzilla.mozilla.org/show_bug.cgi?id=741135
for the list of changes contained in this update.

Kai

&lt;/pre&gt;</description>
    <dc:creator>Kai Engert</dc:creator>
    <dc:date>2012-04-06T15:56:15</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.mozilla.crypto/16666">
    <title>JSSMessageDigest</title>
    <link>http://comments.gmane.org/gmane.comp.mozilla.crypto/16666</link>
    <description>&lt;pre&gt;Hello,

The Mozilla api documentation shows that org.mozilla.jss.crypto.JSSMessageDigest class has been deprecated.

How can I create a SHA1 hash using JSS?

Thanks.

-Paula 
&lt;/pre&gt;</description>
    <dc:creator>Paula Decker</dc:creator>
    <dc:date>2012-04-03T20:15:35</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.mozilla.crypto/16665">
    <title>JSSMessageDigest</title>
    <link>http://comments.gmane.org/gmane.comp.mozilla.crypto/16665</link>
    <description>&lt;pre&gt;
Hello,

The Mozilla api documentation shows that
org.mozilla.jss.crypto.JSSMessageDigest class has been deprecated.

How can I create a SHA1 hash using JSS?

Thanks.

-Paula

&lt;/pre&gt;</description>
    <dc:creator>pdecker</dc:creator>
    <dc:date>2012-04-03T20:13:59</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.mozilla.crypto/16664">
    <title>Add other signed attributes in CMS</title>
    <link>http://comments.gmane.org/gmane.comp.mozilla.crypto/16664</link>
    <description>&lt;pre&gt;Hello all,

I was wondering if folks know the best way to add additional signed 
attributes to CMS signed data messages.  I see in cms.h there's a 
NSS_CMSSignerInfo_AddAuthAttr function, but it doesn't appear to be 
exported (at least, I get undefined reference errors when I try to use it).

I'm trying to add signed attributes for SCEP messages (like sender and 
recipient nonces, transaction IDs, etc.).

Any suggestions on the best way to accomplish this?

Thank you,
Jamil
&lt;/pre&gt;</description>
    <dc:creator>Jamil Nimeh</dc:creator>
    <dc:date>2012-04-03T00:08:08</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.mozilla.crypto/16655">
    <title>CMS Message parsing/generation for SCEP</title>
    <link>http://comments.gmane.org/gmane.comp.mozilla.crypto/16655</link>
    <description>&lt;pre&gt;Hello NSS gurus,

I'm trying to write an application that can create and parse SCEP 
PKCSReq and CertRep SCEP messages.  I am running into two problems that 
I'm not sure how to tackle using the public interfaces.

1. How do I set other Signed Attributes in a signed-data object aside 
from the predefined attributes already provided in cms.h?  Specifically 
I'm trying to set SCEP attributes (e.g. pkiStatus, messageType, senderNonce, 
etc.).  I see NSS_CMSSignerInfo_AddAuthAttr() but when I tried calling 
it it gave me an unresolved symbol error...is it an exported function? 
If not, are there any recommended ways to set custom Signed Attributes?

2. Is there a way to get CMS objects that come from self-signed sources 
to validate?  I get why normally one would not want to accept such a 
signature.  SCEP does allow for this case though during initial 
enrollment, so I'm trying to cover it.  I've tried adding the 
self-signed cert into the temp Cert DB and while that alone worked, it 
didn't seem to validate no matter what I've tried (even tried changing 
trust settings and that didn't get me very far).  If I use a 
non-self-signed cert that chains to a CA that I have trusted in my 
certdb, things work...so I think I've got the general decoding correct. 
  I just can't get the weird self-signed case to fly.

I was hoping there was a way to get the signed object to validate 
similar to what can be done with OpenSSL on the command-line using the 
"-noverify" option.  The cert used to sign the object I'm taking in is 
pretty unremarkable; no extensions, 1 year validity, RSA/2048 bit 
key...all pretty standard stuff.

Any suggestions are welcome.

Thank you,
Jamil Nimeh
&lt;/pre&gt;</description>
    <dc:creator>Jamil Nimeh</dc:creator>
    <dc:date>2012-04-03T16:26:30</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.mozilla.crypto/16653">
    <title>To NSS-Java or not to NSS-Java, that's the question.</title>
    <link>http://comments.gmane.org/gmane.comp.mozilla.crypto/16653</link>
    <description>&lt;pre&gt;Hi all [Opening my pandora...].

A few months ago we started having problems with NSS (and OSX):

-Cannot load NSS libs from applet on Firefox 4 on MacOSX
    http://forums.mozillazine.org/viewtopic.php?f=38&amp;amp;t=2165273
-Firefox 4 bad initialize on Mac OSX 10.6.7 This cause wrong
java.library.path, user.dir and @executable_path for Java libraries
(NSS/JSS)
    https://bugzilla.mozilla.org/show_bug.cgi?id=654939
-Use @loader_path instead of @executable_path in internal name of
dylibs (Fix OSX support of Java-NSS)
    https://bugzilla.mozilla.org/show_bug.cgi?id=578751

IMHO, this is something that needs some clarification, as Mozilla *IS*
supporting it, developing JSS, but at the same time saying "we do not
support it", and other options don't work properly due to some bugs
that need to be fixed...or not. Google Chrome works well and is taking
some advantage of this feature (too).
If we want Firefox to be used widely in business/enterprise, then it
will be necessary to take an "official position", so PLEASE answer or
discuss the following:

-Does mozilla *WANT* Java to use certificates stored on NSS to do
document signing?
-What about Java applets?
-Is mozilla going to *AVOID* Java using certificates, or consider this
as an "undocumented/undesired behaviour"?
-What about Java applets?
-Is supporting this (or document signing with XAdES or any other advanced
systems) one of mozilla's targets?
-Will patches which fix these issues be merged (if correct) in branch, or
will they be marked as WONTFIX?

We don't want to rely on "undocumented/undesired" behaviour, and would
like to discuss what the "official opinion" on this is.

Consider the following example:
    Signing a document with XAdES format with a certificate stored on NSS.
Can it be done? How should it be done?
&lt;/pre&gt;</description>
    <dc:creator>helpcrypto helpcrypto</dc:creator>
    <dc:date>2012-04-03T08:18:33</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.mozilla.crypto/16650">
    <title>NSS Secmod.db content ??? (maybe same for cert8.db/key3.kb)</title>
    <link>http://comments.gmane.org/gmane.comp.mozilla.crypto/16650</link>
    <description>&lt;pre&gt;Hello, this is a question for the NSPR/NSS guys.

A few days ago, while having a problem parsing secmod.db contents we found:
    http://stackoverflow.com/questions/2873581/is-it-possible-to-access-a-bdb-from-pure-java
and also:
    http://sethi.org/tmp/ssh/src/com/mindbright/bdb/DBHash.java
which helped us a lot parsing the secmod.db file to get the modules
installed on Firefox.

As the Secmod Java object is not running properly on OSX, this (parsing)
is what we are going to use for now.
According to these sources, this is how the secmod.db file is organized:

    /**
     * (from page.h in dbm)
     * page format:
     *          +------------------------------+
     *        p | n | keyoff | datoff | keyoff |
     *          +------------+--------+--------+
     *          | datoff | free  |  ptr  | --&amp;gt; |
     *          +--------+---------------------+
     *          |       F R E E A R E A        |
     *          +--------------+---------------+
     *          |  &amp;lt;---- - - - | data          |
     *          +--------+-----+----+----------+
     *          |  key   | data     | key      |
     *          +--------+----------+----------+
     *
     * Pointer to the free space is always:  p[p[0] + 2]
     * Amount of free space on the page is:  p[p[0] + 1]
     */

For example, running the program we got (more or less) this output:

magic: 398689
version: 2
lorder: 1234
nkeys: 2
key:
NSS Internal PKCS #11 Module
data:
060322-27100000000000075000100000100000287883833273110116101114110971083280756783323549493277111100117108101002-9399111110102105103100105114613967589292687967857769126499292656877737873126499292686584798368126499292771111221051081089792927010511410110211112092928011411110210510810111592927475668081861264946686970393299101114116801141011021051206139393210710112180114101102105120613939321151019910911110061391151019910911110046100983932102108971031156111111211610510910512210183112979910132117112100971161011001051146139393211711210097116101671011141168011410110210512061393932117112100971161017510112180114101102105120613939321171121009711610110510061393932117112100971161018411110710111068101115991141051121161051111106139393232109971101171029799116117114101114736861397711112210510810897461111141
 0339321081059811497114121681011159911410511211610511111061398310111411846329911410511211611110311497102-61-83973210511011610111411097328083773932991141211121161118411110710111068101115991141
 0511211610511111061398310111411846329911410511211611110311497102-61-839732103101110-61-871141059911111539321009884111107101110681011159911410511211610511111061396810511511246321151111021161199711410132100101321151011031171141051009710039329911412111211611183108111116681011159911410511211610511111061398310111411810599105111115321001013299105102114971001113210511011610111411011132808377393210098831081111166810111599114105112116105111110613967108971181011153211211410511897100971153210010110832808377393270738083831081111166810111599114105112116105111110613968105115112463211510110311711410510097100321151111021161199711410132407073808341393270738083841111071011106810111599114105112116105111110613983101114118105991051111153299114105112116111103114-61-951021059911111544321001013299108971181013212
 132991011141161051021059997100111327073808332495248393210910511080836148010001-96363610003000000000000000000000
data len: 775
key:
DNIe
data:
060320750000000000000500000000000000468787310103367589287737868798783921151211151161011095150928511511480107991154949461001081080000
data len: 77

But we haven't been able to find any doc about what is the
schema/organization for the internal values.

For example:
    060320750000000000000500000000000000468787310103367589287737868798783921151211151161011095150928511511480107991154949461001081080000
Can be matched to...
060320 = ???
750000000000000500000000000000 = ???
4 = length of name
687873101 0 = DNIe (\0?)
33 = length of path
6758928773786879878392115121115116101109515092851151148010799115494946100108108
0 =C:\Windows\...UsrPkcs11.dll (\0?)
0000 = ???

What are the bytes at the beginning or end?
Other PKCS#11 modules can have some extra bytes after the name...where
do they come from?

And when reading "NSS Internal PKCS #11 Module" we get:
060322 = ???
-27100000000000075000100000100000 = ??? (negative must be overflow)
28 = length name
7883833273110116101114110971083280756783323549493277111100117108101 =
NSS Internal PKCS #11 Module
002-939911111010210... = ??? (It's configdir='C:\Documents..., but who
decides to store that in there? )

How is this stored?

Is there a better method (for java this time) to get the installed
PKCS#11 modules on Firefox, rather than parsing?
Is there javascript code to get the list of installed modules? (AFAIK,
only add or delete can be used)

Thanks a lot for your time (and reading until here)
&lt;/pre&gt;</description>
    <dc:creator>helpcrypto helpcrypto</dc:creator>
    <dc:date>2012-03-29T09:16:44</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.mozilla.crypto/16649">
    <title>Certificate verification regression in NSS 3.13.2</title>
    <link>http://comments.gmane.org/gmane.comp.mozilla.crypto/16649</link>
    <description>&lt;pre&gt;If you maintain the NSS package in an OS distribution, please read this
announcement.

NSS 3.13.2 has a regression when we removed the support for Netscape
international step-up certificates.  The bug report for this regression
is NSS bug 737802 (https://bugzilla.mozilla.org/show_bug.cgi?id=737802).

This bug affects the CERT_PKIXVerifyCert function, which is based on
libpkix.  The "classic" NSS certificate verification functions, such
as CERT_VerifyCert and CERT_VerifyCertificate, are not affected unless
they have been configured to use libpkix internally by using either the
NSS_ENABLE_PKIX_VERIFY environment variable or the
CERT_SetUsePKIXForValidation function.

I will make an NSS 3.13.4 release soon to fix this regression.  In the
meantime, you can apply the patch in NSS bug 737802 to the NSS source
tree.  The URL for the patch is
https://bug737802.bugzilla.mozilla.org/attachment.cgi?id=608587

Thanks to Rob Stradling of Comodo for reporting the bug and providing a
patch.

Wan-Teh Chang
&lt;/pre&gt;</description>
    <dc:creator>Wan-Teh Chang</dc:creator>
    <dc:date>2012-03-28T20:34:00</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.mozilla.crypto/16644">
    <title>cert8.db rewrite reasons and exceptions?</title>
    <link>http://comments.gmane.org/gmane.comp.mozilla.crypto/16644</link>
    <description>&lt;pre&gt;Hi all.

Due to some problems using Thunderbird ESR, we have found the following,
and would like to ask the experts...

We have noticed Thunderbird 10.3 (probably older versions too)
"rewrites" cert8.db each time it closes. The file is the same, but
the modified date has changed.
 - Is this normal?
 - Is there a technical/security reason?

More tests have shown cert8.db is not modified/rewritten after adding
our PKCS#11 module in secmod.db. (!)
Our PKCS#11 has been working OK for a long time without any problems, but
there must be something wrong in here to prevent the "default
behaviour", right?
Why is this happening?

Going to test on a debug environment to get some traces.
&lt;/pre&gt;</description>
    <dc:creator>helpcrypto helpcrypto</dc:creator>
    <dc:date>2012-03-27T07:18:05</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.mozilla.crypto/16643">
    <title>Alternative for SGN_DecodeDigestInfo</title>
    <link>http://comments.gmane.org/gmane.comp.mozilla.crypto/16643</link>
    <description>&lt;pre&gt;I'm trying to use RSA_HashCheckSign() function to verify the message.
I found that it's using the SGN_DecodeDigestInfo() function to decode the
digest using the SEC_QuickDERDecodeItem() function.
My understanding is that SEC_QuickDERDecodeItem() takes the
sgn_DigestInfoTemplate array, which is loaded from a DLL (is that right?)
If so, where can I find the source code for that dll?

Is there any other alternative method in NSS to decode the digest /
RSA verification?

Regards,
Vejey
&lt;/pre&gt;</description>
    <dc:creator>VJ</dc:creator>
    <dc:date>2012-03-24T22:05:32</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.mozilla.crypto/16642">
    <title>Java Applet NSS Secmod PKCS11 modules OSX 10.6 = FileNotFoundException libnss3.jnilib</title>
    <link>http://comments.gmane.org/gmane.comp.mozilla.crypto/16642</link>
    <description>&lt;pre&gt;Hello all.

During a refactor of our crypto applet, we have found an issue on OSX
10.6 (more OSes pending to try), and I'd like to know if we're doing the
correct things.
Before this refactor, we were parsing secmod.db to get all pkcs11
modules configured on NSS (we did it, although we got some which were
already removed !?).

Do you know a proper way of getting pkcs11 modules configured on firefox?
Is there an "official" way in java?
Is there any documentation on how the modules are stored on secmod, or
if there's any flag to mark enabled, or...? (to help parsing)

Before doing all that, we also used JSS, but it was problematic and some
people suggested not to use it for Applets.

Anyway, we found the sun.security.pkcs11.Secmod class and became very
happy at first. Quite soon, that happiness disappeared, because it
doesn't work as expected.

On OSX 10.6, this is what happens:

        nssDir="/Applications/Firefox.app/Contents/MacOS";
        profile="/Users/user/Library/Application Support";
        Secmod secmod = Secmod.getInstance();
        try {
            if (!secmod.isInitialized()) {
                secmod.initialize(profile, nssDir); //exception raised here
            }
            for (int i = 0; i &amp;lt; secmod.getModules().size(); i++) {
                Secmod.Module mod = secmod.getModules().get(i);
                System.out.println("Library: "+mod.getLibraryName());
        //...

java.io.FileNotFoundException:
/Applications/Firefox.app/Contents/MacOS/libnss3.jnilib
at sun.security.pkcs11.Secmod.initialize(Secmod.java:169)
at sun.security.pkcs11.Secmod.initialize(Secmod.java:143)

Looking a bit at the code at [1] we have noticed:
 -The System.mapLibraryName returns "libnss3.jnilib", although it
doesn't exist. libnss3.dylib exists and a "file" command shows it's a
valid i386+x86_64 library.
 -If a symlink is created, the code still fails with an "image not
found error", because it is not able to find @executable_name/libnss3.dylib
(which exists). Why is this not set to @loader_path???

On Windows, for example, all this works, although the Module class
seems badly implemented, because getLibraryName() returns
"D:\Users\User\Desktop\Mozilla
Firefox\C:\Windows\SysWOW64\ourpkcs11.dll"

Should we connect to NSS using slot+library...instead of nssModule =
keystore on our sunPKCS11 config files?
Should we parse the secmod file instead of using the Secmod class?
Do sunPKCS11 configs accept whitespace?

Thanks a lot for your patience and help.

[1] http://www.docjar.com/html/api/sun/security/pkcs11/Secmod.java.html
&lt;/pre&gt;</description>
    <dc:creator>helpcrypto helpcrypto</dc:creator>
    <dc:date>2012-03-21T12:05:38</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.mozilla.crypto/16639">
    <title>Implementation of C_Encrypt function</title>
    <link>http://comments.gmane.org/gmane.comp.mozilla.crypto/16639</link>
    <description>&lt;pre&gt;I'm porting all RSA encryption from the nss library.
I'm a newbie; may I know where the C_Encrypt function under the
pk11_PubEncryptRaw() function is implemented?
Also, I would like to know if anyone has ever ported only RSA related
functions?

Regards,
Vejey
&lt;/pre&gt;</description>
    <dc:creator>VJ</dc:creator>
    <dc:date>2012-03-10T20:23:24</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.mozilla.crypto/16629">
    <title>Problem with intermediate CAs</title>
    <link>http://comments.gmane.org/gmane.comp.mozilla.crypto/16629</link>
    <description>&lt;pre&gt;Hello,

I bought a code signing certificate from DigiCert, but then stumbled over
this one:

https://bugzilla.mozilla.org/show_bug.cgi?id=321156

I can't be the first, so I wonder if there are any workarounds since this
problem has not yet been fixed?

Regards,
Helge Bragstad


&lt;/pre&gt;</description>
    <dc:creator>Helge Bragstad</dc:creator>
    <dc:date>2012-03-09T10:15:24</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.mozilla.crypto/16628">
    <title>fyi: initial draft of "Ciphers in Use in the Internet" is now available</title>
    <link>http://comments.gmane.org/gmane.comp.mozilla.crypto/16628</link>
    <description>&lt;pre&gt;Of possible interest..


Subject: [Cfrg] Fwd: New Version Notification for
draft-irtf-cfrg-cipher-catalog-00.txt
From: David McGrew &amp;lt;mcgrew&amp;lt; at &amp;gt;cisco.com&amp;gt;
Date: Tue, 6 Mar 2012 07:05:24 -0500 (04:05 PST)
To: cfrg&amp;lt; at &amp;gt;irtf.org

Hi,

the initial version of "Ciphers in Use in the Internet" is now available at 
&amp;lt;http://tools.ietf.org/html/draft-irtf-cfrg-cipher-catalog-00&amp;gt;.   Sean and I 
ask for your review, constructive criticism, and input.    Some parts of the 
draft need more detail and organization, but it should be in sound enough shape 
for review.

If you have text to contribute, that would be appreciated, especially if you 
can supply citations for the more consequential statements.

regards,

David

Begin forwarded message:

 &amp;gt; From: internet-drafts&amp;lt; at &amp;gt;ietf.org
 &amp;gt; Subject: New Version Notification for draft-irtf-cfrg-cipher-catalog-00.txt
 &amp;gt; Date: March 5, 2012 8:35:57 PM EST
 &amp;gt; To: mcgrew&amp;lt; at &amp;gt;cisco.com
 &amp;gt; Cc: shenshuo&amp;lt; at &amp;gt;cnnic.cn
 &amp;gt;
 &amp;gt; A new version of I-D, draft-irtf-cfrg-cipher-catalog-00.txt has been
successfully submitted by David McGrew and posted to the IETF repository.
 &amp;gt;
 &amp;gt; Filename: draft-irtf-cfrg-cipher-catalog
 &amp;gt; Revision: 00
 &amp;gt; Title: Ciphers in Use in the Internet
 &amp;gt; Creation date: 2012-03-05
 &amp;gt; WG ID: Individual Submission
 &amp;gt; Number of pages: 63
 &amp;gt;
 &amp;gt; Abstract:
 &amp;gt;   This note catalogs the ciphers in use on the Internet, to guide users
 &amp;gt;   and standards processes.  It presents the security goals, security
 &amp;gt;   analysis and results, specification, intellectual property
 &amp;gt;   considerations, and publication dates of each cipher.  Background
 &amp;gt;   information and security guidance is provided as well.
 &amp;gt;
 &amp;gt; The IETF Secretariat





&lt;/pre&gt;</description>
    <dc:creator>=JeffH</dc:creator>
    <dc:date>2012-03-08T17:16:20</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.comp.mozilla.crypto">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.comp.mozilla.crypto</link>
  </textinput>
</rdf:RDF>

