Hello.
As repeatedly answered in this conference (see links below), EC signing is not
supported by NSS because of patent issues.
Specifically,
http://mxr.mozilla.org/security/source/security/nss/lib/cryptohi/secsign.c#92 :
-----( begin @ SGN_NewContext )-----
#ifndef NSS_ECC_MORE_THAN_SUITE_B
    if (key->keyType == ecKey) {
        PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
        return 0;
    }
#endif
-----( end )-------
This disables ECC at the NSS level. Users who own 3rd-party PKCS#11 tokens with
licensed ECC must build a custom NSS through a tricky process.
But ... what's wrong with disabling ECC signing only at the softoken level? This
will allow the use of stock NSS builds with 3rd-party ECC-enabled PKCS#11 tokens.
Best regards,
--
Konstantin Andreev, software engineer.
Swemel JSC.
Here are some relevant discussions:
* Only require NSS_ENABLE_ECC to allow signing data with EC keys
http://bugzilla.mozilla.org/show_bug.cgi?id=367577
* failed to generate key using window.crypto.generateCRMFRequest() method
news://news.mozilla.org:119/[email protected]
* KEYGEN not generating EC keys
news://news.mozilla.org:119/95e757fc-a364-4b13-b5df-4105050cb...@q11g2000yqi.googlegroups.com
--
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto