Re: Why do we need JSS?

[Nelson B Bolyard]

On 2009-08-11 18:43 PDT, JamesH wrote:
> I have some confusion with regard to JSS due to the lack of proper
> documentation. Looks like JDK 6 can talk to NSS natively with this
> configuration:
> 
> http://java.sun.com/developer/technicalArticles/J2SE/security/#2
> 
> If that's the case, why do I need JSS?
> 
> Your comments are appreciated.

The answer, of course, depends on entirely on what you're trying to
accomplish and why you want to bridge Java to NSS.

That's what JSS is: a bridge between Java and NSS.

JSS has numerous components that can bridge Java to NSS at several different
levels.

JSS offers a implementation of Java SSL sockets that uses NSS's SSL/TLS
implementation rather than Sun's JSSE implementation.  You might want to
use that if you want to use some of the capabilities found in NSS's SSL/TLS
library but not found in JSSE.

JSS offers a JCE provider that typically operates beneath JSSE, and
interfaces to NSS at a layer above the PKCS#11 API, the so-called
PKCS#11 wrapper layer.  That wrapper layer is able to combine the
capabilities of multiple PKCS#11 modules and slots.  If you have (say)
a hardware PKCS#11 module that does RSA crypto acceleration and also
have NSS's FIPS validated software module that does symmetric encryption,
you might use JSS's JCE provider to marry those together into a single
JCE provider, If I'm not mistaken.

Sun now has a JCE provider that is a direct bridge to PKCS#11, and
(as I understand it) appears to be a JCE provider with the capabilities of
any single PKCS#11 module, including NSS's FIPS-validated PKCS#11 module,
with is very complete and "all inclusive".  If you were just using JSS's
JCE provider as a bridge to NSS's FIPS validated PKCS#11 module, then
the JCE PKCS#11 provider may do all that you need, and you may indeed not
need JSS any longer.

I was under the impression that the PKCS#11 JCE provider was only part
of JDK 1.6, but I may be mistaken about that.  Also, there have been some
bugs in that provider that have been problematic for some users, e.g. with
AES 256.  I'm sure they'll get fixed eventually.  AFAIK, JSS just works.
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Why do we need JSS?

[William L. Hartzell]

JamesH wrote:

I have some confusion with regard to JSS due to the lack of proper
documentation. Looks like JDK 6 can talk to NSS natively with this
configuration:

http://java.sun.com/developer/technicalArticles/J2SE/security/#2

If that's the case, why do I need JSS?

Your comments are appreciated.
Even JDK5 can use this interface according to the link article. 
However, not all platforms have either Java 1.5 or Java 1.6.  So do YOU 
want to support these other platforms or not is the real question.

--
Bill

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Why do we need JSS?

[JamesH]

I have some confusion with regard to JSS due to the lack of proper
documentation. Looks like JDK 6 can talk to NSS natively with this
configuration:

http://java.sun.com/developer/technicalArticles/J2SE/security/#2

If that's the case, why do I need JSS?

Your comments are appreciated.
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Signed scripting

[Nelson B Bolyard]

Adrian wrote:


I've tried the whole procedure to create root, distributors and
signing certificates at : http://books.mozdev.org/chapters/ch12.html#77079
and succeeded in it.



When I first read and replied to this message, I failed to notice the infamous 
URL cited above.  Sorry.


The author of that book later repudiated his chapter 12.  See his statement at
http://certs.mozdev.org/
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Signed scripting

[Nelson Bolyard]

On 2009-08-11 05:42 PDT, Adrian wrote:
> Hi everyone,
> 
> Please tell me if I'm not posting on the right forum and where I can
> find the right place.

> When I call it using jar:file:///...myjar.jar!/secure.html 
> the browser opens it, asks for privileges, etc, no problem... 
> BUT  jar:HTTP://localhost/...myjar.jar!/secure.html doesn't. 

That difference of behavior in the jar: scheme is a question for the
mozilla.dev.platform newsgroup, I believe.
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: "SSL input filter read failed" error for apache with mod_nss

[Nelson B Bolyard]

On 2009-08-11 07:11 PDT, Rishi Renjith wrote:
> Hello, 
> The issue with the dummy DB was that some permissions to some files in
> it were not given. I did a chmod 777 to all files and now the dummy DB
> seems to be working fine. 

I still don't know what a dummy DB is, but I'm glad you got past it.

> I configured the NSS database with the crypto card(sun sca6000) as follows. 
> mkdir /opt/SMC/Apache2/nsscertdb
> 
> cd /opt/SMC/Apache2/nsscertdb
> 
> certutil -N -d /opt/SMC/Apache2/nsscertdb
> 
> modutil -dbdir . -nocertdb -force -add "Sun Crypto Accelerator"
> -libfile /usr/lib/libpkcs11.so -mechanisms RSA:DSA:RC4:DES

Ah!  You're trying to use a Sun Crypto Accelerator!  You didn't mention
that in your previous message.

>  modutil -list -dbdir /opt/SMC/Apache2/nssdb
> Using database directory /opt/SMC/Apache2/nssdb...
> 
> Listing of PKCS #11 Modules
> ---
>   1. NSS Internal PKCS #11 Module
>  slots: 2 slots attached
> status: loaded
> 
>  slot: NSS Internal Cryptographic Services
> token: NSS Generic Crypto Services
> 
>  slot: NSS User Private Key and Certificate Services
> token: NSS Certificate DB
> 
>   2. Sun Crypto Accelerator
> library name: /usr/lib/libpkcs11.so
>  slots: 2 slots attached
> status: loaded
> 
>  slot: Sun Metaslot
> token: Sun Metaslot
> 
>  slot: Sun Crypto Softtoken
> token: Sun Software PKCS#11 softtoken
> ---

No crypto accelerator there!  It should show up as a slot.

Sun's Metaslot is a special software slot that redistributes the tasks
it is asked to do to the other slots.  Its other slots actually come
from other PKCS#11 modules that plug into it.  In this case, it shows
only one other slot, one belonging to Sun's pure-software PKCS#11 module,
Sun's "softtoken" (note: two t's, unlike NSS's pure-software softoken
which has only one t :).  That tells us that Sun's Metaslot has not been
configured to know about the Sun Crypto Accelerator you want to use.
In other words, your Sun Crypto Accelerator has not been "plugged in" to
your Metaslot.  So, when you did various operations, such as generating
a key pair and a CSR in the "metaslot", the Metaslot redistributed that
task to the only other slot it could fine, Sun's Softtoken.  That's not
what you expected, I see.

> certutil -R  -s "C=IN, O=NSN, OU=SPA2, CN=sandeeprc.eu.org
> " -h "Sun Metaslot" -o ismc.csr -d . -a  -n
> ismc_cert

> (Got the CSR signed from CA Cert)
> certutil -A  -d . -n "ismc_cert" -a -t "CT,," -i cert2.csr -h "Sun Metaslot"
> 
> certutil -A  -d . -n "CACERT CA" -a -t "CTu,CTu,CTu" -i ca.txt -h "Sun
> Metaslot"
> 
> certutil -V -u V -d . -n "ismc_cert" -h "Sun Metaslot"
> 
> The certificate is verified corrrectly. 

I think you will find that all those certs appear to be in two slots,
the Metaslot and also in the softoken.  Try listing the certs in all
slots, e.g.
  certutil -L -d . -h all

> In nss.conf, i gave the following directives to use this database
> 
> Now in NSS.conf I added the following lines to use the hardware accelarator
> NSSNickname "Sun Metaslot:ismc_cert"
> NSSCertificateDatabase /opt/SMC/Apache2/nssdb
> 
> Now everything is working fine, the requests are getting processed
> correctly. But the issue is that the rsaprivate value is not getting
> incremented in the kstat -n mca0 output. Which means that it is not
> using the hardware accelerator card. 

Right. Not surprising, given that the SCA doesn't show up among the slots
known to the metaslot.

> I have also given cryptoadm enable metaslot token= so as to
> use the hardware accelerator. 
> 
> Any suggestions? 
> 
> (When we try to use mod_ssl using the pkcs patch, it s correctly
> incrementing the rsaprivate values.)

Now, your question is a Sun configuration question, namely, how do you
configure Sun's Metaslot so that it knows about the SCA-6000?  You'll
have to get the answer to that question from Sun.

If/when you get an answer, please share it with us here.  Thanks.
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: "SSL input filter read failed" error for apache with mod_nss

[Robert Relyea]

On 08/11/2009 07:11 AM, Rishi Renjith wrote:
Now in NSS.conf I added the following lines to use the hardware 
accelarator

NSSNickname "Sun Metaslot:ismc_cert"
NSSCertificateDatabase /opt/SMC/Apache2/nssdb

Now everything is working fine, the requests are getting processed 
correctly. But the issue is that the rsaprivate value is not getting 
incremented in the kstat -n mca0 output. Which means that it is not 
using the hardware accelerator card.
If everything is connecting correctly, then there is only a few 
possibilities:


1) You are not using an RSA cipher (possible, but unlikely -- not 
possible if you have not other key and cert types).
2) You have a copy of the private key in the softoken.- NSS should 
prefer the HW token if the exact cert and key is in both. If the key is 
only in one or the other then NSS will use the token that contains that 
private key (it has not choice).  If NSS is using the softoken key it's 
likely because:
2a) There is a second cert with the same subject as the one in your 
token with a valid public key, and NSS is prefering that cert (probably 
because of issuance or key usage reasons).
2b) You don't have the private key in the token (I noted that your 
setup did not import any private keys, you used certutil to import your 
cert -- which just imports certs, not private keys. You'll want to use 
pk12util to import a PKCS #12 package with both the cert and the key).
NOTE: you can solve 2a by deleting the private key in softoken --- 
however if your problem is 2b) that means you will loose your private 
key. You may want to use pk12util to back it up first.
3) If you are using RSA, and you have not RSA private keys in the 
softoken database, and you are connecting correctly -- then you *MUST* 
be using the token (or some token) as NSS could never do the private key 
operation without the private key. In that case I would suspect your 
counter.


bob


-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: "SSL input filter read failed" error for apache with mod_nss

[Nelson B Bolyard]

On 2009-08-10 04:47 PDT, Rishi wrote:
> Hello,
> We are trying to make apache work with mod_nss in Solaris10 x86
> platform in our project, which currently uses mod_ssl. For that we did
> the following.
> 1) Compiled and installed NSS with NSPR.
> 2) Installed Apache compiled with mod_ssl
> 3) Compiled and installed mod_nss for this Apache
> 4) Created the dummy DB using gencert.sh fie in mod_nss

mod_nss is a plug-in for Apache that uses NSS.  It was developed by
someone who does not participate in this discussion forum (as far as I
know) and the people in this forum may not be able to help you with
mod_nss.  We can help you with NSS, but not mod_nss.  I appreciate that
you may not know where the boundaries are between them.

The mod_nss people hang out somewhere in Red Hat discussion areas.
Sorry, I can't be more specific.

I don't know what a "dummy DB" is.  I'm not aware that NSS ever has any
dummy DBs.  Maybe this dummy DB is not an NSS DB?  I'm curious to know
what documentation advises you about a "dummy DB".

> 5) Changed permissions for DB so that we can use it.
> The issue we are getting is that the browser(Firefox) says
> "SSL_Disabled", when trying to run in FIPS mode. 

Firefox reports "SSL Disabled" when it has tried and failed to complete
a TLS and/or SSL handshake with the same server 2-3 times in a row.
It's actually a bug that it reports SSL disabled, and not something else,
but regardless of the words of the report, the point is that the handshakes
are failing.  There are potentially many reasons why.

> When I checked the server logs, it says "SSL Input filter read failed."
> "Cannot connect, SSL is disabled".  error.

That's not an NSS error.  It's likely a server configuration issue.

> Is there any setting that we are missing?
> nss.conf and httpd.conf files.

NSS doesn't have any files named nss.conf or httpd.conf.  Those must be
mod_nss files and/or Apache files.  You'll have to ask the mod_nss people
about that.

> 
> Versions used:
> Mod_nss: 1.0.8
> NSS and NSPR: nss-3.12.3.1-with-nspr-4.7.5
> Apache: 2.2.11
> 

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Extrace Mozilla trusted certs into PEM files?

[Nelson B Bolyard]

On 2009-08-10 10:24 PDT, Georgi Guninski wrote:
> On Mon, Aug 10, 2009 at 09:44:55AM -0700, Nelson B Bolyard wrote:
>>
>> https://developer.mozilla.org/en/Mozilla_Source_Code_Via_CVS#CVS_Client_Settings
>>
>>
>> These instructions don't show the use of ssh.  I'm not sure that the
>> combination of anonymous cvs and ssh is available at this time.  It was
>> not available a year ago, but ...   See
>>
>> https://developer.mozilla.org/en/Using_SSH_to_connect_to_CVS
> 
> yes, i was asking about anonymous ssh - the above url assumes "write cvs
> access".

Please file a bug with bugzilla.mozilla.org, product mozilla.org,
component Server Operations (or perhaps Server Operations Security)
requesting that an anonymous ssh account be created for read-only access
on the CVS mirrors.  Please CC me on that bug.  Thanks.
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: "SSL input filter read failed" error for apache with mod_nss

[Rishi Renjith]

Hello, The issue with the dummy DB was that some permissions to some files
in it were not given. I did a chmod 777 to all files and now the dummy DB
seems to be working fine.

I configured the NSS database with the crypto card(sun sca6000) as follows.
mkdir /opt/SMC/Apache2/nsscertdb

cd /opt/SMC/Apache2/nsscertdb

-certutil -N -d /opt/SMC/Apache2/nsscertdb

-modutil -dbdir . -nocertdb -force -add "Sun Crypto Accelerator" -libfile
/usr/lib/libpkcs11.so -mechanisms RSA:DSA:RC4:DES
 modutil -list -dbdir /opt/SMC/Apache2/nssdb
Using database directory /opt/SMC/Apache2/nssdb...

Listing of PKCS #11 Modules
---
  1. NSS Internal PKCS #11 Module
 slots: 2 slots attached
status: loaded

 slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services

 slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB

  2. Sun Crypto Accelerator
library name: /usr/lib/libpkcs11.so
 slots: 2 slots attached
status: loaded

 slot: Sun Metaslot
token: Sun Metaslot

 slot: Sun Crypto Softtoken
token: Sun Software PKCS#11 softtoken
---


certutil -R  -s "C=IN, O=NSN, OU=SPA2, CN=sandeeprc.eu.org" -h "Sun
Metaslot" -o ismc.csr -d . -a  -n ismc_cert

(Got the CSR signed from CA Cert)
certutil -A  -d . -n "ismc_cert" -a -t "CT,," -i cert2.csr -h "Sun Metaslot"

certutil -A  -d . -n "CACERT CA" -a -t "CTu,CTu,CTu" -i ca.txt -h "Sun
Metaslot"

certutil -V -u V -d . -n "ismc_cert" -h "Sun Metaslot"

The certificate is verified corrrectly. In nss.conf, i gave the following
directives to use this database

Now in NSS.conf I added the following lines to use the hardware accelarator
NSSNickname "Sun Metaslot:ismc_cert"
NSSCertificateDatabase /opt/SMC/Apache2/nssdb

Now everything is working fine, the requests are getting processed
correctly. But the issue is that the rsaprivate value is not getting
incremented in the kstat -n mca0 output. Which means that it is not using
the hardware accelerator card.

I have also given cryptoadm enable metaslot token= so as to use
the hardware accelerator.

Any suggestions?

(When we try to use mod_ssl using the pkcs patch, it s correctly
incrementing the rsaprivate values.)

On Mon, Aug 10, 2009 at 5:12 PM, Rishi Renjith wrote:

>
> Hello, We are trying to make apache work with mod_nss in Solaris10 x86
> platform in our project, which currently uses mod_ssl. For that we did the
> following.
> 1) Compiled and installed NSS with NSPR.
>  2) Installed Apache compiled with mod_ssl
> 3) Compiled and installed mod_nss for this Apache
> 4) Created the dummy DB using gencert.sh fie in mod_nss
> 5) Changed permissions for DB so that we can use it.
> The issue we are getting is that the browser(Firefox) says "SSL_Disabled",
> when trying to run in FIPS mode. When I checked the server logs, it says
> "SSL Input filter read failed." "Cannot connect, SSL is disabled".  error.
>
> Is there any setting that we are missing?
> I am attaching the nss.conf and httpd.conf files.
>
> Versions used:
> Mod_nss: 1.0.8
> NSS and NSPR: nss-3.12.3.1-with-nspr-4.7.5
> Apache: 2.2.11
>
>
>
> Thanks,
> Rishi
>
>
>
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

RE: Microsoft: is old and very basic

[Adrian Bateman]

On Saturday, August 08, 2009 12:50 AM, Anders Rundgren wrote:
> http://lists.w3.org/Archives/Public/public-html/2009Aug/0389.html
> 
> However, that doesn't make Microsoft's solution ideal either because it
> also fails to address provisioning in a way that is even remotely
> comparable to what current card management software offers.

Hi Anders,

Thanks for the mail and the forward to the lists in the CC line.

I certainly wasn't trying to make a claim that Microsoft's solution is ideal - 
this isn't my area of expertise so I wouldn't be able to judge that. I have 
forwarded your mail on to a team better equipped to give feedback. My question 
was, based on the feedback I'd heard, whether or not it made sense to 
standardize the old  behaviour in HTML 5 when a more modern solution 
might be more appropriate.

I will follow-up here when I get more feedback from the team that looks after 
this area.

Regards,

Adrian.

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Signed scripting

[Adrian]

Hi everyone,

Please tell me if I'm not posting on the right forum and where I can
find the right place.

I'm writing a script that has to be signed since it needs access to
the brother's (firefox 3.0.13) DOM. As far as I know, I need a
certificate to sign the script so I generated one with certutils and
then used signtools in order to generate a jar containing my script. I
used the doc at 
http://www.mozilla.org/projects/security/components/jssec.html#signedscript
to make it work.

certutil -N -d sFolder
signtool -G certname -d sFolder -p password
signtool -d sFolder -k certname -p password -X -Z myOutputJar.jar
(generated cert was imported to firefox)

When I call it using jar:file:///...myjar.jar!/secure.html the browser
opens it, asks for privileges, etc, no problem... BUT  jar:HTTP://
localhost/...myjar.jar!/secure.html doesn't. Sometimes after
refreshing several times it DOES but that's very unpredictable.

Why does the "jar:HTTP://.." call fail? Do you think there is a
problem with my certificate (security issue)? Or is there another
configuration to do on the server to make it work (and thus where can
I find some help concerning it)?

I've tried the whole procedure to create root, distributors and
signing certificates at : http://books.mozdev.org/chapters/ch12.html#77079
and succeeded in it.
But I still can't access my secured scripts through "jar:http://...";!
In firebug I've got the response "Failed to load source for:
http://localhost/.../secure.jar"; when the jar is accessed.

Any idea?

Thanks for your help
Adrian
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto