Re: Error when using AES_ECB_PAD
On Tuesday 06 September 2011 00:14:31 fainardi wrote:
> hi
> i have this error when i try to use the algorithm CKM_AES_ECB_PAD

What do you expect this to do?

> => error : 'CKM_AES_ECB_PAD' undeclared ( first use in this function )

So this isn't what you're looking for.

Brad
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: NSS_NoDB_Init undefined reference ??
On Tuesday 09 August 2011 19:19:48 florent ainardi wrote:
> when i launch gcc i have the error
> undefined reference to 'NSS_NoDB_Init'

You really should consider Anders' response on this one - NSS isn't the place to be learning to use gcc.

However if you still need to resolve this, add the appropriate library entries (-L / -l) to your gcc invocation. You can use nss-config to determine this.

Brad

Re: bug compiling ridiculous program
On Thursday 28 July 2011 02:12:32 florent ainardi wrote:
> > If you're installing using pre-built packages make sure you also install
> > the devel packages, those have the headers necessary for software
> > development (hence the devel suffix). For RPM based systems it would be
> > nspr-devel, nss-devel, nss-util-devel (because you need both nspr and
> > nss).
> >
> > Understanding where to find headers, how to install packages, etc. are
> > OS specific issues better dealt on a mailing list devoted to software
> > development on your chosen OS.
> >
> > Hope that helps and gets you started,
> >
> > John
> hi
> i found what is the problem ^^
> let me explain
> in my program i have
>
> #include
> #include
>
> and when i look inside the nss.h or pk11pub.h all library are called
> using the following method #include "lib.h" but all the lib of nss are
> in the following directory
>
> /usr/include
> /usr/include/nss
> /usr/include/nspr
>
> but if i use "" the libs must be in the same directory than the source
> code

This isn't correct, and I'd prefer to not let it be a source of confusion for other developers.

As John pointed out, you need to specify the correct include paths (e.g. -I using gcc). You can get that include path from nspr-config or nss-config, and integrate it into whatever build system you are using.

bradh@incana:~$ nss-config --includedir
/usr/include/nss
bradh@incana:~$ nspr-config --includedir
/usr/include/nspr

Brad

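Added example (not part of the original messages, and not NSS project code): a shell helper that assembles the gcc include and link flags from nss-config and nspr-config, as the two replies above advise, and reports missing development headers before compiling. The function names and the NSS_CONFIG / NSPR_CONFIG override variables are assumptions of this example; --libs is the link-flag option of both config tools.

```shell
#!/bin/sh
# Added example: derive gcc flags for an NSS program from nss-config / nspr-config.
# NSS_CONFIG / NSPR_CONFIG (assumed names) let a non-default install be selected.
NSS_CONFIG=${NSS_CONFIG:-nss-config}
NSPR_CONFIG=${NSPR_CONFIG:-nspr-config}

# check_header DIR FILE: fail with a hint when the development headers are absent.
check_header() {
    if [ ! -f "$1/$2" ]; then
        echo "missing $1/$2: install the NSS/NSPR development package" >&2
        return 1
    fi
}

# nss_compile_flags: print the -I flags after confirming the headers exist there.
nss_compile_flags() {
    nss_inc=$($NSS_CONFIG --includedir) || return 1
    nspr_inc=$($NSPR_CONFIG --includedir) || return 1
    check_header "$nss_inc" nss.h || return 1
    check_header "$nspr_inc" nspr.h || return 1
    printf '%s\n' "-I$nss_inc -I$nspr_inc"
}

# nss_link_flags: print the -L / -l flags reported by both tools.
nss_link_flags() {
    nss_libs=$($NSS_CONFIG --libs) || return 1
    nspr_libs=$($NSPR_CONFIG --libs) || return 1
    printf '%s\n' "$nss_libs $nspr_libs"
}

# nss_gcc_command SRC OUT: print the full gcc invocation. Libraries go after the
# source file so the linker can resolve symbols such as NSS_NoDB_Init.
nss_gcc_command() {
    cflags=$(nss_compile_flags) || return 1
    libs=$(nss_link_flags) || return 1
    printf '%s\n' "gcc $cflags -o $2 $1 $libs"
}

# Stand-alone use: sh nssflags.sh prog.c prog
if [ "$#" -eq 2 ]; then
    nss_gcc_command "$1" "$2"
fi
```
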
Re: Extract Mozilla trusted certs into PEM files?
On Thursday 06 August 2009 09:20:02 Nelson Bolyard wrote:
> Hi all,
>
> Quite a while ago, I read a message from someone saying he had devised,
> or was going to devise, a scheme to extract all of Mozilla's trusted root
> certs from NSS and make PEM files from them, and use them as trusted certs
> in some other non-NSS-based product.
>
> Does anyone remember that?
> Can you point me to the person(s) who did that?
> I'd like to ask them about it, and maybe reuse it.

Justin Karneges did it for the QCA library - see http://websvn.kde.org/trunk/kdesupport/qca/tools/mozcerts/

I'm not sure you really want that approach though, and perhaps don't want to depend on Qt4.

Brad

keygen specification? (was long thread about various HTML/javascript key generation)
On Friday 26 December 2008 07:15:59 am Kyle Hamilton wrote:
> among other things, because is not a standardized mechanism.

FWIW, is there a description of how is actually supposed to work, and a set of test cases?

Brad

Re: YA digitally signed email protocol
On Thursday 13 December 2007 09:53:51 pm Nelson Bolyard wrote:
> So, one wonders:
> - Does signed email become something only EV-eligible parties can send?

Is it really "EV" equivalent? Is there really enough rigour being applied to make sure these people are "really nice and friendly"? How does goodmail make sure it isn't being spoofed?

> - Does this kill S/MIME? or

I think S/MIME is dying all on its own...

> - Should we enlist the CABForum to issue EV certs for email, and promote
>   a competing system based on S/MIME, for use in mail clients such as
>   ThunderBird and Outlook Express (or its Vista equivalent), and try
>   to keep S/MIME alive?

Might be a worthwhile thing.

> - or maybe: if you can't beat 'em, join 'em? That is, add this format
>   to Thunderbird as an alternative format for signed email?

Maybe, but you need to do the "who the hell are these guys" investigation first.

Brad

Re: PKI Book recommendation?
On Sunday 09 December 2007 01:28:09 pm Nelson Bolyard wrote:
> Brad Hards wrote, On 2007-12-07 18:09:
> > [I've] found Chapter 3 of the OpenSSL book from O'Reilly to be quite OK.
>
> There are a lot of "cookbook" books that might be entitled "how to set
> up a home brew CA using OpenSSL". I didn't want a book that was focused
> on any particular implementation.

There is a bit of theory as well, but your point is well made.

> > That book recommends "Planning for PK: Best Practices Guide for Deploying
> > Public Key Infrastructure" by Russ Housley and Tim Polk. I've never even
> > seen a copy.
>
> Amazon has the entire text of this book online. (Strangely, a search by
> title didn't find it, but an author search did.)

Probably because there is a typo in the title (Planning for PKI:, not Planning for PK). Sorry about that.

> It had more depth on cert extensions than any others I browsed, but not
> as much as I had hoped. I'm not optimistic that a QA developer can
> develop positive and negative test cases for explicit policy constraints
> after reading it. (:-) But if it cuts the teaching time even by half,
> that will have been a big help.

You know, you should have told us more about the target audience...

Maybe: http://csrc.nist.gov/groups/ST/crypto_apps_infra/pki/pkitesting.html (not the site, but the various tests and documents linked off it) will be of some use after they get through the intro stuff.

> Oh, I wasn't looking for any cynicism from "down under". :-)

No extra charge :-)

Brad

Re: PKI Book recommendation?
On Saturday 08 December 2007 11:31:50 am Nelson Bolyard wrote:
> I need a way to bring some people up to speed on the details of PKI and
> RFC 3280, ideally without me spending a lot of time teaching.
>
> I'm hoping there's a good book that offers a tutorial about PKI, and
> explains certs, CRLs, OCSP, and the (IETF) standard extensions for certs
> and CRLs. It needs to cover the use of policy extensions.
>
> Ideally it would NOT spend a lot of text on other subjects (e.g. how
> crypto algorithms work, or how SSL or S/MIME or IPSec or other security
> protocols work), but that's not a major consideration.
>
> Can you suggest a good book for that purpose?

I've found Chapter 3 of the OpenSSL book from O'Reilly to be quite OK.
http://www.oreilly.com/catalog/openssl/

Chapter 10 of the Secure Programming Cookbook (same authors, mostly) is probably about as good.
http://www.oreilly.com/catalog/secureprgckbk/

Both of those are quite openssl-centric, and it is just one chapter in each book.

That book recommends "Planning for PK: Best Practices Guide for Deploying Public Key Infrastructure" by Russ Housley and Tim Polk. I've never even seen a copy.

If (and only if) you want them to be cynical about PKI, they should read:
http://www.cs.auckland.ac.nz/~pgut001/pubs/pkitutorial.pdf
(also http://www.cs.auckland.ac.nz/%7Epgut001/pubs/notdead.pdf or http://csdl.computer.org/comp/mags/co/2002/08/r8toc.htm)

If that isn't enough:
http://www.cs.auckland.ac.nz/~pgut001/tutorial/index.html
and
http://www.cs.auckland.ac.nz/%7Epgut001/pubs/x509guide.txt

Brad

Re: Newbie question: Initializing without an on-disk database?
On Friday 17 August 2007 03:04, Wan-Teh Chang wrote:
> On 8/16/07, Brad Hards <[EMAIL PROTECTED]> wrote:
> > G'day,
> >
> > I'm just getting started with a NSS backend for the Qt Cryptographic
> > Architecture (see:
> > http://websvn.kde.org/trunk/kdesupport/qca/plugins/qca-nss/qca-nss.cpp?view=markup
> > for the code).
> >
> > I am having success with basic crypto ops (cipher, hashing, hmac), but
> > things got a bit messier when I started with RSA key generation. For the
> > basic ops, I'm using NSS_NoDB_Init(".");
> >
> > However PK11_GenerateKeyPair() doesn't appear to work with this. It does
> > work with NSS_InitReadWrite(".") though.
>
> Could you try passing PR_FALSE as the fifth argument (named 'isPerm' or
> 'token') to PK11_GenerateKeyPair()? That'll cause PK11_GenerateKeyPair()
> to generate the private and public keys as "session" objects rather than
> "token" (permanent) objects, which is what you want. Please let us know if
> that works.

That does work, just as you suggested. That is, I'm back to using NSS_NoDB_Init() and appear to successfully generate key pairs using

    m_privateKey = PK11_GenerateKeyPair( m_slot, CKM_RSA_PKCS_KEY_PAIR_GEN,
                                         &rsaParams, &m_publicKey,
                                         PR_FALSE, PR_TRUE, 0 );

I still have a long way to go (i.e. I'm sure I'll be back with more questions :-), but this certainly got me going again.

Thanks again.

Brad

Newbie question: Initializing without an on-disk database?
G'day,

I'm just getting started with a NSS backend for the Qt Cryptographic Architecture (see: http://websvn.kde.org/trunk/kdesupport/qca/plugins/qca-nss/qca-nss.cpp?view=markup for the code).

I am having success with basic crypto ops (cipher, hashing, hmac), but things got a bit messier when I started with RSA key generation. For the basic ops, I'm using NSS_NoDB_Init(".");

However PK11_GenerateKeyPair() doesn't appear to work with this. It does work with NSS_InitReadWrite(".") though.

That isn't very satisfactory though, because I don't want my keys appearing in an on-disk database (because I don't really have any way to protect them, and because the behaviour may or may not be suitable for a given application). The desired behaviour is to have everything only last for the duration of the application run.

I'm happy to maintain a per-session database, as long as it is in memory. Is there any way to do this?

If not, I'm considering trying to use temporary files, assuming I can use some of randomly generated per-session passphrase to protect them.

Brad