Re: Error when using AES_ECB_PAD

2011-09-05 Thread Brad Hards
On Tuesday 06 September 2011 00:14:31 fainardi wrote:
> hi
> i have this error when i try to use the algorithm CKM_AES_ECB_PAD
What do you expect this to do?

> => error : 'CKM_AES_ECB_PAD' undeclared ( first use in this function )
So this isn't what you're looking for.

Brad


-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto


Re: NSS_NoDB_Init undefined reference ??

2011-08-09 Thread Brad Hards
On Tuesday 09 August 2011 19:19:48 florent ainardi wrote:
> when i launch gcc i have the error
> undefined reference to 'NSS_NoDB_Init'
You really should consider Anders' response on this one - NSS isn't the place 
to be learning to use gcc.

However if you still need to resolve this, add the appropriate library entries 
(-L / -l) to your gcc invocation. You can use nss-config to determine this.

Brad


Re: bug compiling ridiculous program

2011-07-27 Thread Brad Hards
On Thursday 28 July 2011 02:12:32 florent ainardi wrote:
> > If you're installing using pre-built packages make sure you also install
> > the devel packages, those have the headers necessary for software
> > development (hence the devel suffix). For RPM based systems it would be
> > nspr-devel, nss-devel, nss-util-devel (because you need both nspr and
> > nss).
> > 
> > Understanding where to find headers, how to install packages, etc. are
> > OS specific issues better dealt on a mailing list devoted to software
> > development on your chosen OS.
> > 
> > Hope that helps and gets you started,
> > 
> > John
> hi
> i found what is the problem ^^
> let me explain
> in my program i have
> 
> #include 
> #include 
> 
> and when i look inside the nss.h or pk11pub.h all libraries are called
> using the following method #include "lib.h" but all the libs of nss are
> in the following directory
> 
> /usr/include
> /usr/include/nss
> /usr/include/nspr
> 
> but if i use "" the libs must be in the same directory as the source
> code
This isn't correct, and I'd prefer to not let it be a source of confusion for 
other developers.

As John pointed out, you need to specify the correct include paths (e.g. -I 
using gcc). 

You can get that include path from nspr-config or nss-config, and integrate it 
into whatever build system you are using.

bradh@incana:~$ nss-config --includedir
/usr/include/nss
bradh@incana:~$ nspr-config  --includedir
/usr/include/nspr

Brad
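
The include-path and library advice in the two replies above, as an added example that is not part of the original thread: a POSIX shell helper that assembles the gcc command line from nss-config and nspr-config. The NSS_CONFIG / NSPR_CONFIG override variables and the function names are assumptions of this example; nss3 and nspr4 are the usual names of the NSS and NSPR shared libraries.

```shell
#!/bin/sh
# Added example: build the gcc command line for an NSS program from
# nss-config / nspr-config instead of hard-coding directories.
# NSS_CONFIG / NSPR_CONFIG and the function names are assumptions of this example.
NSS_CONFIG=${NSS_CONFIG:-nss-config}
NSPR_CONFIG=${NSPR_CONFIG:-nspr-config}

# Emit "-I<dir> " for NSS and NSPR. Fails if a config tool cannot be run or
# the reported directory lacks its main header (devel package not installed).
nss_cflags() {
    for pair in "$NSS_CONFIG:nss.h" "$NSPR_CONFIG:nspr.h"; do
        tool=${pair%:*}
        header=${pair##*:}
        dir=$("$tool" --includedir) || { echo "cannot run $tool" >&2; return 1; }
        [ -f "$dir/$header" ] || { echo "$header not found in $dir" >&2; return 1; }
        printf '%s%s ' -I "$dir"
    done
}

# Emit the -L search paths followed by the -l entries for libnss3 and libnspr4.
nss_ldflags() {
    nss_lib=$("$NSS_CONFIG" --libdir) || return 1
    nspr_lib=$("$NSPR_CONFIG" --libdir) || return 1
    printf '%s%s %s%s -lnss3 -lnspr4' -L "$nss_lib" -L "$nspr_lib"
}

# Print the full command for source $1 and output $2. The -l entries come after
# the source file so the linker resolves symbols such as NSS_NoDB_Init.
nss_compile_cmd() {
    cflags=$(nss_cflags) || return 1
    ldflags=$(nss_ldflags) || return 1
    printf 'gcc %s -o %s %s%s\n' "$1" "$2" "$cflags" "$ldflags"
}
```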


Re: Extract Mozilla trusted certs into PEM files?

2009-08-06 Thread Brad Hards
On Thursday 06 August 2009 09:20:02 Nelson Bolyard wrote:
> Hi all,
>
> Quite a while ago, I read a message from someone saying he had devised,
> or was going to devise, a scheme to extract all of Mozilla's trusted root
> certs from NSS and make PEM files from them, and use them as trusted certs
> in some other non-NSS-based product.
>
> Does anyone remember that?
> Can you point me to the person(s) who did that?
> I'd like to ask them about it, and maybe reuse it.
Justin Karneges did it for the QCA library - see 
http://websvn.kde.org/trunk/kdesupport/qca/tools/mozcerts/

I'm not sure you really want that approach though, and perhaps don't want to 
depend on Qt4.

Brad




keygen specification? (was long thread about various HTML/javascript key generation)

2008-12-25 Thread Brad Hards
On Friday 26 December 2008 07:15:59 am Kyle Hamilton wrote:
> among other things, because  is not a standardized mechanism.
FWIW, is there a description of how  is actually supposed to work, and 
a set of test cases?

Brad


Re: YA digitally signed email protocol

2007-12-13 Thread Brad Hards
On Thursday 13 December 2007 09:53:51 pm Nelson Bolyard wrote:
> So, one wonders:
> - Does signed email become something only EV-eligible parties can send?
Is it really "EV" equivalent? Is there really enough rigour being applied to 
make sure these people are "really nice and friendly"?  How does goodmail 
make sure it isn't being spoofed?

> - Does this kill S/MIME?  or
I think S/MIME is dying all on its own...

> - Should we enlist the CABForum to issue EV certs for email, and promote
>   a competing system based on S/MIME, for use in mail clients such as
>   ThunderBird and Outlook Express (or its Vista equivalent), and try
>   to keep S/MIME alive?
Might be a worthwhile thing.

> - or maybe: if you can't beat 'em, join 'em?  That is, add this format
>   to Thunderbird as an alternative format for signed email?
Maybe, but you need to do the "who the hell are these guys" investigation 
first.

Brad




Re: PKI Book recommendation?

2007-12-08 Thread Brad Hards
On Sunday 09 December 2007 01:28:09 pm Nelson Bolyard wrote:
> Brad Hards wrote, On 2007-12-07 18:09:
> > [I've] found Chapter 3 of the OpenSSL book from O'Reilly to be quite OK.
>
> There are a lot of "cookbook" books that might be entitled "how to set
> up a home brew CA using OpenSSL".  I didn't want a book that was focused
> on any particular implementation.
There is a bit of theory as well, but your point is well made.

> > That book recommends "Planning for PK: Best Practices Guide for Deploying
> > Public Key Infrastructure" by Russ Housley and Tim Polk. I've never even
> > seen a copy.
>
> Amazon has the entire text of this book online. (Strangely, a search by
> title didn't find it, but an author search did.)
Probably because there is a typo in the title (Planning for PKI:, not Planning 
for PK). Sorry about that.

> It had more depth on cert extensions than any others I browsed, but not
> as much as I had hoped.  I'm not optimistic that a QA developer can
> develop positive and negative test cases for explicit policy constraints
> after reading it. (:-)  But if it cuts the teaching time even by half,
> that will have been a big help.
You know, you should have told us more about the target audience...
Maybe: http://csrc.nist.gov/groups/ST/crypto_apps_infra/pki/pkitesting.html 
(not the site, but the various tests and documents linked off it)
will be of some use after they get through the intro stuff.


> Oh, I wasn't looking for any cynicism from "down under". :-)
No extra charge :-)

Brad



Re: PKI Book recommendation?

2007-12-07 Thread Brad Hards
On Saturday 08 December 2007 11:31:50 am Nelson Bolyard wrote:
> I need a way to bring some people up to speed on the details of PKI and
> RFC 3280, ideally without me spending a lot of time teaching.
>
> I'm hoping there's a good book that offers a tutorial about PKI, and
> explains certs, CRLs, OCSP, and the (IETF) standard extensions for certs
> and CRLs.  It needs to cover the use of policy extensions.
>
> Ideally it would NOT spend a lot of text on other subjects (e.g. how
> crypto algorithms work, or how SSL or S/MIME or IPSec or other security
> protocols work), but that's not a major consideration.
>
> Can you suggest a good book for that purpose?
I found Chapter 3 of the OpenSSL book from O'Reilly to be quite OK.
http://www.oreilly.com/catalog/openssl/
Chapter 10 of the Secure Programming Cookbook (same authors, mostly) is 
probably about as good. http://www.oreilly.com/catalog/secureprgckbk/
Both of those are quite openssl-centric, and it is just one chapter in each 
book.

That book recommends "Planning for PK: Best Practices Guide for Deploying 
Public Key Infrastructure" by Russ Housley and Tim Polk. I've never even seen 
a copy.

If (and only if) you want them to be cynical about PKI, they should read:
http://www.cs.auckland.ac.nz/~pgut001/pubs/pkitutorial.pdf
(also http://www.cs.auckland.ac.nz/%7Epgut001/pubs/notdead.pdf or 
http://csdl.computer.org/comp/mags/co/2002/08/r8toc.htm)

If that isn't enough:
http://www.cs.auckland.ac.nz/~pgut001/tutorial/index.html
and http://www.cs.auckland.ac.nz/%7Epgut001/pubs/x509guide.txt

Brad


Re: Newbie question: Initializing without an on-disk database?

2007-08-16 Thread Brad Hards
On Friday 17 August 2007 03:04, Wan-Teh Chang wrote:
> On 8/16/07, Brad Hards <[EMAIL PROTECTED]> wrote:
> > G'day,
> >
> > I'm just getting started with an NSS backend for the Qt Cryptographic
> > Architecture (see:
> > http://websvn.kde.org/trunk/kdesupport/qca/plugins/qca-nss/qca-nss.cpp?view=markup
> > for the code).
> >
> > I am having success with basic crypto ops (cipher, hashing, hmac), but
> > things got a bit messier when I started with RSA key generation. For the
> > basic ops, I'm using   NSS_NoDB_Init(".");
> >
> > However PK11_GenerateKeyPair() doesn't appear to work with this. It does
> > work with NSS_InitReadWrite(".") though.
>
> Could you try passing PR_FALSE as the fifth argument (named 'isPerm' or
> 'token') to PK11_GenerateKeyPair()?  That'll cause PK11_GenerateKeyPair()
> to generate the private and public keys as "session" objects rather than
> "token" (permanent) objects, which is what you want.  Please let us know if
> that works.
That does work, just as you suggested.

That is, I'm back to using NSS_NoDB_Init() and appear to successfully generate 
key pairs using 
m_privateKey = PK11_GenerateKeyPair( m_slot, CKM_RSA_PKCS_KEY_PAIR_GEN, 
&rsaParams, &m_publicKey, PR_FALSE, PR_TRUE, 0 );

I still have a long way to go (i.e. I'm sure I'll be back with more 
questions :-), but this certainly got me going again.

Thanks again.

Brad




Newbie question: Initializing without an on-disk database?

2007-08-16 Thread Brad Hards
G'day,

I'm just getting started with an NSS backend for the Qt Cryptographic 
Architecture (see:
http://websvn.kde.org/trunk/kdesupport/qca/plugins/qca-nss/qca-nss.cpp?view=markup
for the code).

I am having success with basic crypto ops (cipher, hashing, hmac), but things 
got a bit messier when I started with RSA key generation. For the basic ops, 
I'm using   NSS_NoDB_Init(".");

However PK11_GenerateKeyPair() doesn't appear to work with this. It does work 
with NSS_InitReadWrite(".") though.

That isn't very satisfactory though, because I don't want my keys appearing in 
an on-disk database (because I don't really have any way to protect them, and 
because the behaviour may or may not be suitable for a given application).

The desired behaviour is to have everything only last for the duration of the 
application run. I'm happy to maintain a per-session database, as long as it 
is in memory.  Is there any way to do this?

If not, I'm considering trying to use temporary files, assuming I can use some 
sort of randomly generated per-session passphrase to protect them.

Brad

