On Mon, Sep 28, 2009 at 3:12 AM, Konstantin Andreev <[email protected]> wrote:
> Hello.
>
> As repeatedly answered in this conference (see links below), EC signing is
> not supported by NSS because of patent issues.
> Specifically,
> http://mxr.mozilla.org/security/source/security/nss/lib/cryptohi/secsign.c#92
> :
>
> -----( begin @ SGN_NewContext )-----
> #ifndef NSS_ECC_MORE_THAN_SUITE_B
>    if (key->keyType == ecKey) {
>        PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
>        return 0;
>    }
> #endif
> -----( end )-------
>
> This disables ECC at the NSS level. Users who own 3rd-party PKCS#11 tokens
> with licenced ECC must build a custom NSS with a tricky process.
>
> But, ... what's wrong with disabling ECC signing only at the softoken level?
> This will allow the use of stock NSS builds with 3rd-party ECC-enabled
> PKCS#11 tokens.

That seems to be how NSS was built in Red Hat Enterprise Linux
because a CentOS 5.3 user told me that ident /usr/lib/libnss3.so gives:
     $Header: NSS 3.12.4.1 Extended ECC Beta  Jul 27 2009 11:00:25 $

I don't have a good answer to your question.

Wan-Teh
-- 
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
