gmane.comp.mozilla.crypto

About NSS Confused.

chu wang — 2012-05-14T05:38:14

Hi all.
I want to by the NSS calls the P11 module.
So I have some quessions.
1.PKCS #11 Conformance Testing where download.
2.How to compile NSS,Which have detailed guidance document?
3.Other browsers, such as chorme also supports NAPI, how to call the
P11, but also through the NSS?
4.What are the advantages of the NSS call P11 NPAPI?

Thanks.
Firefox Chinese little information.
If there is something wrong, please forgive me.

NSS 3.12.5.0: Error '-8152' (SEC_ERROR_INVALID_KEY) when connectingto ssl-enabled servers

Bernhard Thalmayr — 2012-05-08T11:53:45

Hi experts, an OpenAM community member is using OpenAM policy agent to 
connect to an ssl-secured server.

The policy agent uses NSPR 4.8.2, NSS 3.12.5.0 optimized build for Linux 
(RHEL) 64bit.

If the agent tries to open a connection to a specific, ssl-enabled 
OpenAM server, error '-8152' is raised.

What might be the root-cause for this error?

Could I get some additional output from an optimized build or do I 
really need a 'DEBUG' build to leverage NSS environment variables 
(https://developer.mozilla.org/en/NSS_reference/NSS_environment_variables)?

Interestingly the same agent can connect to other ssl-enabled servers.

Unfortunately the community member will / can not provide a network 
trace showing the handshake messages.

TIA,
Bernhard

Provide own CA

Marc Patermann — 2012-05-07T16:20:13

Hi,

I posted my issue on Thunderbird-Enterprise before and Ludovic Hirlimann 
sent me here.

I created an own CA and put the cert in cert8.db by GUI in Thunderbird 
10 ESR.
As far as I understand it, the way to go is to put the corresponding 
cert8.db file in defaults/profile in the program directory. (Which works 
for mimetypes.rdf.)

For what I tested it does not work. On a blank profile cert8.db is 
always the original file, my CA is never included.
If I copy back cert8.db by hand, the CA is in there. So the file itself 
is fine, but it seams to be never used.

What did I do wrong?


Marc

Importing public and private keys into nss

VJ — 2012-04-30T09:22:59

Hi,
I've tested encryption, decryption, signing and verification with public (NSSLOWKEYPublicKey) and private keys (NSSLOWKEYPrivateKey) in low level.

However, Now I have a public/private keys in the below format:

-----BEGIN RSA PUBLIC KEY-----
MIGHAoGBAK12Da7PWjz1Yf01Hp2gaRxBWU2lXchh/lGaQI05JusLgI38DSN2ZPW5
x6Ff6ZOztEb9sc6oz7NdrZy68Veb+tcD/3A6qZRUUDAW0aFOJZIcl0U+IZXvguqa
TxSRDTvBwqCp44PaWYiwtdP5vnjfPXFgHLLMvM7yzOedRttDNpYDAgED
-----END RSA PUBLIC KEY-----


-----BEGIN RSA PRIVATE KEY-----
MIICWwIBAAKBgQCtdg2uz1o89WH9NR6doGkcQVlNpV3IYf5RmkCNOSbrC4CN/A0j
dmT1ucehX+mTs7RG/bHOqM+zXa2cuvFXm/rXA/9wOqmUVFAwFtGhTiWSHJdFPiGV
74Lqmk8UkQ07wcKgqeOD2lmIsLXT+b543z1xYByyzLzO8sznnUbbQzaWAwIBAwKB
gHOkCR805tNOQVN4vxPARhLWO4kY6TBBVDZm1bN7b0ddAF6oCMJO7fkmhRY/8Q0i
eC9Ty98bNSI+c73R9jpn/I4+dSXO3HvILYfmIsnrVnbDwQgKlr2+/LBHXYFW91XK
5DJzb3nI2yEF4Khxk5UiQEppI4QcYu4ndOPRoyq4cFUbAkEA4JjkWdHG4KaixLXW
TTkgo1GdvNcbseCi4R2IqjlzIhoLFxMwLFEB30BwkCzLEDhxW8Pr2dErkL57OWaJ
hkmcTwJBAMW20yqNE8dlQXjnnB/qv1OkG3FoXZ8nP04lSeRgx+9SSeWpHQC/1Uik
Zr80Th

Trying to build CMS signed data message with no content

Jamil Nimeh — 2012-04-25T02:06:45

Hi all,

I'm stuck on a problem I'm hoping someone can help me out with.  I'm 
trying to create a CMS signed data message with the eContent omitted. 
When I pass zero-length data into NSS_CMSEncoder_Update() (null pointer, 
empty string, doesn't seem to matter) I end up getting 
SEC_ERROR_DIGEST_NOT_FOUND when NSS_CMSEncoder_Finish() is called.  If I 
include even 1 byte of data, then everything seems to work just fine.

Is there a way to get the encoder to honor the optional nature of 
eContent?  Am I just missing a step or call somewhere?

Any suggestions would be greatly appreciated.  I'm stumped.

Thank you,
Jamil

Deadlock in firefox when using pkcs#11 tokens of dffferent brands onthe same card readerr

2012-04-20T15:42:47

Hello,

First, please apologize if I am not posting this message to the corrrect mailing list. We found a problem on firefox 3.5.3 on Windows XP when using two tokens of different brands (namely Gemalto and Oberthur) one after the other on the same card reader, which is indeed a very special setup. After inserting the token of the second type, firefox gets completely frozen. We are perfectly aware that firefox 3.5.3 is rather old, but we're a very large organization 
with thousands of workstation and cannot upgrade that easily. Besides, we fouond that more recent 
versions actually had the same problem) 

We recompiled firefox3.5.3 in debug mode and got the following partial stack trace using WinDbg (attached) : 

We found that the problem was caused by locking the trust domain's cache in the add_cert_to_cache function in security/nss/lib/pki/tdcache.c and then again in nssTrustDomain_RemoveTokenCertsFromCache() (same source file). Unfortunately, the graph of function calls in this module is rather complex,

JSS SSLTest.java hanging while reading response from server

praspa — 2012-04-10T19:52:23

I've been working with the SSLTest.java class found here connecting to a
tomcat5 application server:
http://mxr.mozilla.org/mozilla/source/security/jss/org/mozilla/jss/ssl/SSLTest.java

My issue is, my client seems to hang here on line 105 to read that the
server is done writing the response:
104         byte[] inbuf = new byte[256];
105         while( (numRead = is.read(inbuf)) != -1 ) {
106             System.out.print( new String(inbuf, 0, numRead, "UTF-8"));
107         }

The client hangs for almost exactly a minute before continuing. After the
hang, the client does receive the entire response from the server.

If I change line 105 to read only a fixed number of bytes (say the number of
bytes expected in the response from the server), the client receives the
response and proceeds instantaneously. A wireshark dump reveals that the
client is prematurely ending the session.

Is there configuration, on the SSLTest client or the tomcat server, that I
can tweak to make this transaction proceed elegantly?

An

NSS 3.13.4

Kai Engert — 2012-04-06T15:56:15

The NSS team has released NSS 3.13.4

CVS tag: NSS_3_13_4_RTM
ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_13_4_RTM/

Please refer to https://bugzilla.mozilla.org/show_bug.cgi?id=741135
for the list of changes contained in this update.

Kai

JSSMessageDigest

Paula Decker — 2012-04-03T20:15:35

Hello,

The Mozilla api documentation shows that org.mozilla.jss.crypto.JSSMessageDigest class has been deprecated.

How can I create a SHA1 hash using JSS?

Thanks.

-Paula

JSSMessageDigest

pdecker — 2012-04-03T20:13:59

Hello,

The Mozilla api documentation shows that
org.mozilla.jss.crypto.JSSMessageDigest class has been deprecated.

How can I create a SHA1 hash using JSS?

Thanks.

-Paula

Add other signed attributes in CMS

Jamil Nimeh — 2012-04-03T00:08:08

Hello all,

I was wondering if folks know the best way to add additional signed 
attributes to CMS signed data messages.  I see in cms.h there's a 
NSS_CMSSignerInfo_AddAutiAttr function, but it doesn't appear to be 
exported (at least, I get undefined reference errors when I try to use it).

I'm trying to add signed attributes for SCEP messages (like sender and 
recipient nonces, transaction IDs, etc.).

Any suggestions on the best way to accomplish this?

Thank you,
Jamil

CMS Message parsing/generation for SCEP

Jamil Nimeh — 2012-04-03T16:26:30

Hello NSS gurus,

I'm trying to write an application that can create and parse SCEP 
PKCSReq and CertRep SCEP messages.  I am running into two problems that 
I'm not sure how to tackle using the public interfaces.

1. How do I set other Signed Attributes in a signed-data object aside 
from the predefined attributes already provided in cms.h?  Specifically 
I'm trying to SCEP attributes (e.g. pkiStatus, messageType, senderNonce, 
etc.).  I see NSS_CMSSignerInfo_AddAuthAttr() but when I tried calling 
it it gave me an unresolved symbol error...is it an exported function? 
If not, are there any recommended ways to set custom Signed Attributes?

2. Is there a way to get CMS objects that come from self-signed sources 
to validate?  I get why normally one would not want to accept such a 
signature.  SCEP does allow for this case though during initial 
enrollment, so I'm trying to cover it.  I've tried adding the 
self-signed cert into the temp Cert DB) and while that alone worked, it 
didn't seem to validate no ma

To NSS-Java or not to NSS-Java, thats the question.

helpcrypto helpcrypto — 2012-04-03T08:18:33

Hi all [Opening my pandora...].

A few months ago we started having problems with NSS (and OSX):

-Cannot load NSS libs from applet on Firefox 4 on MacOSX
    http://forums.mozillazine.org/viewtopic.php?f=38&t=2165273
-Firefox 4 bad initialize on Mac OSX 10.6.7 This cause wrong
java.library.path, user.dir and < at >executable_path for Java libraries
(NSS/JSS)
    https://bugzilla.mozilla.org/show_bug.cgi?id=654939
-Use < at >loader_path instead of < at >executable_path in internal name of
dylibs (Fix OSX support of Java-NSS)
    https://bugzilla.mozilla.org/show_bug.cgi?id=578751

IMHO, this is some that needs some clarification, as Mozilla *IS*
supporting it developing JSS but at the same time saying "we do not
support it", and other options dont work properly due to some bugs
that need to be fixed...or not. Google Chrome works well and is taking
some advantage on this feature (too).
If we want Firefox to be used widely on bussiness/enterprise, then it
will be necessary to take an "official position", so PLEASE answer or

NSS Secmod.db content ??? (maybe same for cert8.db/key3.kb)

helpcrypto helpcrypto — 2012-03-29T09:16:44

Hello, this is a question for the NSPR/NSS guys.

A few days ago, while having a problem parsing secmod.db contents we found:
    http://stackoverflow.com/questions/2873581/is-it-possible-to-access-a-bdb-from-pure-java
and also:
    http://sethi.org/tmp/ssh/src/com/mindbright/bdb/DBHash.java
which helped us a lot parsing the secmod.db file to get the modules
installed on Firefox.

As Secmod Java object is not running properly on OSX, this (parsing)
is what we are going to use by now.
According to this sources, this is how the secmod.db file is organized:

    /**
     * (from page.h in dbm)
     * page format:
     *          +------------------------------+
     * p| n | keyoff | datoff | keyoff |
     *          +------------+--------+--------+
     *          | datoff | free  |  ptr  | --> |
     *          +--------+---------------------+
     *          | F R E E A R E A       |
     *          +--------------+---------------+
     *          |  <---- - - - | data          |
     *          +--------+

Certificate verification regression in NSS 3.13.2

Wan-Teh Chang — 2012-03-28T20:34:00

If you maintain the NSS package in an OS distribution, please read this
announcement.

NSS 3.13.2 has a regression when we removed the support for Netscape
international step-up certificates.  The bug report for this regression
is NSS bug 737802 (https://bugzilla.mozilla.org/show_bug.cgi?id=737802).

This bug affects the CERT_PKIXVerifyCert function, which is based on
libpkix.  The "classic" NSS certificate verification functions, such
as CERT_VerifyCert and CERT_VerifyCertificate, are not affected unless
they have been configured to use libpkix internally by using either the
NSS_ENABLE_PKIX_VERIFY environment variable or the
CERT_SetUsePKIXForValidation function.

I will make an NSS 3.13.4 release soon to fix this regression.  In the
meantime, you can apply the patch in NSS bug 737802 to the NSS source
tree.  The URL for the patch is
https://bug737802.bugzilla.mozilla.org/attachment.cgi?id=608587

Thanks to Rob Stradling of Comodo for reporting the bug and providing a
patch.

Wan-Teh Chang

cert8.db rewrite reasons and exceptions?

helpcrypto helpcrypto — 2012-03-27T07:18:05

Hi all.

Due some problems using Thunderbird ESR, we have found the following,
and would like to ask the experts...

We have noticed Thunderbird 10.3 (probably older versions too)
"rewrites" cert8.db each time it closes. The file its the same, but
the modified date has changed.
 - Is this normal?
 - There is a technical/security reason?

More test have shown cert8.db is not modified/rewrited after adding
our PKCS#11 module in secmod.db. (!)
Our PKCS#11 is working OK for a long time without any problems, but
there must be something wrong in here to prevent the "default
behaviour", right?
Why is this happening?

Going to test on a debug environment to get some traces.

Alternative for SGN_DecodeDigestInfo

VJ — 2012-03-24T22:05:32

I'm trying to use RSA_HashCheckSign() function to verify the message.
I found that, its using SGN_DecodeDigestInfo() function to decode the
digest using SEC_QuickDERDecodeItem() function.
My understanding is that SEC_QuickDERDecodeItem() takes the
sgn_DigestInfoTemplate array, which is loaded from DLL (Is it right?)
If so, where can I find the source cod for that dll?

Is there any other alternative method in NSS to decode the digest /
RSA verification?

Regards,
Vejey

Java Applet NSS Secmod PKCS11 modules OSX 10.6 = FileNotFoundExceptionlibnss3.jnilib

helpcrypto helpcrypto — 2012-03-21T12:05:38

Hello all.

During a refactor of our crypto applet, we have found an issue on OSX
10.6 (more OS pending to try), and ill like to know if we're doing the
correct things.
Before this refactor, we were parsing secmod.db to get all pkcs11
modules configured on NSS (We did it, altough we got some which were
already removed !?).

Do you know a proper way of getting pkcs11 modules configured on firefox?
Theres is an "official" way in java?
There is any documentation on how the modules are stored on secmod, or
if theres any flag to mark enabled, or...? (to help parsing)

Before doing all that, we also used JSS, but was problematic and some
people suggested not to use it for Applets.

Anyway, we found sun.security.pkcs11.Secmod class and become very
happy at first. Quite soon, that happiness dissapeared, cause it
doesnt work as expected.

On OSX 10.6, this is what happends:

        nssDir="/Applications/Firefox.app/Contents/MacOS";
        profile="/Users/user/Library/Application Support";
        Secmod secmod = Se

Implementation of C_Encrypt function

VJ — 2012-03-10T20:23:24

Im porting all RSA encryption from the nss library.
Im a newbie, may I know where C_Encrypt function under
pk11_PubEncryptRaw() function is implemented.
Also, I would like to know if anyone has ever ported only RSA related
functions?

Regards,
Vejey

Problem with intermediate CAs

Helge Bragstad — 2012-03-09T10:15:24

Hello,

I bought a code signing certificate from DigiCert, but then stumbled over
this one:

https://bugzilla.mozilla.org/show_bug.cgi?id=321156

I can't be the first, so I wonder if there are any workarounds since this
problem has not been yet fixed?

Regards,
Helge Bragstad

fyi: initial draft of "Ciphers in Use in the Internet" is nowavailable

=JeffH — 2012-03-08T17:16:20

Of possible interest..

Subject: [Cfrg] Fwd: New Version Notification for
draft-irtf-cfrg-cipher-catalog-00.txt
From: David McGrew <mcgrew< at >cisco.com>
Date: Tue, 6 Mar 2012 07:05:24 -0500 (04:05 PST)
To: cfrg< at >irtf.org

Hi,

the initial version of "Ciphers in Use in the Internet" is now available at 
<http://tools.ietf.org/html/draft-irtf-cfrg-cipher-catalog-00>.   Sean and I 
ask for your review, constructive criticism, and input.    Some parts of the 
draft need more detail and organization, but it should be in sound enough shape 
for review.

If you have text to contribute, that would be appreciated, especially if you 
can supply citations for the more consequential statements.

regards,

David

Begin forwarded message:

 > From: internet-drafts< at >ietf.org
 > Subject: New Version Notification for draft-irtf-cfrg-cipher-catalog-00.txt
 > Date: March 5, 2012 8:35:57 PM EST
 > To: mcgrew< at >cisco.com
 > Cc: shenshuo< at >cnnic.cn
 >
 > A new version of I-D, draft-irtf-cfrg-cipher-catalog-00.txt has been
successfully s