Nic James Ferrier wrote:
Bob Relyea <[EMAIL PROTECTED]> writes:
You can do the one shot by having mozilla generate the key with the java-script crmf interface. (http://developer.mozilla.org/en/docs/JavaScript_crypto#Generating_Keys_and_issuing_User_Certificates)
The example on this page is badly broken. I fixed it. Do you happen to know who I can send patches to?
The interface allows you to optionally back up the user's private key as well.
That's very interesting. Unfortunately, it generates CRMF and that seems pretty difficult to handle on the backend. openssl hasn't got any support for it. Neither does gnutls.
So that means I'm stuck with NSS if I want to do one-shot registration?
Or find a CRMF toolkit.
The keygen is fine if you don't need any of CRMF's features (like Proof Of Possession, key archival, etc.).
There is also the <keygen/> element which I note still works.
Once you have the key in the client, then x-x509-user-cert will work. You can pass it the binary cert (which all the toolkits should be able to give you) or a Base-64 encoded cert (the body of the pem file).
However, when I've generated a certificate with keygen how do I get it into firefox? Can I use importUserCertificates() with something that comes out of openssl or gnutls?
Yes, the user will still be prompted for the password of the PKCS 12 file, and if he has more than one writable token, he will be prompted for where the cert and key should go.
This is certainly the wrong mime-type for a PKCS #12 file. Unfortunately, looking at the code, there doesn't seem to be a content handler for pkcs12 in firefox (or any of xulrunner). Sounds like a reasonable RFE. Assign the component to the bug to 'PSM'.
I'm sending the PKCS12 from the webserver with the mime type: application/x-x509-user-cert
Yes. I did try the pkcs12 mime type as well but with the result that it asked me if I wanted to save the file. If there was a handler in FF for pkcs12 is that what it should do: auto-import the certificate?
_______________________________________________ dev-tech-crypto mailing list [email protected] https://lists.mozilla.org/listinfo/dev-tech-crypto

