Eric,
Eric Irrgang wrote:
Is there a good way to determine what version or build a compiled binary is from? There doesn't seem to be a version flag and the version does not appear as an ASCII string in all of the tools.
There is no sure way to tell that I know of for Solaris. The main thing that tells you a binary requires a given higher version of NSS is that it will not run because of a missing symbol.
That said, old tools are supposed to work with the newer libraries. In general, the NSS libraries you are using determine what version of the database will be written, not the tool. Some tools may have problems if they hardcode filenames, but most don't. You just need to check with ldd that the tool is dynamically linked with the NSS shared libraries (some tools are still statically linked).
Incidentally, the certutil that Sun is distributing these days claims to be from NSS 3.3.10. Is there such a thing or did they just go off on their own branch?
Yes, there is an NSS 3.3.10; it is a Sun-specific branch, but still open-source. You can pull NSS_3_3_BRANCH if interested. This branch should not live for too much longer in Sun products, however, as NSS 3.3 is being replaced with 3.9.
$ strings /usr/sfw/bin/sparcv9/certutil |head -2
$Header: NSS 3.3.10 Mar 25 2004 01:04:11 $
@(#)NSS 3.3.10 Mar 25 2004 01:04:11
symkeyutil is built by default in the nss build, but doesn't seem to be currently working right.
How so? What type of key were you trying to use with it?
bash-2.05$ nss-3.9.2/mozilla/dist/SunOS5.9_64_DBG.OBJ/bin/certutil -N -d test
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password:
Re-enter password:
bash-2.05$ nss-3.9.2/mozilla/dist/SunOS5.9_64_DBG.OBJ/bin/certutil -G -n test -z /tmp/seed -d test
Enter Password or Pin for "NSS Certificate DB":

Generating key. This may take a few moments...

bash-2.05$ nss-3.9.2/mozilla/dist/SunOS5.9_64_DBG.OBJ/bin/certutil -K -d test
Enter Password or Pin for "NSS Certificate DB":
<0>
Your key got generated. I believe the default is an RSA keypair.
I haven't used symkeyutil before, but I believe it's for symmetric keys only, and therefore you can't export the RSA key with the -E command.
I see in the code that there may be some defines to allow doing what you want anyway if you hack and recompile it.
Also, symkeyutil seems to look for libnssckbi.so in the directory specified by -d. I've never heard of such a thing...
libnssckbi.so is the root cert module. It's been the behavior of NSS since 3.2 to look for it in the database directory.
Export the cert and keys to PKCS#12 format, using the version of NSS and pk12util that support your original database.
Is there a way to examine a database to determine which version of the tools to use with it?
The key database format hasn't changed in years.
The major version of the cert database is essentially determined by the file naming: cert7.db or cert8.db. There are some minor differences within versions.
In particular, I found that the Sun NSS 3.3.x versions didn't implement the full cert8 format. Therefore, you shouldn't manipulate DBs from Sun products with newer tools (e.g. from NSS 3.9) which have the "full" cert8 format. If you do that, but then try to use those databases with Sun products still running NSS 3.3.x, you won't be able to use them. This is why Sun officially supports only NSS 3.3.x and recommends against using any tools not built by Sun to manipulate cert/key databases of Sun server products.
You should wait for the official release of Sun products with NSS 3.9, JES3, which should be in a couple of months. NSS 3.9 is also already in Solaris 10 in the early access builds if you have that.
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
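The checks discussed in the thread (read the build stamp out of a tool binary with strings, confirm with ldd that it uses the shared NSS libraries, tell cert7 from cert8 by file name, and back the database up with the matching pk12util) can be scripted. The script below is an added example written for this page; it is not code from the thread, from Sun or from the NSS project. It assumes strings(1), ldd(1) and pk12util are on PATH, the function names are my own, and the sample stamp lines fed to the demo are constructed from the certutil output quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): answer the questions raised above from
# a shell, without recompiling anything.
#  1. Which NSS release is a tool built from?  Look for the build stamp that
#     the NSS build embeds ("@(#)NSS 3.3.10 ..." / "$Header: NSS 3.3.10 ...").
#  2. Does the tool use the shared NSS libraries, so that the installed
#     libraries, not the tool, decide the DB format?  Check ldd for libnss3.so.
#  3. Which database format is a directory in?  cert7.db vs cert8.db.

# Read `strings <binary>` output on stdin; print the NSS version (e.g. 3.3.10).
# Exits 1 with no output when no stamp is present (some builds carry none).
nss_version_from_strings() {
    sed -n \
        -e 's/^@(#)NSS \([0-9][0-9.]*\) .*/\1/p' \
        -e 's/^\$Header: NSS \([0-9][0-9.]*\) .*/\1/p' |
    head -n 1 | grep .
}

# Same check against a real binary (needs strings(1): binutils, or SUNWbtool
# on Solaris).
nss_binary_version() {
    strings "$1" | nss_version_from_strings
}

# Return 0 if the tool is dynamically linked against libnss3, 1 otherwise.
# A statically linked tool carries its own NSS and ignores the installed one.
nss_links_shared() {
    ldd "$1" 2>/dev/null | grep -q 'libnss3\.so'
}

# Classify a cert/key DB directory by file name: prints "cert8", "cert7" or
# "none" (returns 1 when no cert DB is found). This reveals the major format
# only; as the thread notes, Sun's NSS 3.3.x cert8.db is not the "full"
# 3.9 cert8 format, and file names do not distinguish the two.
nss_db_format() {
    _dir=$1
    if [ -f "$_dir/cert8.db" ]; then echo cert8
    elif [ -f "$_dir/cert7.db" ]; then echo cert7
    else echo none; return 1
    fi
}

# Export a cert and its private key to PKCS#12. Run this with the pk12util
# from the same NSS release that wrote the database (the migration path the
# thread recommends), then import with the newer tools.
#   usage: nss_export_p12 <dbdir> <nickname> <out.p12>
nss_export_p12() {
    pk12util -d "$1" -n "$2" -o "$3"
}

# Demo on constructed input: the two stamp lines quoted from Sun's certutil.
# Prints 3.3.10.
demo() {
    printf '%s\n' \
        '$Header: NSS 3.3.10 Mar 25 2004 01:04:11 $' \
        '@(#)NSS 3.3.10 Mar 25 2004 01:04:11' |
    nss_version_from_strings
}

demo
```

On a real system, `nss_binary_version /usr/sfw/bin/sparcv9/certutil` and `nss_links_shared /usr/sfw/bin/sparcv9/certutil` give the two facts the thread says you need before deciding which tools may touch a database; `nss_db_format` only tells you cert7 versus cert8, so a Sun 3.3.x database should still be treated as off-limits to 3.9 tools until it has been exported with the matching pk12util.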
