It would be nice if there was a high level function to do as you suggest and create a "dummy" self-signed certificate when a public/private key pair is needed. The use of public/private RSA/DSA keys is quite common in other applications, such as SSH, in which there is no real need for a certificate within that application. I acknowledge that a corresponding internal certificate is needed for many reasons, such as providing a user friendly method to lookup and identify the key pair by a nickname. It would also allow current user interfaces to be used to manage the keys.
I also acknowledge that the example programs, certcgi.c and certutil.c, could be used as a model by applications that had a need; however, it appears to me that this would result in a lot of wasted time/effort and could result in many potential future problems whenever the API related to certificates changes. I encountered this when I used certcgi.c as a model to do as you suggested. It would also be very nice for such a high level API to have an option to allow for an optional certificate to be specified to sign the "dummy" certificate. Many companies make use of internal CA certificates to sign internal client certificates for use in such applications as a TLS based telnet client.

Ken

"Robert Relyea" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Well first, you need to Initialize NSS with a read/write database.
> NSS_NoDB_Init specifically does not open any databases. If you are going
> to do persistent cert and key operations, you need to use NSS_Init or
> NSS_InitReadWrite (in your case you need the latter).
>
> Next, SECKEY_CreateRSAPrivateKey is used to create ephemeral keypairs;
> what you want is PK11_GenerateKeyPair(). This will create a persistent
> keyPair in your database.
>
> Since the low level parts of NSS are primarily used to support higher
> level functions like SSL and S/MIME, there really isn't a good way to
> reference private keys outside of a certificate. The easiest thing to do
> is create a certificate using the public key (if you want to make it
> self-signed, you can use the private key returned from the generate call
> to sign it) and use PK11_ImportCertForKeyToSlot() to load the
> certificate. From then on you can look up the key using the certificate
> (PK11_FindKeyByAnyCert). A better way would be to create a cert request
> and have a CA sign your user cert. You can find examples of all of these
> functions in mozilla/security/nss/cmd/certutil
>
> bob
>
> Terry Matson wrote:
> > I'm using the following code to create an RSA key pair. After
> > creating the keys, I would like to store them in our application
> > database. I will also need to retrieve those keys to sign and verify
> > hash values. Can someone point me in the right direction regarding
> > storage/retrieval of raw keys.
> >
> > Thanks,
> >
> > Terry
> >
> >
> > -----
> >
> > #include <stdio.h>
> > #include <nss.h>
> > #include <keyhi.h>
> >
> > int main()
> > {
> >     SECKEYPrivateKey *priv_key = NULL;
> >     SECKEYPublicKey *pub_key = NULL;
> >
> >     NSS_NoDB_Init("/home/thm/KeyTest");
> >
> >     priv_key = SECKEY_CreateRSAPrivateKey(640, &pub_key, NULL);
> >
> >     if (priv_key == NULL) {
> >         printf("priv_key == NULL\n");
> >     }
> >
> >     /* Need to save public and private keys to a db here */
> >
> >     NSS_Shutdown();
> >
> >     return(0);
> > }
> >
