On Sep 7, 6:55 am, Konstantin Andreev <andr...@swemel.ru> wrote: > On 08/28/10 02:36, Michael Smith wrote: > > > Rather than the normal case of a client certificate belonging to the user, > > and just added to the certificate store, we want to have a certificate that > > nominally belongs to the application, and is secret from the user (strange, > > but that's what I'm stuck with). > > > The specific requirements are that we not store it unencrypted in the > > filesystem - and simply setting a password on the key db isn't an option, > > as that would interfere with the _user's_ use of the key db for any of > > their certificates, and that it must not be available in the UI (so we want > > to somehow hide it from the 'View Certificates' UI - or at least not be > > exportable from there). > > Hello, Michael. > > Would this work ? > > 1) hardcode the cert. and the priv. key into your app. binary (maybe > hidden/masked/...) > > 2) at run time, import them into NSS softoken as ephemeral (session) > objects.
Konstantin, That looks like pretty much what I want to do - but I've been unable to figure out how to do part (2) there. Many of the NSS APIs are not terribly well documented. Any pointers to sample code or even just to the relevant functions would be very helpful. Mike -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto