On 2010-06-15 14:17 PDT, John Scott wrote:
> I'm doing the following to create a signed Firefox plugin
> 
> http://oyoy.eu/huh/firefox-extension-code-signed-with-spc-pvk/
> 
> However, I'm trying to automate the process, and the first step would be
> removing the need for pvkimprt. .NET code can export a PKCS#12 key with
> the private key from a PKCS#7 key, but it doesn't have the full chain of
> CAs, so is invalid for signing the plugin.

What are you trying to automate?

Are you trying to make it so that YOU can sign multiple plugins, or multiple
versions of a plugin under development, easily (say with a batch file)?

Are you trying to make it so that ANYONE can sign a plugin easily?

Is there any reason the PKCS#12 file needs to be created more than once
per user?
Must the creation of the PKCS#12 file be "automated"?

Microsoft's own "certificate manager" is quite capable of generating a
PKCS#12 file with the whole cert chain and the requisite "friendly name".
It's a fairly nice GUI program, so I wouldn't try to automate its use,
which is why I ask if the automation needs to include that step.

> Would using the NSS API be a practical approach? 

To do what?
To create a PKCS#12 file from the certs and keys in MS proprietary format?

> It seems that Firefox can export keys and it uses NSS to do that? 

Yes.

> Have there been any attempts to do something like this in the past?

Not sure what "like this" is yet.
Once you've gotten the necessary keys and certs imported into an NSS DB
pair, the rest of the signing process is easily automated because there's
a command line program to do it.  Seems like the challenge you're facing
is to get the private key (which I gather is in a proprietary MS .pvk file)
into some usable form.  NSS doesn't handle pvk files.  MS itself deprecated
them over a decade ago.  I'm not sure why they're still in use.  Maybe
there's some other tool on the internet that can create a PKCS12 file from
a pvk file and some certs.  Or maybe you can/should import the pvk file
into your Windows system's key store, and then use Windows cert mgr to
create a pkcs12 file.

Good luck.
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
