Dave Townsend wrote:
Nelson Bolyard wrote:
Dave Townsend wrote:
I've spent much of the afternoon delving through the NSS APIs trying to
figure out how to achieve my goals. I'm basically working on signing and
verifying data with public and private keys. I've figured that
SGN_SignData and VFY_VerifyData are my friends (or should I be using the
PK11_Sign/Verify functions, or even what the sign and verify stuff in
security/nss/lib/freebl is about?)

Anyway basic issue is that I need a SECKEYPublicKey and
SECKEYPrivateKey. I can see how to create them in NSS for use, I've also
found a technical note which suggests how to bring a public key into
NSS, however I don't see anything about serializing/restoring a private
key or how to get a created public key out of NSS. Can anyone point me
in the right direction?
Dave, NSS has a pretty large number of test programs.  One of them may
already do what you want.  If not, they should serve as good sample source
for you to figure out what you need.

It would help if we knew what you're trying to sign.
A Jar/XPI file ?   (signtool does that)
A mail message ?   (cmsutil does that)
Other?

It's actually other. Essentially I'm just looking for signing of some plain text, though this actually comes out of an RDF datasource. I intend to take the relevant set of properties that I need to sign into a text string, sign that, and then add the signature into the RDF.

I think Robert's response has got me most of the way to what I want, I think the only thing I'm a bit fuzzy on is storing and retrieving the private key in the nss database. However if you have any pointers for sample code that I can take from then that would be very useful.
You really only want to store and retrieve the private keys if you need to transport them (or back them up). Doing the latter needs to be handled carefully, and can be a source of errors in your protocol.

A better way to handle it (if you absolutely must use bare keys) is to store your private keys as persistent keys. You can use the KeyID and the slot the key is stored in to find the key again (PK11_FindKeyByID to find it, PK11_GetLowLevelKeyIDForPrivatekey() to get the KeyID).

Usually NSS uses the certificate. There are functions to help you find the most appropriate certificate, and then from that certificate find the private key that is associated with it.

bob
Dave

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
