from:"Glen Beasley"

Re: JSS and smart card decryption

2010-02-12 Thread glen beasley

Hello,

your issue is not obvious to me. I suggest you try turning on the PKCS
# 11 Module logger

see:
http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn2.html

comparing the Signing/Verifying to the unsuccessful wrap/unwrap.

Although your code (assuming various assumptions) appears to be
correct, you may want to look at the
JSS test program:

http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/JCAKeyWrap.java

you also could test your code without the smart card by creating a
self sign RSA certificate
with a RSA keypair stored on the NSS internal token and then testing
wrap/unwrap of a secret key and comparing your logs:

Example with a bash shell:

java -cp ./jss4.jar org.mozilla.jss.tests.SetupDBs . passwords
java -cp ./jss4.jar org.mozilla.jss.tests.GenerateTestCert . passwords
1001 localhost SHA-256/RSA myCA_RSA myServer_RSA myClient_RSA

export NSPR_LOG_FILE=/tmp/nspr.log
export NSPR_LOG_MODULES=nss_mod_log:4
export NSS_DEBUG_PKCS11_MODULE=NSS Internal PKCS #11 Module"

then with your test program use the "myClient_RSA" certificate
nickname
and it's associated key pair.

hope this helps,

glen



On Feb 1, 8:34 am, Jem  wrote:
> To all Gurus,
>
> I am having a problem in utilizing the JSS API with smart card
> operation (OpenSC) in encryption/decryption process.
>
> Here is the status of the crypto operation:
>
>                         Soft cert              Smart card cert
> Signing/Verifying                      SUCCESS           SUCCESS
> Encrypt/Decrypt                       SUCCESS               FAIL
>
> I received error stating java.security.InvalidKeyException: Key does
> not reside on the current token.
>
> I have test the private key and public key by inserting the signing
> code, and it is successfully being signed and verified.
>
> Any API operations that i have missed ?
>
> Thank you.
>
> The following is the code
>
> String RSAAlgo =  "RSA";
> String TDESAlgo =  "DESede";
> String provider = "Mozilla-JSS";
>
> // generate 3DES key
> KeyGenerator keyGen = KeyGenerator.getInstance(TDESAlgo);
> Key tdesKey = keyGen.generateKey();
>
> // encrypt data
> String theData = "Hello World";
> byte[] plainText = theData.getBytes();
>
> System.out.println("Encrypt");
>
> Cipher cipherData = Cipher.getInstance(TDESAlgo);
> cipherData.init(Cipher.ENCRYPT_MODE, tdesKey);
> byte[] cipherText = cipherData.doFinal(plainText);
> System.out.println("Cipher Text:" + new String (cipherText));
>
> // Get Public Key
> PublicKey pubKey = cert.getPublicKey();
>
> // wrap key
> Cipher rsa = Cipher.getInstance(RSAAlgo);
> rsa.init(Cipher.WRAP_MODE, pubKey);
> byte[] wrappedKey = rsa.wrap(tdesKey);
>
> System.out.println("Decrypt");
> // Get Private Key
> PrivateKey privKey = cm.findPrivKeyByCert(cert);
> System.out.println(wrappedKey.length);
>
> System.out.println("Unwrap Done1");
> rsa.init(Cipher.UNWRAP_MODE, privKey); <==the error
>
> System.out.println("Unwrap Done2");
> Key unwrappedDesKey = rsa.unwrap(wrappedKey, TDESAlgo,
> Cipher.SECRET_KEY);
>
> System.out.println("Unwrap Done3");
>
> cipherData.init(Cipher.DECRYPT_MODE, unwrappedDesKey);
> byte[] decryptedText = cipherData.doFinal(cipherText);
>
> System.out.println("Result: " + new String (decryptedText));
> System.out.println("Decrypt Done");
>
> Result:
> Unwrap Done1
> java.security.InvalidKeyException: Key does not reside on the current
> token

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: can't seem to init SQLite db with JSS 4.3.1

2010-02-05 Thread glen beasley

Hi David,


did you provide JSS with the string "sql" like you did with certutil -
d sql:.
or did could just set the environment variable NSS_DEFAULT_DB_TYPE=sql
and then you will not have to specify sql.

https://developer.mozilla.org/en/NSS_reference/NSS_environment_variables

-glen

On Feb 1, 6:37 am, David Stutzman 
wrote:
> I recently built NSS 3.12.5/NSPR4.8.2 and JSS 4.3.1 on a RHEL4.8 system
> (SUN JDK 1.6u18).  certutil works fine with -d sql:., but JSS tosses an
> exception when I try to initialize pointing to a (freshly created with
> certutil) SQLite DB whereas it will initialize with the legacy db format.
>
> Exception in thread "main" java.lang.SecurityException: Unable to
> initialize security library
>          at org.mozilla.jss.CryptoManager.initializeAllNative(Native Method)
>          at org.mozilla.jss.CryptoManager.initialize(CryptoManager.java:919)
>          at org.mozilla.jss.CryptoManager.initialize(CryptoManager.java:885)
>          at jsstest.Main.main(Main.java:21)
> Java Result: 1
>
> I thought an issue with SQLite support, but certutil can create and
> access those types of DBs so it appears ok from the NSS side. *shrug*
>
> Dave

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: SunPKCS11 and NSS 3.11.4

2009-11-13 Thread Glen Beasley




Hi Glen,
I finally got all the other problems solved, and ran into this problem
when trying to run your code
  


I have some doubts that you're running my exact code sample and instead 
have changed the code
sample which would mean the code is no longer mine and is yours. Doubts, 
only of course, I freely

admit to haven written some buggy code in my day.


My code sample creates an  "128 bit AES" key.

I expect that you change the sample and are trying to create say a 
DESede key?

not sure, but if yes then please review

http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html
http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html


Also, please try to provide detailed info such as version number of the 
software you're using, and which OS.
Meaning state "I am using NSPR ver, NSS ver, Java ver, on OS, with 
FIPSMODE ON/OFF".


You also might want to consider using JSS, as I believe it should be easier
than using NSS-SunPKCS11 bridge.

https://developer.mozilla.org/En/JSS
http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/JCASymKeyGen.java

hope this helps,

glen



When attempting to actually generate the key, I get this exception:
java.security.ProviderException: Could not generate key
at sun.security.pkcs11.P11KeyGenerator.engineGenerateKey
(P11KeyGenerator.java:260)
  

http://hg.openjdk.java.net/jdk7/jsn/jdk/file/66c2b0cfc896/src/share/classes/sun/security/pkcs11/P11KeyGenerator.java

at javax.crypto.KeyGenerator.generateKey(DashoA13*..)
at test.SunPKCS11NSS.main(SunPKCS11NSS.java:53)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception:
CKR_ATTRIBUTE_VALUE_INVALID
at sun.security.pkcs11.wrapper.PKCS11.C_GenerateKey(Native Method)
at sun.security.pkcs11.P11KeyGenerator.engineGenerateKey
(P11KeyGenerator.java:255)
... 2 more

  



Anyway, thanks very much for all your help so far.

Kevin Oberlies
Student Software Developer
CDM Technologies, Inc. (http://www.cdmtech.com)
  


--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: SunPKCS11 and NSS 3.11.4

2009-11-02 Thread Glen Beasley


morris.d...@gmail.com wrote:
  

I ran into issues creating the secmod database:

before moving on to Java/SunPKCS11-NSSFIPS issue you should first get 
your configuration correct
so that running the modutil command will work correctly. Copying the 
databases from a working system to
a system that is unable to correctly run "modutil -fips true -dbdir ." 
makes no sense.


In an attempt to recreate your problem, I wrote a test program and some 
rough notes that
should hopefully help. The program/notes are rough as I don't have much 
time to spend on this issue.


I had a clean window 7 box so I:

downloaded NSPR 4.6.4 
https://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v4.6.4/msvc6.0/WINNT5.0_OPT.OBJ/

downloaded NSS 3.11.4
https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_11_4_RTM/msvc6.0/WINNT5.0_OPT.OBJ/
installed java version "1.6.0_16":

2) set the PATH for NSS/NSPR libraries/chk files/binaries and Java bin 
directory


3) created the NSS db's and configured for FIPS mode:

certutil -N -d . 
modutil -fips true -dbdir .


4) created the following nss.cfg file:

name = NSSFIPS
nssLibraryDirectory = ./lib
nssSecmodDirectory = .
nssDbMode = readWrite
nssModule = fips

5) created the attached test program sunpkcs11nss.java

6) javac javac sunpkcs11nss.java
7) java sunpkcs11nss nss.cfg 
Initializing sunpkcs11-NSS nss.cfg
Initialized sunpkcs11-NSS
Provider 0: SunPKCS11-NSSFIPS
Provider 1: SUN
Provider 2: SunRsaSign
Provider 3: SunJSSE
Provider 4: SunJCE
Provider 5: SunJGSS
Provider 6: SunSASL
Provider 7: XMLDSig
Provider 8: SunPCSC
Provider 9: SunMSCAPI
Key generation done by SunPKCS11-NSSFIPS version 1.6
encrypt op done by SunPKCS11-NSSFIPS version 1.6
decrypt op done by SunPKCS11-NSSFIPS version 1.6
recovered bytes equal the original plaintext

Hopefully the above will help you solve your issue, or at least aid in 
creating a bug with a provided testcase.


-glen






import java.security.AlgorithmParameters;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import java.security.KeyStore;

//glen.beas...@sun.com
//This is a sample test program
//the nss.cfg file
//name = NSSFIPS
//nssLibraryDirectory = ./lib
//nssSecmodDirectory = .
//nssDbMode = readWrite
//nssModule = fips
//
//http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html

public class sunpkcs11nss {


public static void main(String args[]) {
try {
// pass in nss.cfg file and "password" for the NSS databases
String nssConfig = args[0];
System.out.println("Initializing sunpkcs11-NSS " + nssConfig);
Provider pkcs11NSS = new sun.security.pkcs11.SunPKCS11(nssConfig);
Security.insertProviderAt(pkcs11NSS, 1);
System.out.println("Initialized sunpkcs11-NSS");

Provider[] providers = Security.getProviders();
for (int i = 0; i < providers.length; i++) {
System.out.println("Provider " + i + ": " +
providers[i].getName());
}

// Login
   KeyStore ks = KeyStore.getInstance("PKCS11", pkcs11NSS);
   // this is test code, please mask the password
   ks.load(null, args[1].toCharArray());

javax.crypto.SecretKey skey = null;
javax.crypto.KeyGenerator kg = null;

kg = KeyGenerator.getInstance("AES",
pkcs11NSS);
kg.init(128);
skey = kg.generateKey();

System.out.println("Key generation done by " +
kg.getProvider().toString());

String algFamily = "AES";
String algType = "AES/CBC/PKCS5Padding";

byte[] plaintext = "testing NSS in FIPS MODE".getBytes();
Cipher cipher = Cipher.getInstance(algType, pkcs11NSS);
AlgorithmParameters ap = null;
byte[] encodedAlgParams = null;

cipher.init(Cipher.ENCRYPT_MODE, skey);
//generate the algorithm Parameters; they need to be
//the same for encrypt/decrypt if they are needed.
ap = cipher.getParameters();
if (ap != null) {
//get parameters to store away as example.
encodedAlgParams = ap.getEncoded();
}
byte[] ciphertext =
new byte[cipher.getOutputSize(plaintext.length)];
int cLen = cipher.update(plaintext, 0, plaintext.length,
ciphertext, 0);
cLen += cipher.doFinal(ciphertext, cLen);

System.out.println("encrypt op done by " +
cipher.getProvider().toString());

//decrypt
cipher = Cipher.getInstance(algType, pkcs11NSS);
if (encodedAlgParams == null) {
cipher.init(Cipher.DECRYPT_MODE, skey);
} else {
//retrieve the algorithmParameters from the encoded a

Re: SunPKCS11 and NSS 3.11.4

2009-10-30 Thread Glen Beasley




I ran into issues creating the secmod database:

* Steps taken on the first Windows XP Professional Version 2002 SP2
box
1) "certutil -N -d ." ran fine, created the three database files with
a strong password
2) "modutil -fips true -dbdir ." failed, with error:
"An I/O error occurred during security authorization.
ERROR: Unable to switch FIPS modes."

* Executed the same commands and same configuration on a Windows Vista
box with success (output: "FIPS mode enabled.", and modutil -list
shows the appropriate FIPS module).
* Executed the same commands and same configuration on a second
Windows XP Professional Version 2002 SP2 box with success.

That was odd, but nevertheless, I now have a secmod database that I
can work with.

Next, I copied the database files/directory into my Eclipse Java
project and modified the NSS configuration file appropriately:

name = NSScrypto
attributes = compatibility
nssLibraryDirectory = ./lib
nssSecmodDirectory = ./nss_db
nssDbMode = readWrite
nssModule = fips

This project is hosted on shared storage between both the Windows XP
boxes.  Running the test application (see previous message) on the
original machine still produces the original exception:

java.security.ProviderException: Could not initialize NSS
at sun.security.pkcs11.SunPKCS11.(SunPKCS11.java:183)
at sun.security.pkcs11.SunPKCS11.(SunPKCS11.java:90)
at test.TripleDESTest.main(TripleDESTest.java:112)
Caused by: java.io.IOException: The specified version of NSS is
incompatible, 3.7 or later required
at sun.security.pkcs11.Secmod.initialize(Secmod.java:190)
at sun.security.pkcs11.SunPKCS11.(SunPKCS11.java:179)
... 2 more

Running the test application (the exact same Eclipse Java project, the
same libraries, the same configuration) with the same JVM, jdk/jre
1.6.0_13, on the second Windows XP machine (where "modutil -fips true"
succeeded) was successful (e.g., the crypto provider object was
returned).



On the Windows XP system that does not work, can you confirm/deny that you
have the .chk files installed in your path with their matching libraries.

see security rule 34 
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp814.pdf


. softokn3.dll
. softokn3.chk
. freebl3.dll
. freebl3.chk

Since you have one system that works and one that does not, missing .chk 
files is

the most logical configuration difference.

Any further insight into this issue would be appreciated!

Best regards,

Drew Morris
Technical Lead, Software Developer
CDM Technologies, Inc. (http://www.cdmtech.com)



My Google searches happened to bring this highly-related gem to the
surface today (odd that they didn't yesterday):

http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6521498
  
Looks like it is a real issue.
  

will missing .chk files are a real issue. The other issue
 is nobody is actively working on bug_id=6521498.
I will see if I can contact the jce team about updating this bug.

-glen


Any ideas?

Thanks!

Drew Morris
Technical Lead, Software Developer
CDM Technologies, Inc. (http://www.cdmtech.com)

  




smime.p7s
Description: S/MIME Cryptographic Signature
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: SunPKCS11 and NSS 3.11.4

2009-10-29 Thread Glen Beasley


morris.d...@gmail.com wrote:

Initializing SunPKCS11 for utilization of NSS 3.11.4 capabilities
yields the following exception:

java.security.ProviderException: Could not initialize NSS
at sun.security.pkcs11.SunPKCS11.(SunPKCS11.java:183)
at sun.security.pkcs11.SunPKCS11.(SunPKCS11.java:90)
at test.TripleDESTest.main(TripleDESTest.java:112)
Caused by: java.io.IOException: The specified version of NSS is
incompatible, 3.7 or later required
at sun.security.pkcs11.Secmod.initialize(Secmod.java:190)
at sun.security.pkcs11.SunPKCS11.(SunPKCS11.java:179)
... 2 more

The version I am using is greater than 3.7, despite what the exception
says. I am looking to use the FIPS 140-2 certified symmetric key
algorithms in this library.

I am using the following configuration:

name = NSScrypto
attributes = compatibility
nssLibraryDirectory = ./lib
nssDbMode = noDb
nssModule = fips
  
the NSS dbs must exist if your goal is to be FIPS compliant and your 
setting "nssModule = fips".
The "nssDbMode = noDb" mode allows NSS to be used without database files 
purely as a cryptographic provider.


make the following changes:

name = NSScrypto
attributes = compatibility
nssLibraryDirectory =   <- full path to NSS and NSPR libraries
nssSecmodDirectory =  < full path to location of the NSS databases   
nssDbMode = readWrite

nssModule = fips

To create a set of databases in the current directory:
certutil -N -d .
review the NSS 3.11.4 security policy 
 "Strength 
of Authentication Mechanism" for password requirements.
To enable FIPS mode:
modutil -fips true -dbdir .




I am adding the cryptography provided dynamically with the following
code:

String configName = "nss.cfg";
Provider cryptoProvider = new sun.security.pkcs11.SunPKCS11
(configName);  // exception occurs on this line
Security.addProvider(cryptoProvider);

Has anyone else run into this issue or have any insight into the
problem?

If this doesn't work out I will look into direct utilization of JSS.

  
Java 1.5 claimed no FIPS compliance, and Java 1.6 or higher needs to be 
used for the SunPKCS11-NSS bridge. JSS can use Java 1.4 of higher to be 
FIPS compliant.


http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp814.pdf
http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html
http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/FIPS.html 
http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/all.pl see createpkcs11_cfg



-glen

Thanks!
  




smime.p7s
Description: S/MIME Cryptographic Signature
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Help about NSS and Windows

2009-09-03 Thread Glen Beasley

On 9/3/09 4:24 PM, Glen Beasley wrote:

On 9/3/09 11:23 AM, Nelson B Bolyard wrote:

On 2009-09-03 02:23 PDT, Amine wrote:

Well, I'll try to be very precise this time.

I am writing a little Java program that uses an NSS Internal PKCS#11
Module for signing. Am using Win XP, service pack 3 and, for now, no
Visual C++ is installed.

So am using the JSS 4.2 that uses NSPR 4.6.4 and NSS 3.11.4.

JSS 4.2 was released in December 2005. please do not use it.

We have stopped providing binaries on mozilla because you should be
able to build

NSPR/NSS/JSS for your platform. There are free versions of Visual C++.

please work on getting your system to build NSPR/NSS/JSS 4.3.
https://developer.mozilla.org/En/JSS/4_3_ReleaseNotes
https://developer.mozilla.org/jss_build_4.3.html
ftp://ftp.mozilla.org/pub/mozilla.org/security/jss/releases/JSS_4_3_RTM/

If you really cannot get your build working then at least use JSS 4.2.5
http://www.mozilla.org/projects/security/pki/jss/jss_release_4.2.5.html

Binaries for JSS:
ftp://ftp.mozilla.org/pub/mozilla.org/security/jss/releases/JSS_4_2_5_RTM/WINNT5.0_OPT.OBJ/lib/jss4.dll
ftp://ftp.mozilla.org/pub/mozilla.org/security/jss/releases/JSS_4_2_5_RTM/jss4.jar
understand that the built JSS 4.2.5 for windows is built for
the OS_TARGET= WINNT. these binaries should not be mixed with firefox
binaries of NSPR/NSS which are built WIN95. see the JSS build
instructions for more detail

https://developer.mozilla.org/jss_build_4.3.html

Binaries for NSS 3.11.4:
ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_11_4_RTM/msvc6.0/WINNT5.0_OPT.OBJ/nss-3.11.4.zip

unfortunately there are no binaries for NSPR 4.6.4 so you need to
build them, once you build NSPR you should

have no problem building NSS/JSS.
http://www.mozilla.org/projects/nspr/release-notes/nspr464.html

sorry there are binaries for NSPR 4.6.4
ftp://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v4.6.4/msvc6.0/WINNT5.0_OPT.OBJ/nspr-4.6.4.zip

I believe if you download all JSS 4.2.5, NSS 3.11.4, and NSPR 4.6.4
optimize bits then set your

path correctly your problem should be solved
-glen
]

-glen

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Help about NSS and Windows

2009-09-03 Thread Glen Beasley

On 9/3/09 11:23 AM, Nelson B Bolyard wrote:

On 2009-09-03 02:23 PDT, Amine wrote:

Well, I'll try to be very precise this time.

I am writing a little Java program that uses an NSS Internal PKCS#11
Module for signing. Am using Win XP, service pack 3 and, for now, no
Visual C++ is installed.

So am using the JSS 4.2 that uses NSPR 4.6.4 and NSS 3.11.4.

JSS 4.2 was released in December 2005. please do not use it.

We have stopped providing binaries on mozilla because you should be able
to build

NSPR/NSS/JSS for your platform. There are free version of Visual C++.

If you really cannot get your build working then at least use JSS 4.2.5
http://www.mozilla.org/projects/security/pki/jss/jss_release_4.2.5.html

https://developer.mozilla.org/jss_build_4.3.html

Binaries for NSS 3.11.4:
ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_11_4_RTM/msvc6.0/WINNT5.0_OPT.OBJ/nss-3.11.4.zip

unfortunately there are no binaries for NSPR 4.6.4 so you need to build
them, once you build NSPR you should

have no problem building NSS/JSS.
http://www.mozilla.org/projects/nspr/release-notes/nspr464.html

-glen
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Help about NSS and Windows

2009-09-02 Thread Glen Beasley


hi,

What is the debug assertion message? While you may not get the assertion in
optimize build, it may be an issue that needs to be addressed.
Also, please specify what versions you're using.
Meaning I am trying to build JSS 4.3, NSS 3.12.4, NSPR 4.8 using Visual 
C++ 6.0

and Java 6.

To build optimize:

You need to build JSS optimize, and therefor first build NSPR/NSS 
optimize first.
understand JSS requires NSPR/NSS libraries as well as  the C runtime 
library since

you're listing msvcrt[d].dll I assume you are Visual C++ 5 or 6.

set BUILD_OPT=1
set OS_TARGET= WIN95

https://developer.mozilla.org/jss_build_4.3.html

use the optimize signed jss4.jar

ftp://ftp.mozilla.org/pub/mozilla.org/security/jss/releases/JSS_4_3_RTM/

If you're running an applet in firefox don't replace the provided 
firefox version of

NSPR/NSS just install your built jss4.dll/jss4.jar.

-glen



On 9/2/09 7:07 AM, Amine wrote:

Hi everyone,
I've got a question about building NSS on windows. I hope you're among
the right persons to ask, if not so, please can you forward my mail to
an apropriate person.

I think that there's a real problem because when trying to run
programs
that use NSS on windows, a Debug Assertion Failed message apears.

I looked for such messages on many sites and found that this is due
when
deploying a debug build of dll's. I've inspected the jss shared
library
jss4.dll through "dependency walker" and found that it depends on many
libraries such :
- libnspr4.dll,
- libplc4.dll,
- libplds4.dll,
and libnspr4.dll depends on msvcrtd.dll, and this is the debug build
of
msvcrt.dll.

   

msvcrt[d].dll is a c run time library...

To be clear, all these dll's:
- libnspr4.dll,
- libplc4.dll,
- libplds4.dll
   

JSS requires NSPR, you should also see the NSS libraries.

- msvcrtd.dll,

do not exist in a "normal" machine (msvcrt.dll exists actually in
Windows\System32). Let's be more precise by saying that the listed
dll's
(lib***.dll) exist in Programe File\Mozilla Firefox but without the
prefix lib.

So I had to download them (lib***.dll) one by one including
msvcrtd.dll.
And you understand me that this is very binding when we have to deploy
the application.

I've also tried to rebuild the jss4.dll with BUILD_OPT=1 and i've got
the same library exposed on the Mozilla links . How can I override
this
problem ? I think that Mozilla is giving the debug build of the jss
shared library instead of the release build.

Thank you in advance for your help.

Amine

   


-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

[ANNOUNCE] NSS 3.12.4 Release

2009-08-28 Thread Glen Beasley


The NSS 3.12.4 release is now available.

Please read the NSS 3.12.4 release notes at:

https://developer.mozilla.org/NSS_3.12.4_release_notes

The CVS tag NSS_3_12_4_RTM.  NSS 3.12.4 requires NSPR 4.8.

You can check out the source from CVS by

 cvs co -r NSPR_4_8_RTM NSPR
 cvs co -r NSS_3_12_4_RTM NSS

NSS 3.12.4 source is also available on ftp.mozilla.org for secure HTTPS 
download:

   * Source tarball: 
https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_4_RTM/src/.

Major changes in NSS 3.12.4

   * NSS 3.12.4 is the version that we submitted to NIST for FIPS 140-2 
validation.
 Currently NSS 3.12.4 is in the "Review Pending" state in the FIPS 140-2 
pre-validation
 list at 
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf

   * The old documentation of the expression matching syntax rules was
 incorrect, and the new corrected documentation is as follows for
 public nssutil functions (see portreq.h):

   PORT_RegExpValid
   PORT_RegExpSearch
   PORT_RegExpCaseSearch

 These functions will match a string with a shell expression. The 
expressions
 accepted are based loosely on the expressions accepted by zsh.
 Expected return values:

   NON_SXP if exp is a standard string
   INVALID_SXP if exp is a shell expression, but invalid
   IVALID_SXP if exp is a valid shell expression
 Expression matching rules:
   + * matches anything
   + ? matches one character
   + \ will escape a special character
   + $ matches the end of the string
   + Bracketed expressions:
 [abc] matches one occurence of a, b, or c.
 [^abc] matches any character except a, b, or c.
 To be matched between [ and ], these characters must be 
escaped: \ ]
 No other characters need be escaped between brackets.
 Unnecessary escaping is permitted.
   + [a-z] matches any character between a and z, inclusive.
 The two range-definition characters must be alphanumeric ASCII.
 If one is upper case and the other is lower case, then the 
ASCII
 non-alphanumeric characters between Z and a will also be in 
range.
   + [^a-z] matches any character except those between a and z, 
inclusive.
 These forms cannot be combined, e.g [a-gp-z] does not work.
   + Exclusions:
 As a top level, outter-most expression only, the expression
 foo~bar will match the expression foo, provided it does not 
also
 match the expression bar. Either expression or both may be a 
union.
 Except between brackets, any unescaped ~ is an exclusion.
 At most one exclusion is permitted.
 Exclusions cannot be nested (contain other exclusions).
 example: *~abc will match any string except abc
   + Unions:
 (foo|bar) will match either the expression foo, or the 
expression bar.
 At least one '|' separator is required. More are permitted.
 Expressions inside unions may not include unions or exclusions.
 Inside a union, to be matched and not treated as a special 
character,
 these characters must be escaped: \ ( | ) [ ~ except when they 
occur
 inside a bracketed expression, where only \ and ] require 
escaping.

   * New functions in the nss shared library:
   PK11_IsInternalKeySlot (see pk11pub.h)
   SECMOD_OpenNewSlot (see pk11pub.h)

   * New error codes (see secerr.h):
   SEC_ERROR_BAD_INFO_ACCESS_METHOD
   SEC_ERROR_CRL_IMPORT_FAILED

   * New OIDs (see secoidt.h)
   SEC_OID_X509_ANY_POLICY

   * The nssckbi PKCS #11 module's version changed to 1.75.

   * Support for win16 has been removed.

   * Support for OpenVMS has been removed.

-Glen Beasley





smime.p7s
Description: S/MIME Cryptographic Signature
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: NSS 3.12.4 rtm binary

2009-08-28 Thread Glen Beasley


yanlin wrote:

Hi,

I am trying to locate the nss 3.12.4 or 3.12.3 RTM binary for all
platforms. Nss 3.11.4 rtm has all binaries in the ftp site but for
3.12.x there is only src dir and all binaries are missing.  I'd like
to know where to find these binaries or is there any commercial
support from nss team  ?

  
Binaries are no longer provided as users can pull the source from the 
CVS repository
rooted at cvs.mozilla.org:/cvsroot, or download the source tarball of 
NSPR/NSS to build a

version of NSPR/NSS for their platforms.

Release notes and build instructions for NSS 3.12.4 RTM will be posted 
soon to


http://www.mozilla.org/projects/security/pki/nss/

-glen


Thx,
Yanlin
  




smime.p7s
Description: S/MIME Cryptographic Signature
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: JSS 4.3 download?

2009-08-17 Thread Glen Beasley


Tony wrote:

On Aug 5, 10:58 pm, Nelson B Bolyard  wrote:
  

On 2009-08-05 18:20 PDT, Tony wrote:> JSS 4.3 download links appear broken. 
Tried HTTP and FTP. Any thoughts?

What JSS 4.3 download links?  Where?



https://developer.mozilla.org/En/JSS/4_3_ReleaseNotes
  


the jss 4.3 download is now fixed. Understand that we are only providing 
the jss4.jar and you need to build

jss4 JNI library for your platform.

https://developer.mozilla.org/jss_build_4.3.html

Full JSS binary releases are no longer available on ftp.mozilla.org. JSS 
is a JNI library we provide the jss4.jar but expect you to build
JSS's matching JNI library. We provide the jss4.jar in case you do not 
want to obtain your own JCE code signing certificate.
JSS is a JCE provider and therefore the jss4.jar must be signed. 
ftp://ftp.mozilla.org/pub/mozilla.org/security/jss/releases/JSS_4_3_RTM.


Note: I still have to update the online jss 4.3 javadoc and I will this 
week. Today you can download the zipped version of the the jss 4.3

java doc.


-glen
https://developer.mozilla.org/En/JSS


smime.p7s
Description: S/MIME Cryptographic Signature
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: java.lang.SecurityException: Unable to initialize security library

2009-08-17 Thread Glen Beasley


NB wrote:

Hi All,

I tried to execute following commands on Solaris 10 Sparc

  
export LD_LIBRARY_PATH=


java -cp ./jss4.jar org.mozilla.jss.tests.SetupDBs . passwords

java -cp ./jss4.jar  java org.mozilla.jss.tests.SSLClientAuth .
passwords
<<

and have following exception >>>

Failed to initialize the security subsystem!
java.lang.SecurityException: Unable to initialize security library
   at org.mozilla.jss.CryptoManager.initializeAllNative(Native
Method)
   at org.mozilla.jss.CryptoManager.initialize(CryptoManager.java:
919)

Thanks in advance

Rgds,
Naveen
  
your path needs to include JSS JNI library jss4.so, and also have NSS 
and NSPR shared libraries in your path.


Just requires NSS and NSPR.

Since you're on Solaris 10. JSS/NSS/NSPR libraries are installed by 
default in /usr/lib/mps


so

export LD_LIBRARY_PATH=/usr/lib/mps:$LD_LIBRARY_PATH

and the jar is installed by default in /usr/shared/lib/mps/jss4.jar


java -cp /usr/shared/lib/mps/jss4.jar org.mozilla.jss.tests.SetupDBs . passwords

you of course can use your own paths of your built NSPR/NSS/JSS binaries.


-glen


smime.p7s
Description: S/MIME Cryptographic Signature
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: client certificate JSS keystore

2009-07-14 Thread Glen Beasley

"On 7/13/09 11:40 PM, Dmitriy Varnavskiy wrote:

Still cant make it working. Are there any suggestions?

2009/7/4 Nelson B Bolyard 

On 2009-07-03 10:52 PDT, Dmitriy Varnavskiy wrote:
> I have run several tests of JSS on Linux - they all worked fine
so seems
> JSS is correctly installed. But when I am launching my app java
for some
> reason is not using certificates in firefox keystore.

It is most likely that you are not providing the correct location to 
firefox cert and key database.

Firefox builds/installs WIN95 version of NSPR/NSS, and if you're
running an applet within firefox then that applet needs JSS's JNI 
dependent library built WIN95.

Firefox builds NSPR/NSS with the OS_TARGET=WIN95, follow the
JSS build instructions and build JSS with the WIN95 OS_TARGET.
Note: JSS WIN95 binary is not provided on ftp.mozilla.org you need to 
build it yourself.

You can use the signed jss4.jar from ftp.mozilla.org provide you make no
changes to jss and you're just building the jss4.dll for the WIN95 target.

The JSS build instructions:

http://www.mozilla.org/projects/security/pki/jss/jss_build_4.2.5.html

The install instructions:

http://java.sun.com/j2se/1.5.0/docs/guide/deployment/deployment-guide/keystores.html 

Firefox already has nspr/nss installed you need to use these version and 
not install your
own especially not the WINNT versions, just install the matching win95 
version of JSS.

If you cannot get this to work please create a JSS bug and attach
your sample applet with the steps you have taken

so far.

https://bugzilla.mozilla.org/

-glen

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

referral links to developer.mozilla.org

2009-06-15 Thread Glen Beasley


hi,

When you do a Google search for NSS, JSS, or NSPR  the first pages you 
find are the original www.mozilla.org pages:


http://www.mozilla.org/projects/security/pki/nss/
http://www.mozilla.org/projects/security/pki/jss/
http://www.mozilla.org/projects/nspr/

we are starting to have more recent info put on developer.mozilla.org

I put this update on the original JSS page:

For current JSS info goto the new JSS home page: JSS There is still a 
lot of information related to JSS on this site, but in time it should 
all be ported to http://developer.mozilla.org/En/JSS.


I can do the same for the NSS and NSPR?

NSS:

For current NSS info goto the new NSS home page: NSS There is still a 
lot of information related to NSS on this site, but in time it should 
all be ported to http://developer.mozilla.org/En/NSS.



NSPR:

For current NSPR info goto the new NSPR home page: NSPR There is still a 
lot of information related to NSPR on this site, but in time it should 
all be ported to http://developer.mozilla.org/En/NSPR.



Should I?


-glen




smime.p7s
Description: S/MIME Cryptographic Signature
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: JCA (Mozilla-JSS) Problem in SecretKeySpec for AES

2009-06-04 Thread Glen Beasley


agentma...@hotmail.com wrote:

Hi,

I am trying to run the following example code for Mozilla-JSS provider
but it always gives:"java.security.InvalidKeyException: Key is not the
right type for this algorithm" for init function. The same code runs
perfectly fine with Sun default provider.
  

I took your code snippet and do not see any obvious error.
I did a quick test with 1.6.0_07 and the current build of JSS 4.3.

what happens when you do the following:

java -cp ./jss4.jar org.mozilla.jss.tests.SetupDBs . passwords
java -cp ./jss4.jar org.mozilla.jss.tests.JCASymKeyGen . passwords

does the above run fine? If no, please create a bug, state what 
platform, version of java, and version of JSS.


you can look at the source of JCASymKeyGen.java:

http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/JCASymKeyGen.java

also in the future it is best to attach a full test program that 
demonstrates the error.

attached is my test program.

-glen


Please let me know if there is anything that needs to be done to make
the code work.

thanks
-P

-

CryptoManager manager = CryptoManager.getInstance();
CryptoToken internalToken = 
manager.getInternalCryptoToken();

javax.crypto.KeyGenerator kg1 =
javax.crypto.KeyGenerator.getInstance( "AES","Mozilla-JSS" );
kg1.init(128);
SecretKey secretkey1 = kg1.generateKey();
byte[] preSharedKey = secretkey1.getEncoded();
System.out.println("Encoded Key is:" + 
StringUtil.bytesToHexString
(preSharedKey));

key = new SecretKeySpec(preSharedKey,"AES");
  

jss expects key to be declared as
SecretKeySpec key;

Cipher enc = Cipher.getInstance(
key.getAlgorithm() + 
"/CBC/PKCS5Padding","Mozilla-JSS");
if(encrypt)
System.out.println("Encrypting with: " + 
key.getAlgorithm());
else
System.out.println("Decrypting with: " + 
key.getAlgorithm());
System.out.println("Key size: " + 
key.getEncoded().length);
System.out.println("Data size: " + data.length);
SADebugLogger.info("Encrypting with: " + 
key.getAlgorithm());
  
			SADebugLogger.info("Key size: " + key.getEncoded().length);

enc.init(encrypt ? Cipher.ENCRYPT_MODE : 
Cipher.DECRYPT_MODE,
key, new IvParameterSpec(iv));

return enc.doFinal(data);
---
  



import java.security.AlgorithmParameters;
import java.security.GeneralSecurityException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.mozilla.jss.CertDatabaseException;
import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.CryptoManager.NotInitializedException;
import org.mozilla.jss.KeyDatabaseException;
import org.mozilla.jss.crypto.AlreadyInitializedException;
import org.mozilla.jss.crypto.CryptoToken;

/**
 *
 * @author gb
 */
public class testAES {

public static void main(String args[]) throws NoSuchAlgorithmException, 
Exception {

boolean encrypt = true;

byte[] data = "this is a quick an dirty test program".getBytes();
SecretKeySpec key;

try {
CryptoManager.initialize(".");
CryptoManager manager = CryptoManager.getInstance();
CryptoToken internalToken = manager.getInternalCryptoToken();
javax.crypto.KeyGenerator kg1 = 
javax.crypto.KeyGenerator.getInstance("AES", "Mozilla-JSS");
kg1.init(128);
SecretKey secretkey1 = kg1.generateKey();
byte[] preSharedKey = secretkey1.getEncoded();

key = new SecretKeySpec(preSharedKey, "AES");
Cipher enc = Cipher.getInstance(key.getAlgorithm() + 
"/CBC/PKCS5Padding", "Mozilla-JSS");

System.out.println("Encrypting with: " + enc.getAlgorithm());



System.out.println("Key size: " + key.getEncoded().length);
byte[] iv = new byte[key.getEncoded().length];
SecureRandom random = SecureRandom.getInstance("pkcs11prng",
"Mozilla-JSS");
random.nextBytes(iv);
enc.init(encrypt ? Cipher.ENCRYPT_MODE : Cipher.DECRYPT_MODE, key, 
new IvParameterSpec(iv));
byte[] cipherText = enc.doFinal(data);

AlgorithmParameters

Re: JCA (Mozilla-JSS) Problem in SecretKeySpec for AES

2009-06-04 Thread Glen Beasley


agentma...@hotmail.com wrote:

Hi,

I am trying to run the following example code for Mozilla-JSS provider
but it always gives:"java.security.InvalidKeyException: Key is not the
right type for this algorithm" for init function. The same code runs
perfectly fine with Sun default provider.
  

I took your code snippet and do not see any obvious error.
I did a quick test with 1.6.0_07 and the current build of JSS 4.3.

what happens when you do the following:

java -cp ./jss4.jar org.mozilla.jss.tests.SetupDBs . passwords
java -cp ./jss4.jar org.mozilla.jss.tests.JCASymKeyGen . passwords

does the above run fine? If no, please create a bug, state what 
platform, version of java, and version of JSS.


you can look at the source of JCASymKeyGen.java:

http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/JCASymKeyGen.java

also in the future it is best to attach a full test program that 
demonstrates the error.

attached is my test program.

-glen


Please let me know if there is anything that needs to be done to make
the code work.

thanks
-P

-

CryptoManager manager = CryptoManager.getInstance();
CryptoToken internalToken = 
manager.getInternalCryptoToken();

javax.crypto.KeyGenerator kg1 =
javax.crypto.KeyGenerator.getInstance( "AES","Mozilla-JSS" );
kg1.init(128);
SecretKey secretkey1 = kg1.generateKey();
byte[] preSharedKey = secretkey1.getEncoded();
System.out.println("Encoded Key is:" + 
StringUtil.bytesToHexString
(preSharedKey));

key = new SecretKeySpec(preSharedKey,"AES");
  

jss expects key to be declared as
SecretKeySpec key;

Cipher enc = Cipher.getInstance(
key.getAlgorithm() + 
"/CBC/PKCS5Padding","Mozilla-JSS");
if(encrypt)
System.out.println("Encrypting with: " + 
key.getAlgorithm());
else
System.out.println("Decrypting with: " + 
key.getAlgorithm());
System.out.println("Key size: " + 
key.getEncoded().length);
System.out.println("Data size: " + data.length);
SADebugLogger.info("Encrypting with: " + 
key.getAlgorithm());
  
			SADebugLogger.info("Key size: " + key.getEncoded().length);

enc.init(encrypt ? Cipher.ENCRYPT_MODE : 
Cipher.DECRYPT_MODE,
key, new IvParameterSpec(iv));

return enc.doFinal(data);
---
  



import java.security.AlgorithmParameters;
import java.security.GeneralSecurityException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.mozilla.jss.CertDatabaseException;
import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.CryptoManager.NotInitializedException;
import org.mozilla.jss.KeyDatabaseException;
import org.mozilla.jss.crypto.AlreadyInitializedException;
import org.mozilla.jss.crypto.CryptoToken;

/**
 *
 * @author gb
 */
public class testAES {

public static void main(String args[]) throws NoSuchAlgorithmException, 
Exception {

boolean encrypt = true;

byte[] data = "this is a quick an dirty test program".getBytes();
SecretKeySpec key;

try {
CryptoManager.initialize(".");
CryptoManager manager = CryptoManager.getInstance();
CryptoToken internalToken = manager.getInternalCryptoToken();
javax.crypto.KeyGenerator kg1 = 
javax.crypto.KeyGenerator.getInstance("AES", "Mozilla-JSS");
kg1.init(128);
SecretKey secretkey1 = kg1.generateKey();
byte[] preSharedKey = secretkey1.getEncoded();

key = new SecretKeySpec(preSharedKey, "AES");
Cipher enc = Cipher.getInstance(key.getAlgorithm() + 
"/CBC/PKCS5Padding", "Mozilla-JSS");

System.out.println("Encrypting with: " + enc.getAlgorithm());



System.out.println("Key size: " + key.getEncoded().length);
byte[] iv = new byte[key.getEncoded().length];
SecureRandom random = SecureRandom.getInstance("pkcs11prng",
"Mozilla-JSS");
random.nextBytes(iv);
enc.init(encrypt ? Cipher.ENCRYPT_MODE : Cipher.DECRYPT_MODE, key, 
new IvParameterSpec(iv));
byte[] cipherText = enc.doFinal(data);

AlgorithmParameters

Re: Problem running JSS_SSLServer

2009-06-04 Thread Glen Beasley


agentma...@hotmail.com wrote:

Hi,

I created the db and added a certificate using these commands:
./certutil -N -n servercert -x -t "TCu,TCu,TCu" -s "CN=TestCA,
OU=Test, O=Test, L=Some City, ST=CA, C=US" -m 2 -d /tmp -f passfile

./certutil -S -n servercert -x -t "TCu,TCu,TCu" -s "CN=TestCA,
OU=Test, O=Test, L=Some City, ST=CA, C=US" -m 2 -d /tmp -f passfile

Then I am calling the JSS_SSLServer with this command:
java -Djava.library.path=. -classpath .:./jss4.jar
org.mozilla.jss.tests.JSS_SSLServer /tmp ./passfile localhost
servercert true 9191
  

the format for the password file for certutil and JSS are different.

JSS expects you to have the following format:

=

as in:

Internal\ Key\ Storage\ Token=
NSS\ FIPS\ 140-2\ User\ Private\ Key=

http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/passwords

-glen


However it fails with this exception:

unable to log into the token
org.mozilla.jss.util.IncorrectPasswordException
at org.mozilla.jss.pkcs11.PK11Token.nativeLogin(Native Method)
at org.mozilla.jss.pkcs11.PK11Token.login(PK11Token.java:178)
at org.mozilla.jss.tests.JSS_SSLServer.doIt(JSS_SSLServer.java:111)
at org.mozilla.jss.tests.JSS_SSLServer.main(JSS_SSLServer.java:71)


What could be the problem?
I have looked up the internet but could not find any references.

Please help.
thanks

  


--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

FIPS code completion for 3.12.4 date?

2009-06-02 Thread Glen Beasley


hello,

We need to set a date for 3.12.4 RTM, so the lab can officially run the 
algorithm tests and submit their results. I would like to provide the 
lab an update after the Thursday Mozilla-dev meeting  on  when we expect 
the official date to be.


Please review your bugs that would require changes to the FIPS 
cryptographic boundary freebl and softoken directories.


There are currently five bugs with the whiteboard "FIPS [Awaiting 
Softoken's Thaw] 
" 
that have base reviewed

and I believe should be checked in.

If you know of a bug that is pending review or is required for 3.12.4 
RTM please put in the

whiteboard: FIPS SUN_MUST_HAVE or just FIPS MUST_HAVE

https://bugzilla.mozilla.org/show_bug.cgi?id=494107

- need to create a bug or provide patch to 
https://bugzilla.mozilla.org/show_bug.cgi?id=457045 for
issue  "The first random value ever generated by the RNG should be 
discarded to be stored in rng->oldV, causing the RNG to generate another 
value." - fix "a call with a full buffer (or a single call to 
prng_generateNewBytes) in rng_init should resolve this".


https://bugzilla.mozilla.org/show_bug.cgi?id=494073

In thursday's meeting we will discuss the date which will hopefully be 
as soon as possible.. like next week.


-glen




smime.p7s
Description: S/MIME Cryptographic Signature
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: NSPR assertion failure

2009-05-13 Thread Glen Beasley


Glen Beasley wrote:

hi,

Looking at the bottom of this  stack trace:

J  java.lang.ref.Finalizer.invokeFinalizeMethod(Ljava/lang/Object;)V
J  java.lang.ref.Finalizer.runFinalizer()V
J  java.lang.ref.Finalizer$FinalizerThread.run()V

Called by the garbage collector on an object when garbage collection 
determines that there are no more references to the object.


j  com.sun.net.ssl.internal.ssl.SSLSocketImpl.close()V+44
j  com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.finalize()V+1


Java's JSSE com.sun.net.ssl.internal.ssl finalize method is being called

J org.mozilla.jss.provider.java.security.JSSMessageDigestSpi.engineUpdate
([BII)V
J  java.security.MessageDigest$Delegate.engineUpdate([BII)V
J  java.security.MessageDigest.update([B)V


The stack trace then goes on to show that the Mozilla-JSS JCE provider 
is being called by Java's JSSE SSLSocket instance to compute an HMAC 
on message that will inform the other end that this socket is closing. 
Then finally crashes in NSPR with an invalid argument...


Are you using JSS for SSL, or Java's JSSE? Have you monitored your 
server memory usage, is the process running out of memory? If you're 
doing JSS for SSL, and are NOT creating any instances of JSSE SSL 
sockets then this issue is likely stack corruption.


can you create a bug on JSS, and try to attach a reproducible test 
case, or at least in the bug detail
description of what your server is doing, how it is configured, and 
what load it takes to crash.


-glen




ksreedha...@gmail.com wrote:

Hi Wan-Teh,

Before I try to get the stack track using gdb on the core file, as I
made it to crash with your suggested change, Java crashed with this
error. Actually it also stack trace. Can you see anything from it.

I appreciate your help. This is a must fix for us.

#
# An unexpected error has been detected by Java Runtime Environment:
#
#  SIGSEGV (0xb) at pc=0x712a97e2, pid=10873, tid=1904720784
#
# Java VM: Java HotSpot(TM) Client VM (1.6.0_01-b06 mixed mode)
# Problematic frame:
# C  [libnspr4.so+0x277e2]  PR_Lock+0x6b
#
# If you would like to submit a bug report, please visit:
#   http://java.sun.com/webapps/bugreport/crash.jsp
#

---  T H R E A D  ---

Current thread (0x080ae000):  JavaThread "Finalizer" daemon
[_thread_in_native, id=10878]

siginfo:si_signo=11, si_errno=0, si_code=1, si_addr=0x

Registers:
EAX=0x, EBX=0x712be460, ECX=0x7187a6a4, EDX=0x
ESP=0x7187a748, EBP=0x7187a770, ESI=0x08378368, EDI=0x080ae0e8
EIP=0x712a97e2, CR2=0x, EFLAGS=0x00010206

Top of Stack: (sp=0x7187a748)
0x7187a748:   712bc3dc 0016 0014 0014
0x7187a758:    74568ba0 7187a780 0016
0x7187a768:    713d3608 7187a790 7135c4aa
0x7187a778:   089757d8  7187a7c0 7135c480
0x7187a788:   08378368 713d3608 7187a7c0 7135d8b9
0x7187a798:   09581cd8 080ae0e8 7187a7c0 7135d86d
0x7187a7a8:   080ae0e8 7187a810  
0x7187a7b8:   713fbf1c 08378368 7187a7f0 713e6203

Instructions: (pc=0x712a97e2)
0x712a97d2:   83 7c df ff ff 89 04 24 e8 41 07 fe ff 8b 45 f8
0x712a97e2:   c7 00 00 00 00 00 83 7d f4 00 74 20 c7 44 24 08

Stack: [0x7185b000,0x7187c000),  sp=0x7187a748,  free space=125k
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code,
C=native code)
C  [libnspr4.so+0x277e2]  PR_Lock+0x6b
C  [libnss3.so+0x2a4aa]
C  [libnss3.so+0x2b8b9]  PK11_DigestOp+0x59
C  [libjss4.so+0x11203]
Java_org_mozilla_jss_pkcs11_PK11MessageDigest_update+0x5f
J  org.mozilla.jss.pkcs11.PK11MessageDigest.update(Lorg/mozilla/jss/
pkcs11/CipherContextProxy;[BII)V
J  org.mozilla.jss.pkcs11.PK11MessageDigest.update([BII)V
J
org.mozilla.jss.provider.java.security.JSSMessageDigestSpi.engineUpdate
([BII)V
J  java.security.MessageDigest$Delegate.engineUpdate([BII)V
J  java.security.MessageDigest.update([B)V
j  com.sun.crypto.provider.SslMacCore.update([BII)V+16
j  com.sun.crypto.provider.SslMacCore$SslMacSHA1.engineUpdate([BII)V+7
j  javax.crypto.Mac.update([B)V+33
j  com.sun.net.ssl.internal.ssl.MAC.compute(BLjava/nio/ByteBuffer;[BII)
[B+60
j  com.sun.net.ssl.internal.ssl.MAC.compute(B[BII)[B+7
j  com.sun.net.ssl.internal.ssl.OutputRecord.addMAC(Lcom/sun/net/ssl/
internal/ssl/MAC;)V+36
J  com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(Lcom/sun/net/
ssl/internal/ssl/OutputRecord;)V
j  com.sun.net.ssl.internal.ssl.SSLSocketImpl.sendAlert(BB)V+216
j  com.sun.net.ssl.internal.ssl.SSLSocketImpl.warning(B)V+3
j  com.sun.net.ssl.internal.ssl.SSLSocketImpl.closeInternal(Z)V+192
j  com.sun.net.ssl.internal.ssl.SSLSocketImpl.close()V+44
j  com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.finalize()V+1
v  ~StubRoutines::call_stub
V  [libjvm.so+0x209a4d]
V  [libjvm.so+0x305bc8]
V  [libjvm.so+0x2098e0]
V  [libjvm.so+0x232f77]
V  [libjvm.so+0x2198ad]
C  [libjava.so+0xcb9e]
Java_java_lang_ref_Finalizer_invokeFinalizeMethod+0x6e
J  java.lang.ref.Finalizer.invokeFinalizeMethod(Ljava/lang/Object;)V
J  java.lang.r

Re: NSPR assertion failure

2009-05-13 Thread Glen Beasley


hi,

Looking at the bottom of this  stack trace:

J  java.lang.ref.Finalizer.invokeFinalizeMethod(Ljava/lang/Object;)V
J  java.lang.ref.Finalizer.runFinalizer()V
J  java.lang.ref.Finalizer$FinalizerThread.run()V

Called by the garbage collector on an object when garbage collection determines 
that there are no more references to the object.

j  com.sun.net.ssl.internal.ssl.SSLSocketImpl.close()V+44
j  com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.finalize()V+1


Java's JSSE com.sun.net.ssl.internal.ssl finalize method is being called

J org.mozilla.jss.provider.java.security.JSSMessageDigestSpi.engineUpdate
([BII)V
J  java.security.MessageDigest$Delegate.engineUpdate([BII)V
J  java.security.MessageDigest.update([B)V


The stack trace then goes on to show that the Mozilla-JSS JCE provider 
is being called by Java's JSSE SSLSocket instance to compute an HMAC on 
message that will inform the other end that this socket is closing. Then 
finally crashes in NSPR with an invalid argument...


Are you using JSS for SSL, or Java's JSSE? Have you monitored your 
server memory usage, is the process running out of memory? If you're 
doing JSS for SSL, and are creating any instances of JSSE SSL sockets 
then this issue

is likely stack corruption.

can you create a bug on JSS, and try to attach a reproducible test case, 
or at least in the bug detail
description of what your server is doing, how it is configured, and what 
load it takes to crash.


-glen




ksreedha...@gmail.com wrote:

Hi Wan-Teh,

Before I try to get the stack track using gdb on the core file, as I
made it to crash with your suggested change, Java crashed with this
error. Actually it also stack trace. Can you see anything from it.

I appreciate your help. This is a must fix for us.

#
# An unexpected error has been detected by Java Runtime Environment:
#
#  SIGSEGV (0xb) at pc=0x712a97e2, pid=10873, tid=1904720784
#
# Java VM: Java HotSpot(TM) Client VM (1.6.0_01-b06 mixed mode)
# Problematic frame:
# C  [libnspr4.so+0x277e2]  PR_Lock+0x6b
#
# If you would like to submit a bug report, please visit:
#   http://java.sun.com/webapps/bugreport/crash.jsp
#

---  T H R E A D  ---

Current thread (0x080ae000):  JavaThread "Finalizer" daemon
[_thread_in_native, id=10878]

siginfo:si_signo=11, si_errno=0, si_code=1, si_addr=0x

Registers:
EAX=0x, EBX=0x712be460, ECX=0x7187a6a4, EDX=0x
ESP=0x7187a748, EBP=0x7187a770, ESI=0x08378368, EDI=0x080ae0e8
EIP=0x712a97e2, CR2=0x, EFLAGS=0x00010206

Top of Stack: (sp=0x7187a748)
0x7187a748:   712bc3dc 0016 0014 0014
0x7187a758:    74568ba0 7187a780 0016
0x7187a768:    713d3608 7187a790 7135c4aa
0x7187a778:   089757d8  7187a7c0 7135c480
0x7187a788:   08378368 713d3608 7187a7c0 7135d8b9
0x7187a798:   09581cd8 080ae0e8 7187a7c0 7135d86d
0x7187a7a8:   080ae0e8 7187a810  
0x7187a7b8:   713fbf1c 08378368 7187a7f0 713e6203

Instructions: (pc=0x712a97e2)
0x712a97d2:   83 7c df ff ff 89 04 24 e8 41 07 fe ff 8b 45 f8
0x712a97e2:   c7 00 00 00 00 00 83 7d f4 00 74 20 c7 44 24 08

Stack: [0x7185b000,0x7187c000),  sp=0x7187a748,  free space=125k
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code,
C=native code)
C  [libnspr4.so+0x277e2]  PR_Lock+0x6b
C  [libnss3.so+0x2a4aa]
C  [libnss3.so+0x2b8b9]  PK11_DigestOp+0x59
C  [libjss4.so+0x11203]
Java_org_mozilla_jss_pkcs11_PK11MessageDigest_update+0x5f
J  org.mozilla.jss.pkcs11.PK11MessageDigest.update(Lorg/mozilla/jss/
pkcs11/CipherContextProxy;[BII)V
J  org.mozilla.jss.pkcs11.PK11MessageDigest.update([BII)V
J
org.mozilla.jss.provider.java.security.JSSMessageDigestSpi.engineUpdate
([BII)V
J  java.security.MessageDigest$Delegate.engineUpdate([BII)V
J  java.security.MessageDigest.update([B)V
j  com.sun.crypto.provider.SslMacCore.update([BII)V+16
j  com.sun.crypto.provider.SslMacCore$SslMacSHA1.engineUpdate([BII)V+7
j  javax.crypto.Mac.update([B)V+33
j  com.sun.net.ssl.internal.ssl.MAC.compute(BLjava/nio/ByteBuffer;[BII)
[B+60
j  com.sun.net.ssl.internal.ssl.MAC.compute(B[BII)[B+7
j  com.sun.net.ssl.internal.ssl.OutputRecord.addMAC(Lcom/sun/net/ssl/
internal/ssl/MAC;)V+36
J  com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(Lcom/sun/net/
ssl/internal/ssl/OutputRecord;)V
j  com.sun.net.ssl.internal.ssl.SSLSocketImpl.sendAlert(BB)V+216
j  com.sun.net.ssl.internal.ssl.SSLSocketImpl.warning(B)V+3
j  com.sun.net.ssl.internal.ssl.SSLSocketImpl.closeInternal(Z)V+192
j  com.sun.net.ssl.internal.ssl.SSLSocketImpl.close()V+44
j  com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.finalize()V+1
v  ~StubRoutines::call_stub
V  [libjvm.so+0x209a4d]
V  [libjvm.so+0x305bc8]
V  [libjvm.so+0x2098e0]
V  [libjvm.so+0x232f77]
V  [libjvm.so+0x2198ad]
C  [libjava.so+0xcb9e]
Java_java_lang_ref_Finalizer_invokeFinalizeMethod+0x6e
J  java.lang.ref.Finalizer.invokeFinalizeMethod(Ljava/lang/Object;)V
J  java.lang.ref.Finalizer.runFinalizer()V
J  java.lang.ref.Finalizer$FinalizerThread.run()V

Re: Cache CRL SSL Test is Failing

2009-05-11 Thread Glen Beasley


Nelson B Bolyard wrote:

Glen Beasley wrote, On 2009-05-11 14:01:
  

John Smith wrote:


Hi:
  
*Glen*: Wow, you managed to match that bug to my problem, even though 
the test numbers are totally different (as per what Nelson said)!  Its 
not terribly important that all tests pass for my purposes, so I think 
I will wait for 3.12.4.  Do you have a rough idea of when that will be 
released?


  
I should have said that I expect those 3 errors are related to 
chain.sh/OCSP related and are fixed in that bug...


I will say anyone on any platform that builds and tests NSS 3.12.3 and 
does not have access to the internal NSS OCSP QA server should have 3 
failures. May have more, but they should have at least 3. 



Glen,
If that's true, then that is a serious bug in the NSS QA test scripts.
By default, the NSS QA test scripts should never perform any of the tests
that require access to servers that are not publicly available.  Those
private extended tests must only be used when explicitly enabled.
If you're sure that's true, please file a P1 test bug.  Thanks.
  

This issue has already been fixed in the trunk.

https://bugzilla.mozilla.org/show_bug.cgi?id=488646 

unfortunately when you do a cvs co -r NSS_3_12_3_RTM 
mozilla/security/nss ...
these QA_test_script_only_bug exists. I believe it was introduced after 
3.12.2 RTM and
is now fixed in the trunk. 

Today I tested the NSS_3_12_3_RTM and not only did I get the expected 
chains.sh/OCSP errors,
I got 3 chains.sh: #2997: RealCerts  errors which thankfully are 
fixed in the trunk as well,
not sure on the bug number. We had various discussions on chain.sh QA 
failures in the past weeks
and it took awhile for the QA/developers working on theses issue to fix 
them due to time constraints.


We should discuss pushing 3.12.4 sooner rather than later in the NSS 
developers meeting

this week to address this issue. I will add it to the agenda.

John,

I did not reproduce you're Cache CRL SSL test fail with the co of 
NSS_3_12_3_RTM:


It occurred to me that you wrote the following sample:


tstclnt -p 8443 -h [my-ip-address] -f -d ../client -v \
  -w nss -n TestUser41


the NSS all.sh tests require that you "hostanme.computer domain name" as in
"myhost.locathost"

http://www.mozilla.org/projects/security/pki/nss/testnss_32.html


tstclnt -p 8443 -h [host.domsuf] -f -d ../client -v \
  -w nss -n TestUser41



on my ubuntu virtual machine I set

and added to sudo vi /etc/hosts
127.0.1.1gb-ubuntu gb-ubuntu.localhost

then in bash shell

export DOMSUF localhost
export HOST cat

see if that fixes your Cache CRL SSL test issue?

-glen





-glen



/Nelson
  




smime.p7s
Description: S/MIME Cryptographic Signature
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Cache CRL SSL Test is Failing

2009-05-11 Thread Glen Beasley


John Smith wrote:

Hi:




*Glen*: Wow, you managed to match that bug to my problem, even though 
the test numbers are totally different (as per what Nelson said)!  Its 
not terribly important that all tests pass for my purposes, so I think 
I will wait for 3.12.4.  Do you have a rough idea of when that will be 
released?


I should have said that I expect those 3 errors are related to 
chain.sh/OCSP related and are fixed in that bug...


I will say anyone on any platform that builds and tests NSS 3.12.3 and 
does not have access to the internal NSS OCSP QA server should have 3 
failures. May have more, but they should have at least 3. While the 
tests numbers are different per platform the ones you listed follow a 
plausible range if you're familiar with the NSS tests.  Now I could be 
wrong and your 3 test failures are different and are not related to 
chains.sh/OCSP.


I also stated that I have an Ubuntu 8.10 instance and built the trunk of 
NSPR/NSS on it (with out access to the

OCSP QA server)  all tests passed.

It's not much work to install CVS and run the check out command 
especially since you can already build NSPR/NSS from source. I guess 
it's not too much work for me to go back build and run 3.12.3 RTM, but 
since the trunk is successful then I don't want to figure out what a 
colleague has already fixed. I would try to look into a current issue 
though.


Not sure when we'll post 3.12.4, and also if we are going to, we may 
post to 3.12.5 etc to ftp.mozilla.org


-glen




Cheers,
legit




smime.p7s
Description: S/MIME Cryptographic Signature
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Cache CRL SSL Test is Failing

2009-05-08 Thread Glen Beasley


Nelson B Bolyard wrote:

John Smith wrote, On 2009-05-07 15:00 PDT:

  

I downloaded the NSS 3.12.3 and NSPR 4.7.4 source code and was running
the provided test suite.  However, test #537 (part of "Cache CRL SSL
Client Tests") gets stuck (all previous tests pass according to
results.html), and I have to kill the test process.  The last few lines
from output.log are (personal information was scrubbed):




If I comment out that particular test from the scripts, then all tests
pass except for three: test #1723, #3029, #4566 (these three don't hang,
they just fail).



  

https://bugzilla.mozilla.org/show_bug.cgi?id=488646 has been fixed.

John you can wait for 3.12.4 or you could set up cvs to checkout the 
trunk of NSPR/NSS


sudo apt-get install cvs
export CVSROOT=:pserver:anonym...@cvs-mirror.mozilla.org:/cvsroot
#checkout the trunk
cvs co NSPR NSS

I just did a build on Ubuntu 8.10 x86_64 bit of the trunk all tests passed.

-glen


Please give us the log extracts for those tests.  Otherwise those are just
numbers.

  




smime.p7s
Description: S/MIME Cryptographic Signature
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: NSS source building

2009-04-27 Thread Glen Beasley


ksreedha...@gmail.com wrote:

Thanks Glen for the response.

I just copied new built library files to the same directory where the
original ones were. No environment changes. The library files
directory is in LD_LIBRARY_PATH.

  

make sure you copy the .chk files that you built along with the libraries.
make sure JSS's JNI libjss4.so is with the NSPR/NSS libraries

Do I need to build JSS from source if I build NSS/NSPR from source or
can I use the binaries downloaded from Mozilla site.

  

you're existing JSS should be fine.

this issue appears to be a configuration error. your LD_LIBRARY_PATH or 
possibly

provided location to your NSS cert/key databases is at issue

Consider using a test directory then:
bash
export LD_LIBRARY_PATH=

java -cp ./jss4.jar org.mozilla.jss.tests.SetupDBs . passwords

java -cp ./jss4.jar  java org.mozilla.jss.tests.SSLClientAuth . passwords

Get this sample working, and you should be able to figure out
your issue.

I believe you care about FIPS. Understand that if you are building your own
copy of NSS_3_11_4_RTM and modifying the source then you no longer
can claim FIPS compliance until you have that patch included in a release
and then have that NSS release pass it's own FIPS validation. I'm just
stating the obvious, you're likely just building NSS 3.11.4 for 
debugging purposes.


-glen




I suspect I am doing something wrong during NSS/NSPR building.

Thanks,
Sreedhar

On Apr 27, 10:11 am, Glen Beasley  wrote:
  

ksreedha...@gmail.com wrote:


Hello,
  
I am using JSS 4.2.5, NSS 3.11.4, NSPR 4.6.4.
  
If I use the binaries downloaded from

https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_1...
and
  
https://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v4.6.4/Linux2.6...
  
everything works fine. But once I download the source from
  
https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_1...,
  
build it using "gmake nss_build_all" in mozilla/security/nss directory

and use the built libraries, I get the following exception:
  
ava.lang.SecurityException: Unable to initialize security library

at org.mozilla.jss.CryptoManager.initializeAllNative2(Native
Method)
  

This exception means JSS is unable to find the dependent JSS
JNI/NSS/NSPR libraries.
set your LD_LIBRARY_PATH correct.





at org.mozilla.jss.CryptoManager.initialize(CryptoManager.java:
834)
at com.fhp.ems.ssl.JssInitializer.initJss(JssInitializer.java:
35)
at com.fhp.ems.main.NmsMainBE.main(NmsMainBE.java:15)
  
Can someone point me what I am doing wrong in the building the source.
  
I appreciate your help
  
Thanks,

Sreedhar
  


 smime.p7s
6KViewDownload- Hide quoted text -

- Show quoted text -- Hide quoted text -

- Show quoted text -



  




smime.p7s
Description: S/MIME Cryptographic Signature
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: NSS source building

2009-04-27 Thread Glen Beasley


ksreedha...@gmail.com wrote:

Hello,

I am using JSS 4.2.5, NSS 3.11.4, NSPR 4.6.4.

If I use the binaries downloaded from
https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_11_4_RTM/Linux2.6_x86_glibc_PTH_DBG.OBJ/
and

https://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v4.6.4/Linux2.6_x86_glibc_PTH_DBG.OBJ/

everything works fine. But once I download the source from

https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_11_4_RTM/src/nss-3.11.4-with-nspr-4.6.4.tar.gz,

build it using "gmake nss_build_all" in mozilla/security/nss directory
and use the built libraries, I get the following exception:

ava.lang.SecurityException: Unable to initialize security library
at org.mozilla.jss.CryptoManager.initializeAllNative2(Native
Method)
  
This exception means JSS is unable to find the dependent JSS 
JNI/NSS/NSPR libraries.

set your LD_LIBRARY_PATH correct.

at org.mozilla.jss.CryptoManager.initialize(CryptoManager.java:
834)
at com.fhp.ems.ssl.JssInitializer.initJss(JssInitializer.java:
35)
at com.fhp.ems.main.NmsMainBE.main(NmsMainBE.java:15)

Can someone point me what I am doing wrong in the building the source.

I appreciate your help

Thanks,
Sreedhar

  




smime.p7s
Description: S/MIME Cryptographic Signature
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: RNG continuous test failure

2009-04-24 Thread Glen Beasley


ksreedha...@gmail.com wrote:

On Apr 24, 10:03 am, Wan-Teh Chang  wrote:
  

On Thu, Apr 23, 2009 at 1:51 PM,   wrote:


Hello,
  
I am using Mozilla JSS provider from Java.
  
JSS 4.2.5

NSS 3.11.4
NSPR 4.6.4
  
When the FIPS RNG continuous tests fail, what is the behavior in NSS/

JSS. What does it return. do we get an java exception to the calling
function.
  
For example, when Java code tries to establish a TLS Socket session,

and this continuous tests fail during random number generation, do we
get an exception to the socket creation code.
  

I guess so.  In FIPS mode, once the continuous RNG test fails, the
NSS software crypto module ("softoken") enters an error state, and
all subsequent crypto operations will fail.  I don't know how these
NSS errors will be reflected in Java, but JSS definitely won't be able
to do TLS.

Wan-Teh- Hide quoted text -

- Show quoted text -



Thanks Wan for the reply.

I was also certain that JSS will not able to do TLS but it would be
helpful if a distinct exception/error is thrown incase of continuous
tests fail. It seems we need to flag/log these messages.
  
Understand that it very unlikely that the NSS 3.11.4 FIPS RNG would 
fail, but
if the RNG continuous test failed, NSS would consider that a critical 
error, and would go
into error state setting SEC_ERROR_LIBRARY_FAILURE and would allow no 
further cryptographic operation, until NSS was re-initialized. All JSS 
method requesting the NSS module to perform an operation would result 
with an exception, most likely with 
org.mozilla.jss.crypto.TokenRuntimeException

but this Exception is not guaranteed for all methods.


If any one can point me what kind of errors will be thrown, that would
be great.
  
Otherwise I may have to tweak the nss code.
  
you're welcome to tweak that NSS code but understand that would break 
NSS 3.11.4 FIPS compliance.
meaning if you want to tweak the NSS code, you would have to submit a 
patch,  have patch pass review, and

then have the release with that included patch pass a FIPS validation.

if you want the JSS Exception consistent you would be tweaking the JSS 
code (not NSS), and providing patch for JSS.


But right now I don't see the point. The JSS layer is FIPS compliant 
because it requests the NSS cryptographic module to perform any and all 
cryptographic operations. If the RNG continuous test fail the NSS 
cryptographic module enters an error state and is not usable. A java 
application configured to be FIPS compliant using JSS/NSS would be 
unusable for cryptographic operations until re-initialized. If the user 
configured NSS to audit data the user would view the configured log files.


see Access to Audit Data in the NSS security policy:
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp814.pdf

-glen


Thanks,
Sreedhar
  




smime.p7s
Description: S/MIME Cryptographic Signature
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: RSA AES Cipher problem with JSS/NSS

2009-04-07 Thread Glen Beasley


hello,

I created https://bugzilla.mozilla.org/show_bug.cgi?id=487325

for an immediate work around you can choose to use JSS's own SSL 
classes, instead

of the JSSE.

-glen


ksreedha...@gmail.com wrote:

Hello Glen,

I tried to look into the source of classes where these exceptions were
thrown.

One interesting thing I observed is, JSSCipherSpi expects Public Key
only in "WRAP_MODE". But JCE_RSACipher is calling it in "ENCRYPT_MODE"
in which JSS expects a secret key. Since the passed key not a secret
key, it is trying to import the secret key out of this key and it says
"invalid key type".

Pre master secret is encrypted using the public key according to the
TLS RFC,

7.4.7.1. RSA encrypted premaster secret message

   Meaning of this message:
   If RSA is being used for key agreement and authentication, the
   client generates a 48-byte premaster secret, encrypts it using
   the public key from the server's certificate or the temporary
RSA
   key provided in a server key exchange message, and sends the
   result in an encrypted premaster secret message. This structure
   is a variant of the client key exchange message, not a message
in
   itself.

So, is it looks like a problem between JCE_RSACipher and JSSCipherSpi.
Or Am I missing anything here.

Thanks,
Sreedhar

On Apr 2, 5:38 pm, ksreedha...@gmail.com wrote:
  

Thanks Glen. Yes it works with the default provider. tstclnt fails
with the error Issuer certificate is invalid.

When I used with option -o (Override bad server cert), it works fine.
The certificate wes used is a Self signed certificate. So, probably
tstclnt didn't like it.

One more thing is, OpenSSL based c client is able to communicate with
server successfully.

Thanks,
Sreedhar

On Apr 2, 4:52 pm, Glen Beasley  wrote:





hi,
  
can you successfully  connect  to your server using JSSE  with it's

default provider? meaning
not using mozilla-JSS as the provider?
  
I know you have used ssltap can you use NSS tool tstclnt?
  
tstclnt -h  -p  -d  -v -2 -3 -c v
  
If you want full client auth specify your cert nickname with -n 
cert nickname>
  
If the JSSE works with the default provider, and tstclnt works  then  open

a bug on JSS with steps to recreate issue.
  
-glen
  
ksreedha...@gmail.com wrote:
  

Thanks Nelson for the reply.

Jss version is 4.2.5

JRE version is 1.6
NSS vesion is 3.11.4

See my comments inline.

On Apr 1, 8:45 pm, Nelson B Bolyard  wrote:


ksreedha...@gmail.com wrote, On 2009-04-01 17:54:
  

Hello,

I am [using] Mozilla-JSS as the provider in my Java application which

is a SSL client connecting to OpenSSL based SSL Server.


You haven't reported version information, such as:
- version of JDK/JRE
- version of JSS
- version of NSS
It's possible that you have a version mismatch of some sort.
  

I am using the cipher suite "TLS_RSA_WITH_AES_128_CBC_SHA" and we are
using TLSv1.0 as the SSL protocol.

I get this exception when I try to connect to the server. Server has a

self signed RSA based certificate.


I have rearranged the stack below, so that it appears as one continuous
stack, with the first (or "root cause") exception at the top.
  

I thought premaster secret key is generated by the Client and encrypt
using the public key of the certificate so that Server will decrypt using
its private key.


That's correct for the cipher suite "TLS_RSA_WITH_AES_128_CBC_SHA".
  

Can some one tell me what I am missing here and what this exception
means?


The first exception reported in this stack, namely:
  

java.security.InvalidKeyException: Invalid key type: 
org.mozilla.jss.pkcs11.PK11RSAPublicKey


says that the failure occurred when trying to encrypt the pre-master secret
with the RSA public key.  The exception reports that the key it was given as
the pre-master secret, to be encrypted with the server's RSA public key, was
actually not a pre-master secret, but rather was an RSA public key.
  

But the premaster secret key is generated internally right?


The code that threw the first exception may be seen at
  

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/jss/org/...
 at org.mozilla.jss.provider.javax.crypto.JSSCipherSpi.importKey 
(JSSCipherSpi.java:123)
 at org.mozilla.jss.provider.javax.crypto.JSSCipherSpi.engineInit 
(JSSCipherSpi.java:161)
 at org.mozilla.jss.provider.javax.crypto.JSSCipherSpi.engineInit 
(JSSCipherSpi.java:270)
 at javax.crypto.Cipher.init(DashoA13*..)
 at com.sun.net.ssl.internal.ssl.JCE_RSACipher.encryptInit (RSACipher.java:76)
 at com.sun.net.ssl.internal.ssl.PreMasterSecret. 
(PreMasterSecret.java:83)


Consequently, it was unable to create an RSA-encrypted pre-master

Re: RSA AES Cipher problem with JSS/NSS

2009-04-02 Thread Glen Beasley


hi,

can you successfully  connect  to your server using JSSE  with it's 
default provider? meaning

not using mozilla-JSS as the provider?

I know you have used ssltap can you use NSS tool tstclnt?

tstclnt -h  -p  -d  -v -2 -3 -c v

If you want full client auth specify your cert nickname with -n cert nickname>


If the JSSE works with the default provider, and tstclnt works  then  open
a bug on JSS with steps to recreate issue.

-glen



ksreedha...@gmail.com wrote:

Thanks Nelson for the reply.

Jss version is 4.2.5
JRE version is 1.6
NSS vesion is 3.11.4

See my comments inline.
On Apr 1, 8:45 pm, Nelson B Bolyard  wrote:
  

ksreedha...@gmail.com wrote, On 2009-04-01 17:54:



Hello,
  
I am [using] Mozilla-JSS as the provider in my Java application which

is a SSL client connecting to OpenSSL based SSL Server.
  

You haven't reported version information, such as:
- version of JDK/JRE
- version of JSS
- version of NSS
It's possible that you have a version mismatch of some sort.



I am using the cipher suite "TLS_RSA_WITH_AES_128_CBC_SHA" and we are
using TLSv1.0 as the SSL protocol.
  
I get this exception when I try to connect to the server. Server has a

self signed RSA based certificate.
  

I have rearranged the stack below, so that it appears as one continuous
stack, with the first (or "root cause") exception at the top.



I thought premaster secret key is generated by the Client and encrypt
using the public key of the certificate so that Server will decrypt using
its private key.
  

That's correct for the cipher suite "TLS_RSA_WITH_AES_128_CBC_SHA".



Can some one tell me what I am missing here and what this exception
means?
  

The first exception reported in this stack, namely:



java.security.InvalidKeyException: Invalid key type: 
org.mozilla.jss.pkcs11.PK11RSAPublicKey
  

says that the failure occurred when trying to encrypt the pre-master secret
with the RSA public key.  The exception reports that the key it was given as
the pre-master secret, to be encrypted with the server's RSA public key, was
actually not a pre-master secret, but rather was an RSA public key.




But the premaster secret key is generated internally right?

  

The code that threw the first exception may be seen at



http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/jss/org/...
 at org.mozilla.jss.provider.javax.crypto.JSSCipherSpi.importKey 
(JSSCipherSpi.java:123)
 at org.mozilla.jss.provider.javax.crypto.JSSCipherSpi.engineInit 
(JSSCipherSpi.java:161)
 at org.mozilla.jss.provider.javax.crypto.JSSCipherSpi.engineInit 
(JSSCipherSpi.java:270)
 at javax.crypto.Cipher.init(DashoA13*..)
 at com.sun.net.ssl.internal.ssl.JCE_RSACipher.encryptInit (RSACipher.java:76)
 at com.sun.net.ssl.internal.ssl.PreMasterSecret. 
(PreMasterSecret.java:83)
  

Consequently, it was unable to create an RSA-encrypted pre-master secret
(also know as the "RSA pre-master secret"), and this is what the second
exception is complaining about.



(which caused) javax.net.ssl.SSLKeyException: RSA premaster secret error
 at com.sun.net.ssl.internal.ssl.PreMasterSecret. 
(PreMasterSecret.java:86)
 at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone 
(ClientHandshaker.java:439)
 at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage 
(ClientHandshaker.java:132)
 at com.sun.net.ssl.internal.ssl.Handshaker.process_record (Handshaker.java:334)
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord 
(SSLSocketImpl.java:805)
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake 
(SSLSocketImpl.java:1046)
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake 
(SSLSocketImpl.java:1059)
 at com.fhp.ems.main.TestSecurity_SSL.testSSL (TestSecurity_SSL.java:218)
 at com.fhp.ems.main.TestSecurity_SSL.main (TestSecurity_SSL.java:69)
  

Maybe Glen can tell us more about diagnosing this failure.





smime.p7s
Description: S/MIME Cryptographic Signature
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: JSS: How to load symmetric key from NSS DB?

2009-03-23 Thread Glen Beasley




alex.agra...@gmail.com wrote:

I wonder how is it possible to load symmetric key that is stored
inside the NSS DB via JSS API? I tried using KeyStore JCA class (as in
org.mozilla.jss.tests.KeyStoreTest example):

  KeyStore ks = KeyStore.getInstance("Mozilla-JSS");

but it turns out that JSSProvider doesn't register JSSKeyStoreSpi
class at all and therefore "Mozilla-JSS" instance of KeyStore doesn't
exist.
I tried fixing this by adding the following line to JSSProvider class:

  put("KeyStore.Mozilla-JSS",
"org.mozilla.jss.provider.java.security.JSSKeyStoreSpi");

But even though "getKey" API seemed to work fine, I got the following
exception when trying to use this key to init the cipher:
  

This is not supported:
http://www.mozilla.org/projects/security/pki/jss/provider_notes.html#not-supported

  encryptCipher.init(Cipher.ENCRYPT_MODE, key, params);

  # An unexpected error has been detected by Java Runtime Environment:
  #
  #  EXCEPTION_ACCESS_VIOLATION (0xc005) at pc=0x19ea4930,
pid=17900, tid=10928
  #
  # Java VM: Java HotSpot(TM) Client VM (11.2-b01 mixed mode windows-
x86)
  # Problematic frame:
  # C  [nss3.dll+0x34930]
  #
  # An error report file with more information is saved as:
  # D:\projects\yevgeniyg_EMS_5.8\TG1000\EMS\hs_err_pid17900.log
  #
  # If you would like to submit a bug report, please visit:
  #   http://java.sun.com/webapps/bugreport/crash.jsp
  # The crash happened outside the Java Virtual Machine in native
code.
  # See problematic frame for where to report the bug.
  #

So I wonder if there is some way to load symmetric key stored in the
NSS DB via JCA API?
  
not using the JCA API/Mozilla-JSS provider but you can use JSS's  
KeyManager class


http://www.mozilla.org/projects/security/pki/jss/javadoc/org/mozilla/jss/SecretDecoderRing/KeyManager.html#lookupKey(org.mozilla.jss.crypto.EncryptionAlgorithm,%20byte[])

Now that NSS 3.12 has the Certificate and Key shareable database I need 
to revisit  Mozilla-JSS provider

supporting JCA KeyStore.


-glen





smime.p7s
Description: S/MIME Cryptographic Signature
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: using JSS to build cert chains

2009-03-20 Thread Glen Beasley


David Stutzman wrote:
I'm in the process of porting over certificate path building code from 
using Sun's API to using JSS as we are gradually migrating all of our 
crypto over to JSS/NSS.  I'm running some testing with 
CryptoManager.buildCertificateChain(X509Certificate leaf).
If I grab a cert out of the db and pass it, everything is fine.  If I 
want to chain a CA (either subCA with root in the DB or root) 
everything is fine.  The CAs probably work fine as they get imported 
first due to the conversion problem.  If I have a byte[] containing a 
certificate and would like to build a chain to see if it is in my 
hierarchy I need to get that certificate into an instance of the 
interface org.mozilla.jss.crypto.X509Certificate to pass to 
buildCertificateChain.  The problem is, you can't seem to instantiate 
one of these in any way if you are holding some bytes.  I can ASN1 
decode the bytes into a org.mozilla.jss.pkix.cert.Certificate but that 
doesn't help.  According to the JSS FAQ 
(http://www.mozilla.org/projects/security/pki/jss/faq.html#convertPkix) 
I can call Cryptomanager.importCertPackage() and pass the DER encoded 
certificate/PKCS7 bytes and it will return the leaf cert.  The problem 
is the only way it will work and return the leaf cert is if it has a 
matching key in the token.  The javadoc implies this and looking at 
the code for the native import function in 
http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/PK11Finder.c, 
the comments all say that's the intended behavior.


If I would like to build a chain to an SSL server's certificate, for 
example, I can't as I would never have its key.  I know the NSS db can 
hold arbitrary non-CA certs (in Firefox, for ssl exceptions and in 
thunderbird for another user's email cert).  Is there any way to get 
around this limitation in building chains using JSS?  It seems odd 
that I can't just present a random certificate to JSS and have it 
build the chain if it's in a hierarchy I know/trust or throw an 
exception if it's not.



please make a bug request.
Another side-effect I'm not too fond of is if I'm in a situation where 
the import-conversion is useful and works, I end up with the cert I've 
imported in my permanent certDB.  It's not a deal-breaker, but I'd 
prefer in this case that it's just a temporary compare and the next 
time I'd run the application it wouldn't be there.


you have the ability to remove the certs you imported, so you could 
clean up yourself, but you

could also make a bug request on this and I will look into it.


Thanks,
Dave




smime.p7s
Description: S/MIME Cryptographic Signature
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: pk11util and pk11mode

2009-03-12 Thread Glen Beasley


marcelino jr esguerra wrote:
wow! thanks for all the help. I've successfully build it now. But then 
again, how do i use pk11mode in testing pkcs?
The goal of pk11mode is to test every function entry point of the PKCS11 
api "that NSS provides" at least once.
Once you built NSS set your path to find the NSPR/NSS libraries the run 
pk11mode:


To test in FIPS mode: pk11mode -v
To test in NONFIPS mode: pk11mode -n -v

usage: pk11mode -h

You are going to have to review pk11mode.c and learn some of the code base.
Your pkcs11 implementation may not provide all of the pkcs11 functions 
that NSS does.


open pk11mode bugs:
https://bugzilla.mozilla.org/buglist.cgi?query_format=specific&order=relevance+desc&bug_status=__open__&content=pk11mode

-glen






smime.p7s
Description: S/MIME Cryptographic Signature
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: JSS SSLSocket connection timeout

2009-02-19 Thread Glen Beasley


David Stutzman wrote:

(How) Is it possible to set a connection timeout for a JSS SSLSocket?
http://www.mozilla.org/projects/security/pki/jss/javadoc/org/mozilla/jss/ssl/SSLSocket.html 





None of the constructors have a connection timeout and 
SSLSocket.setSoTimeout(int timeout) can only be called *after* 
creating the socket so I'm assuming it functions as a read/write timeout.
True you can only call SSLSocket.setSoTimeout(int timeout) after you 
successfully instantiated an SSLSocket instance, that has achieved a 
successful socket connection.


There are plenty of examples of setSoTimeout being used in the JSS tests.

http://mxr.mozilla.org/security/search?string=setSoTimeout

but the info is not related to your issue. Just trying to clear up some 
confusion.




From testing it appears it's using a 30 second timeout, I just have no 
idea where it's getting this value from and if/how I can change it.


Opening connection: Wed Feb 18 11:03:31 EST 2009
Exception:  Wed Feb 18 11:04:01 EST 2009
java.net.SocketTimeoutException: Unable to connect: (-5990) I/O 
operation timed out.

at org.mozilla.jss.ssl.SSLSocket.socketConnect(Native Method)
at org.mozilla.jss.ssl.SSLSocket.(SSLSocket.java:265)
at org.mozilla.jss.ssl.SSLSocket.(SSLSocket.java:236)
at org.mozilla.jss.ssl.SSLSocket.(SSLSocket.java:180)

Your testing is attempting to create a SSLSocket and the socketConnect 
fails.


In this case SSLSocket.socketConnect was unable to make the basic socket 
connection and returned I/O operation time out. You need to handle the 
error and determine why your configuration cannot connect.


This is not a bug in JSS or with the NSPR PR_Connect call.

PR_INTERVAL_NO_TIMEOUT as a value to PR_Connect is stating have the 
timeout be the

underlying OS's timeout interval.

There is a bug open to fix the NSPR documentation.
https://bugzilla.mozilla.org/show_bug.cgi?id=276536


It's likely that your trying to debug a server that is taking too long 
to reply to a TCP connection?

Or attempting to connect to an IP address that there is no active computer?


-glen

The native method socketConnect is defined here:
http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/ssl/SSLSocket.c#457 






and down on line 501 appears to be the actual connect call:
http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/ssl/SSLSocket.c#501 


 status = PR_Connect(sock->fd, &addr, PR_INTERVAL_NO_TIMEOUT);

PR_INTERVAL_NO_TIMEOUT is defined here:
http://mxr.mozilla.org/security/source/nsprpub/pr/include/prinrval.h#83

Logically, no timeout would mean no timeout...so where does 30 seconds 
come into play?  Is NSPR getting some value from my OS and using it?


Thanks,
Dave
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto


--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: "pretty print" a cert from JSS

2009-02-12 Thread Glen Beasley


David Stutzman wrote:

Glen Beasley wrote:
you can code the same pretty print functionality but there is no 
existing function that

duplicates certutil -l -n.

You can start with
http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/ListCerts.java 


Which currently outputs:

java -cp ./jss4.jar org.mozilla.jss.tests.ListCerts . Client_RSA

main: jss library loaded
1 certs found with this nickname.
Subject: CN=ClientCert,OU=JSS Testing100,O=Mozilla,C=US
Signature oid {1 2 840 113549 1 1 11}
Convert to JDK cert
Subject CN=ClientCert, OU=JSS Testing100, O=Mozilla, C=US
Signature oid SHA256withRSA
no NON Critical Extensions
no Critical Extensions
END


Yeah, I was looking more like the NSS output or very similar to what 
I'm currently using which is functionality that Dogtag CA uses (part 
of their "security_deprecated" sdk...JSS is the "security" toolkit).  
I'm just looking to drop a jar (nsutil) for that one thing I need and 
it's probably something other people would like.


The class I'm using is 
https://pki.fedoraproject.org/svn/pki/trunk/pki/base/util/src/netscape/security/util/CertPrettyPrint.java 
and I need to convert my jss/java cert to a
https://pki.fedoraproject.org/svn/pki/trunk/pki/base/util/src/netscape/security/x509/X509CertImpl.java 
to pass in to that thing.  Since the Dogtag code is GPL...what are the 
(legal) ramifications of attempting to port that functionality over 
for JSS?  


My belief is if there was a well written patch that did this clean up, 
both the JSS and Dogtag teams would welcome it. So, if you desire 
CertPrintPrint.java functionality to belong to JSS you can open a bug on 
JSS and either attempt a patch or hopefully a JSS developer may have 
some cycles to do it.


http://pki.fedoraproject.org/wiki/PKI_TechNote_Jar_files

nsutil.jar - "this jar file provides the basic ASN.1/DER encoding and 
decoding functions for all X.509 objects such as keys, certificates, 
certificate extensions. It is one of the two ASN.1 implementation in the 
PKI server. The other one is JSS. The server currently is using a both 
implementation. The long term plan is to migrate everything to JSS"


-glen


I guess it would be an interesting side project.  I haven't really 
looked at it to see how hard it would be but I imagine JSS can already 
ASN.1 decode all the pieces, it's just a question of formatting it and 
tossing out a String.


Dave
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto


--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: "pretty print" a cert from JSS

2009-02-05 Thread Glen Beasley


David Stutzman wrote:
Is there a way to pretty print a certificate using JSS?  I know NSS 
has the functionality based on output from certutil -L -n "nickname".


you can code the same pretty print functionality but there is no 
existing function that

duplicates certutil -l -n.

You can start with
http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/ListCerts.java
Which currently outputs:

java -cp ./jss4.jar org.mozilla.jss.tests.ListCerts . Client_RSA

main: jss library loaded
1 certs found with this nickname.
Subject: CN=ClientCert,OU=JSS Testing100,O=Mozilla,C=US
Signature oid {1 2 840 113549 1 1 11}
Convert to JDK cert
Subject CN=ClientCert, OU=JSS Testing100, O=Mozilla, C=US
Signature oid SHA256withRSA
no NON Critical Extensions
no Critical Extensions
END


Dave
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto


--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: JSS Diffie Hellman

2009-01-30 Thread Glen Beasley

Nelson B Bolyard wrote:

Sreedhar Kamishetti wrote on 2009-01-29 16:28 PST:

I just started to use JSS/NSS. So, if hope some one will reply to this
post.

We use SSL_DH_anon_WITH_3DES_EDE_CBC_SHA” as cipher suite for
communication between SSL Peers. Client is in Java and Server is in C
(uses OpenSSL).

I am trying to use JSS/NSS for Client side SSL Provider for supporting
FIPS, but I am not able to do it easily as Diffie Hellman protocol for
Key exchange is not implemented by JSS/NSS.

That's not exactly correct. NSS implements DH for SSL clients, but it
does not implement *anonymous* cipher suites at all, not for Diffie Hellman
or any other flavor of key agreement algorithm.

We are having problems communicating to Server by writing Java SSL Client
from scratch using JSS API. Can I use the Sun JSSE provider along with
Mozilla-JSS provider so that my existing code will not change except for
initializing the Mozilla-JSS provider so that SSL Context from Sun JSSE
provider internally uses all the services of Mozilla-JSS provider?

Which Cipher suite is recommended with minimal changes to use between
JSS/NSS client and OpenSSL Server.

I think that any cipher suites that are supported by both NSS/JSS and
Java's SSL classes will require about the same amount of adaptation to
switch from one implementation to the other. But I don't know how much
that will be. Hopefully one of this list's Java gurus can help answer
that.

You'll find the list of cipher suites supported by NSS at
http://mxr.mozilla.org/security/source/security/nss/lib/ssl/sslenum.c#48

JSS supports all NSS ciphersuites.

For recommend ciphersuites, how about:

TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA

There is a sample "JSSE Server using Mozilla-JSS" test in our automated
tinderbox QA.

To see the output search for JSSE Server using Mozilla-JSS
http://tinderbox.mozilla.org/showlog.cgi?tree=NSS&errorparser=unix&logfile=1233326113.122216.20828.gz&buildtime=1233326113&buildname=trunk%20standard%20dositups%20SunOS%2fi386%2064bit%20OPT&fulltext=1

The above link will expire, but you get the link by going to the
http://tinderbox.mozilla.org/showlog.cgi?tree=NSS selecting a succesful
"green" run, and viewing the Full log.

Test:
http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/JSSE_SSLServer.java
http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/JSSE_SSLClient.java

The above code is test/sample code. Cleanup or additional functionality
contributions are welcomed.

-glen

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: JSS API for FIPS Self Tests

2009-01-28 Thread Glen Beasley

On 1/19/09 6:30 PM, ksreedha...@gmail.com wrote:

On Jan 15, 10:53 am, Glen Beasley wrote:

ksreedha...@gmail.com wrote:

On Jan 14, 10:21 am, Glen Beasley wrote:

Sreedhar Kamishetti wrote:

Hello,

I just started looking at JSS.

Can some one point me to the API provided by JSS for running Power Up

and Conditional Self Tests for various cryptographic modules/algorithms?

JSS is a JAVA interface to NSS; basically a JNI wrapper for NSS. JSS in
FIPS mode or Non-FIPS mode does not do any crypto
at the java layer and instead, via JNI calls, requests NSS to perform
the cryptographic operations.

Thus the PowerUp and Conditional Self Test are in NSS.http://mxr.mozilla.org/security/source/security/nss/lib/softoken/fips...

The PowerUp tests will be performed when NSS is initialized in FIPS mode.

Java application using JSS are said to be FIPS compliant by either

loading NSS in FIPS mode
or using the JSS provided methods to put NSS in FIPS mode. As with C
applications that want to
be FIPS compliant, Java applications using JSS loading (NSS in FIPS
mode) must adhere to
the "Security Rules" specified in the NSS security policy:

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp814.pdf

Some Related links:https://wiki.mozilla.org/FIPS_Validation

Sample test
program:http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/t...

-glen

Thanks Glen for the reply. I understood that NSS takes care of Self
Tests. But FIPS require on demand tests also right. So, I wondering is
there an easy way to trigger these tests.

Shutting down and restarting the application satisfies the requirement
to execute power-up self-tests on demand
by the user as defined in Section 4.9.1 of FIPS 140-2 . Each time you
launch your java app and initialize JSS, it can
load NSS in FIPS mode and run the power up self tests.

"In addition to performing the power-up tests when powered up, a
cryptographic module shall permit
operators to initiate the tests on demand for periodic testing of the
module. Resetting, rebooting, and power
cycling are acceptable means for the on-demand initiation of power-up
tests. "

http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf

-glen

Thanks,
Sreedhar
___
dev-tech-crypto mailing list
dev-tech-cry...@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto- Hide quoted text -

- Show quoted text -- Hide quoted text -

- Show quoted text -

Thanks Glen. How about the RNG continuous tests?
In the FIPS Approved mode of operation, the NSS softoken cryptographic
module shall perform a

continuous random number generator test upon each invocation of the
pseudorandom number generator as defined in Section 4.9.2 of FIPS 140-2.

When the NSS softoken module is in FIPS mode and the Java application
calls various JSS methods such as:

PK11SecureRandom rng = new PK11SecureRandom();
or Secure-Random random = SecureRandom.getInstance("pkcs11prng",
""Mozilla-JSS");

or if you created asymetric keys such as RSA or DSA
KeyPairGenerator.getInstance("RSA", "Mozilla-JSS");
etc

The NSS softoken module in FIPS would run RNG continuous test appropriately.

Also, how can we get
the states of Finite state model of the cryptographic modules of NSS
from JSS as required by FIPS.

FIPS 140-2 requires that module itself be specified using a finite state
(or equivalent) represented by a state transition diagram

and/or a state transition table.

NSS is a collection of software libraries; the actual NSS cryptographic
FIPS boundary is the API based PKCS #11 version 2.20
that is exposed by the NSS libraries softoken/freebl as specified in the
Security Policy:

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp814.pdf

Please read the security policy for a certain level of user
understanding is required for FIPS compliance.
For application that want to maintain FIPS compliance they need to
adhere to the Security Rules specified in the the Security Policy.
The state transition table is defined in the Specification of Services
section of the Security Policy.

state transition diagram: https://wiki.mozilla.org/FIPSFSM#States

JSS should be view as an API layer that can be used to interface with
NSS softoken module in FIPS mode. JSS/high level NSS api will make the
appropriate call when the module is in FIPS MODE and has logic to
respond to the various states of the module appropriately.
If the module is not in the correct state the higher level api may then
re-interpret the PKCS#11 error such as "CKR_USER_NOT_LOGGED_IN" returned
by NSS softoken Module in FIPS mode and then the JSS layer would prompt
for the NSS FIPS User password. If the module is in FIPS mode with the
user logged in su

Re: status of NSS FIPS-140 certification on SPARC Solaris 10

2009-01-28 Thread Glen Beasley


On 1/28/09 9:56 AM, Wan-Teh Chang wrote:

On Tue, Jan 27, 2009 at 9:56 PM,  wrote:
   

Hi,

I wonder if someone could clear to me the status of NSS FIPS-140
certification on SPARC Solaris 10. According to 
https://wiki.mozilla.org/FIPS_Validation
the latest certified NSS "crypto module" version is 3.11.4 (AFAIK this
"crypto module" is part of NSS libraries 3.11.4 and 3.11.5) and the
list of platforms includes:
   # Solaris 10 64-bit SPARC v9
   # Solaris 10 32-bit SPARC v8+

However the issued NIST certificate mentions only one SPARC platform:
   # Sun Blade 2500 Workstation with UltraSPARC IIIi CPU, Sun Trusted
Solaris Version 8 4/01, Extended ECC.
and one Solaris 10 x86 platform:
   # Sun W2100z workstation with dual AMD Opteron CPUs, 64-bit Solaris
10,
Extended ECC.

As far as I understand, vendor and/or user may recompile FIPS-
certified software on a "compatible" platform (assuming that no
changes to the source code are required) and retain FIPS-140
certification. Can we use this clause to claim NSS certification on
Solaris 10 SPARC platforms? Is this claim based on the certificate for
Solaris 10 x86 or Solaris 8 SPARC platforms?
 


Yes, you can use this clause to claim NSS certification on
Solaris 10 SPARC platforms, based on the certificate for
*Trusted* Solaris 8 SPARC.

In addition, if Solaris 10 has been Common Criteria evaluated
at EAL2 or higher (you may need to install some extensions),
you can claim certification at Level 2.

   

Also what is the status of the latest FIPS-140 certification of NSS
3.12? The Wiki says that it was planned for Fall 2008 and I wonder how
does it go (I see that the module is in IUT state on the NIST site).
What platforms will it be certified on?
 


It's still in an early stage.  We're getting ready to start
the algorithm testing.  I don't know what platforms it
will be certified on.

   

The platforms are listed on
https://wiki.mozilla.org/FIPS_Validation

*  Level 1
  o Windows XP Service Pack 2
  o Mac OS X 10.5
* Level 2
  o RHEL 5 x86 32 bit
  o RHEL 5 x86 64 bit
  o Solaris 10 64-bit SPARC v9
  o Solaris 10 32-bit SPARC v8+
  o Solaris 10 32-bit x86
  o Solaris 10 64-bit x86_64

Note: the NIST certificates will list the actual machine the testing lab 
used to test on. These machines can be old and may not
even be currently sold. One needs to pay attention to the OS and 
Architecture/Instruction Set that the binary was built for.


-glen

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: JSS API for FIPS Self Tests

2009-01-15 Thread Glen Beasley


ksreedha...@gmail.com wrote:

On Jan 14, 10:21 am, Glen Beasley  wrote:
  

Sreedhar Kamishetti wrote:



Hello,
  
I just started looking at JSS.
  
Can some one point me to the API provided by JSS for running Power Up

and Conditional Self Tests for various cryptographic modules/algorithms?
  

JSS is a JAVA interface to NSS; basically a JNI wrapper for NSS. JSS in
FIPS mode or Non-FIPS mode does not do any crypto
at the java layer and instead, via JNI calls, requests NSS to perform
the cryptographic operations.

Thus the PowerUp and Conditional Self Test are in 
NSS.http://mxr.mozilla.org/security/source/security/nss/lib/softoken/fips...

The PowerUp tests will be performed when NSS is initialized in FIPS mode.

Java application using JSS are said to be FIPS compliant by either
loading NSS in FIPS mode
or using the JSS provided methods to put NSS in FIPS mode. As with C
applications that want to
be FIPS compliant, Java applications using JSS loading (NSS in FIPS
mode) must adhere to
the "Security Rules" specified in the NSS security policy:

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp814.pdf

Some Related links:https://wiki.mozilla.org/FIPS_Validation
Sample test 
program:http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/t...

-glen






Thanks Glen for the reply. I understood that NSS takes care of Self
Tests. But FIPS require on demand tests also right. So, I wondering is
there an easy way to trigger these tests.
  
Shutting down and restarting the application satisfies the requirement 
to execute power-up self-tests on demand
by the user as defined in Section 4.9.1 of FIPS 140-2 . Each time you 
launch your java app and initialize JSS, it can

load NSS in FIPS mode and run the power up self tests.

"In addition to performing the power-up tests when powered up, a 
cryptographic module shall permit
operators to initiate the tests on demand for periodic testing of the 
module.  Resetting, rebooting, and power
cycling are acceptable means for the on-demand initiation of power-up 
tests. "


http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf

-glen


Thanks,
Sreedhar
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
  


___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: JSS API for FIPS Self Tests

2009-01-14 Thread Glen Beasley


Sreedhar Kamishetti wrote:


Hello,

 


I just started looking at JSS.

 

Can some one point me to the API provided by JSS for running Power Up 
and Conditional Self Tests for various cryptographic modules/algorithms?


JSS is a JAVA interface to NSS; basically a JNI wrapper for NSS. JSS in 
FIPS mode or Non-FIPS mode does not do any crypto
at the java layer and instead, via JNI calls, requests NSS to perform 
the cryptographic operations.


Thus the PowerUp and Conditional Self Test are in NSS.
http://mxr.mozilla.org/security/source/security/nss/lib/softoken/fipstest.c

The PowerUp tests will be performed when NSS is initialized in FIPS mode.

Java application using JSS are said to be FIPS compliant by either 
loading NSS in FIPS mode
or using the JSS provided methods to put NSS in FIPS mode. As with C 
applications that want to
be FIPS compliant, Java applications using JSS loading (NSS in FIPS 
mode) must adhere to

the "Security Rules" specified in the NSS security policy:

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp814.pdf

Some Related links:
https://wiki.mozilla.org/FIPS_Validation
Sample test program:
http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/FipsTest.java

-glen



 


Thanks,

Sreedhar



___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
  


___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: JSS doesn't support AES key unwrapping

2009-01-13 Thread Glen Beasley


alex.agra...@gmail.com wrote:

FYI - I submitted a patch that fixes the problem.
See https://bugzilla.mozilla.org/show_bug.cgi?id=470982 for details.
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
  
thank you. I put myself as reviewer. Note once you have a created a bug 
you can keep communication in the bug.


-glen

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Building NSS on Vista

2008-12-22 Thread Glen Beasley


hi,

ps_mitrofa...@mail.ru wrote:

On 22 дек, 20:08, Nelson B Bolyard  wrote:
   

ps_mitrofa...@mail.ru wrote, On 2008-12-22 08:45:
Please supply more output from the gmake run, like (say) the last 20
lines of output
 


There is building log(but there are only 5  lines of output):
   

gmake nss_build_all
   

process_begin:CreateProcess((null),pwd,..) failed.
process_begin:CreateProcess((null),pwd,..) failed.
cd ../coreconf ; gmake
System could not find mentioned path.
gmake: *** [build_coreconf] Error 1


   
did you install the MozillaBuild 1.3 package, and launch the correct 
start-msvc*.bat file?

review:
https://developer.mozilla.org/en/Windows_Build_Prerequisites#MozillaBuild

Building on Vista works great using the MSYS build enviroment. You just 
need a little patience and

follow the correct steps to get your enviroment correct.


-glen







Sorry for bad translation. As you can see it isn't working from the
start. And as I said, I have "coreconf" directory.
  I'll be appreciated for any help.

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
   


___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: JSS NSS sun.security.pkcs11.SunPKCS11

2008-12-18 Thread Glen Beasley


banzai wrote:

Hi all,

I have tried to read all the certificates in NSS.
you probably know this but you of course can use the built in Firefox 
Certificate Manager

Options->Advanced->View Certificates

I a little confused by some of the info provided. One you can configure 
Sun PKCS#11 provider to
use NSS PKCS#11 implementation but you cannot configure SunPKCS11 to use 
JSS at all.


For SunPkcs11/NSS rather than using keytool I think you should write 
your own applet and
play with the available api. You should be able to see all the 
Certificates you want to.


http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html#NSS

Instead you can write an applet that loads JSS/NSS; you would not use 
SunPKCS11.

http://www.mozilla.org/projects/security/pki/jss/
http://www.mozilla.org/projects/security/pki/jss/provider_notes.html
sample code: 
http://mxr.mozilla.org/mozilla/source/security/jss/org/mozilla/jss/tests/

http://java.sun.com/j2se/1.5.0/docs/guide/deployment/deployment-guide/keystores.html

Note: If you plan on writing an applet that uses JSS in Firefox on 
windows please read

the http://www.mozilla.org/projects/security/pki/jss/jss_build_4.2.5.html

One of the issue with an applet is to how to init JSS with the correct 
Profile directory


http://kb.mozillazine.org/Profile_folder_-_Firefox#Finding_the_profile_folder

-glen


Unfortunately the
current setting only allowed listing of either soft token certficates
in NSS or the smart card token . My objective is to read all the
certiifates inside the firefox keystores, the soft token and smart
card certificates as in PKCS11ListCert function.

The current setting is:
1) In the nss.cfg
name = NSS
nssSecmodDirectory = C:\Users\user1\AppData\Roaming\Mozilla\Firefox
\Profiles\zgk9nrxt.default
2)In the java.security
security.provider.10=sun.security.pkcs11.SunPKCS11   c:/javadev/
nss.cfg

The run test command: running keytool -keystore NONE -storetype PKCS11
-list -v
Result: It only list soft token certificates

if i switch the configuration to accept the opensc framework
1) In the sc.cfg
name = smartcard
library = C:\windows\system32\my-pkcs11.dll
2)In the java.security
security.provider.10=sun.security.pkcs11.SunPKCS11   c:/javadev/sc.cfg
Result: It lists the PKCS11 - smart card certificates

Reading from the previous groups posts, it lead to the usage of JSS
module as a solution.
I have setup the environement for JSS and tested with the testing
program provided by mozilla. So far so good..

Now, how should i go to set the JSS inside the cfg file ?
name = JSS
library = C:\Program Files\Mozilla Firefox\jss4.dll
and .. it does not work. I can't find jssArgs to replace the nssArgs
as in config.java file

Any configuration guide that i have missed..?

Thank you
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
   


___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: FIPS compliant version of NSS

2008-10-30 Thread Glen Beasley


On 10/29/08 07:05, Dean wrote:

Hi folks,

I was hoping somebody could confirm or correct my understanding of
which version of NSS is FIPS certified.

As I unserstand from

https://wiki.mozilla.org/FIPS_Validation

Softokn version 3.11.4 is the most recent FIPS certified  version.
And this is a component of NSS 3.11.4 and 3.11.5  This same document
mentions a Target version of Softoken of 3.12.x ... but I have to say,
I'm not sure what they are getting at.

  

We will be starting our next FIPS 140 validation soon, and it will  be on a
softokn 3.12.x release.  (the patch release is still to be determined.)

On the Mozilla site I've only been able to find binaries for NSS
3.11.4.  However, from posts in this forum and reading the document
http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf
section G.4 it seems that I am able to recompile the unchanged source
myself and be able to call the resulting binaries FIPS certified.

Are my assumptions correct?

  
yes. provided you checkout with the RTM tag, make no changes, and build. 
Any changes  after  NSS_3_11_5_RTM did not get get FIPS certified 
certified by a lab.


http://www.mozilla.org/projects/security/pki/nss/nss-3.11.4/nss-3.11.4-build.html



Also, is 3.11.5 really the lastest FIPS certified version of NSS or
can I use later versions in the 3.11.x chain?  How can I tell which
versions of NSS are using the correct version of Softoken and is
that correct version of Softoken 3.11.4 or 3.12.2?

  
Softoken/freebl have version numbers.  There are many  ways to check 
version numbers

on various platforms, here are two ways:
On windows check right click on the library and check the version.
On unix/solaris: strings libsoftokn3.so | grep Header

Also, just to be correct, when I'm talking about the NSS libraries do
I need to call the NSS FIPS complaint libraries, and the Softoken
libraries FIPS certified libraries?
  

correct. Understand that NSS need needs to be put in FIPS compliant mode
please review the security policy.

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp814.pdf

-glen



Thanks



___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
  


___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: JSS not finding built in CA certificates on Linux

2008-10-27 Thread Glen Beasley


hi,

The Root Cert are stored in the PKCS #11 module that is loaded from the 
library libnssckbi.so. 

The default location for libnssckbi.so is the same directory with your 
NSS databases cert8.db,  key3.db,  and  secmod.db. It's

best to just copy libnssckbi. so to this directory with your NSS databases.

The location of libnssckbi.so can be checked/(changed with modutil) by 
cd'ng to your db directory and doing "modutil -list -dbdir ."


[EMAIL PROTECTED]:~/tip/mozilla/tests_results/jss/Macintosh-2.local.1] ls
key3.db  secmod.db cert8.db libnssckbi.dylib
[EMAIL PROTECTED]:~/tip/mozilla/tests_results/jss/Macintosh-2.local.1] 
modutil -list -dbdir .


Listing of PKCS #11 Modules
---
 1. NSS Internal PKCS #11 Module
slots: 2 slots attached
   status: loaded

slot: NSS Internal Cryptographic Services
   token: NSS Generic Crypto Services

slot: NSS User Private Key and Certificate Services
   token: NSS Certificate DB

 2. Root Certs
   library name: 
/Users/b/tip/mozilla/tests_results/jss/Macintosh-2.local.1/libnssckbi.dylib

slots: 1 slot attached
   status: loaded

slot: NSS Builtin Objects
   token: Builtin Object Token
---

have a good day,

glen



-glen


Dean wrote:

I've installed JSS on RedHat Linux and while it runs, it does not seem
able to find any of the built-in Ca certificates.

As I unserstand it these certificates are in libnssckbi.so.  I have
checked to make sure this library is in the same directory with all
the other JSS, NSS and NSPR libraries and it is.

I wrote a simple program to call
  cryptoManager.getCACerts();

On my Linux box it is returning an empty X509Certificate[].  On
Windows I get the expected array of size 103.

I've tried setting LD_LIBRARY_PATH to the directory with all the
shared libraries and that did not help.  As a kind of weird sanity
check, I moved the libjss4.so file out of the libraries directory and
got the expected invocation errors due to a missing library.

Moving libnssckbi.so out of the library directory did not actually
cause any additional errors.  I would still just get back the empty
array.

I'm sure I'm doing something really stupid ... but any help would be
appreciated.

Thanks

...Dean...

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
  


___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: PK11Mode

2008-10-14 Thread Glen Beasley


On 10/13/08 07:00 PM, marcelino esguerra jr wrote:

Good Morning!

I'm Marcelino and I'm new in pkcs. i found this test tool from 
mozilla, the PK11Mode. I checkout them in cvs. However I am confused 
on how to run this. I would like to ask for instructions on this.


Here are some quick instructions:

pk11mode -h

note the "-v for verbose output" is missing  from the help support

Build NSPR/NSS see:
http://developer.mozilla.org/En/NSS_reference/Building_and_installing_NSS/Build_instructions

I don't know what platform you're on so I am going to assume your using 
Solaris.


after building cd ../../dist/SunOS5.10_DBG.OBJ/

You need to set the environment variable LD_LIBRARY_PATH to the full
pathname of the 'lib' subdirectory and the PATH to the bin directory 
'pk11mode'.


run:  pk11mode -v

you can also check out our tinderbox build and test logs and search a 
"view full log" for pk11mode to see various tests run


http://tinderbox.mozilla.org/showbuilds.cgi?tree=NSS

I know this is not complete info but it should get you started.



-glen





Thank you.

Regards,
Marcelino.
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto


___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: "ld: symbol(s) not found" when building JSS on MacOS 10.5

2008-10-03 Thread Glen Beasley

Georges Martin wrote:
> Hello, I'm searching for help in building JSS for MacOS X 10.5.
>
> I've successfully built NSS 3.12, with MOZ_DEBUG_SYMBOLS set or not, 
> but always get a "ld: symbol(s) not found" whenever I try to build JSS, 
> as shown below.
>
> Any clues ? :-)
>
> TIA,
> Georges Martin
>
>
> $ make nss_build_all
>
> perl build_java.pl "SOURCE_PREFIX=../../dist" 
>   
after building NSS/NSPR with nss_build_all

cd ../jss and just type "make" and the Makefile will configure the build 
and exec the build script for you.

http://www.mozilla.org/projects/security/pki/jss/jss_build_4.2.5.html

Note: Java does need to be in your path.

JAVA_HOME=/System/Library/Frameworks/JavaVM.framework/Versions/1.5.0
PATH=$JAVA_HOME/Commands:

export PATH JAVA_HOME

have a good day,

glen


> "SOURCE_RELEASE_PREFIX=../../dist/release/no-policy" 
> "SOURCE_RELEASE_CLASSES_DBG_DIR=classes_DBG" 
> "SOURCE_RELEASE_CLASSES_DIR=classes" "XPCLASS_DBG_JAR=xpclass_dbg.jar" 
> "XPCLASS_JAR=xpclass.jar" build
> Command variables:
> XPCLASS_JAR=xpclass.jar
> XPCLASS_DBG_JAR=xpclass_dbg.jar
> SOURCE_RELEASE_PREFIX=../../dist/release/no-policy
> SOURCE_RELEASE_CLASSES_DIR=classes
> SOURCE_RELEASE_CLASSES_DBG_DIR=classes_DBG
> SOURCE_PREFIX=../../dist
> /System/Library/Frameworks/JavaVM.framework/Versions/1.5.0/Home/bin/javah 
> -classpath ../../dist/classes_DBG -d ../../dist/private/jss/_jni 
> org.mozilla.jss.DatabaseCloser org.mozilla.jss.CryptoManager 
> org.mozilla.jss.crypto.Algorithm 
> org.mozilla.jss.crypto.EncryptionAlgorithm 
> org.mozilla.jss.crypto.PQGParams 
> org.mozilla.jss.crypto.SecretDecoderRing 
> org.mozilla.jss.pkcs11.CertProxy 
> org.mozilla.jss.pkcs11.CipherContextProxy 
> org.mozilla.jss.pkcs11.PK11Module org.mozilla.jss.pkcs11.ModuleProxy 
> org.mozilla.jss.pkcs11.PK11Cert org.mozilla.jss.pkcs11.PK11Cipher 
> org.mozilla.jss.pkcs11.PK11KeyWrapper 
> org.mozilla.jss.pkcs11.PK11MessageDigest 
> org.mozilla.jss.pkcs11.PK11PrivKey org.mozilla.jss.pkcs11.PK11PubKey 
> org.mozilla.jss.pkcs11.PK11SymKey 
> org.mozilla.jss.pkcs11.PK11KeyPairGenerator 
> org.mozilla.jss.pkcs11.PK11KeyGenerator 
> org.mozilla.jss.pkcs11.PK11Token org.mozilla.jss.pkcs11.PrivateKeyProxy 
> org.mozilla.jss.pkcs11.PublicKeyProxy 
> org.mozilla.jss.pkcs11.SymKeyProxy org.mozilla.jss.pkcs11.KeyProxy 
> org.mozilla.jss.pkcs11.PK11Token org.mozilla.jss.pkcs11.TokenProxy 
> org.mozilla.jss.pkcs11.PK11Signature org.mozilla.jss.pkcs11.PK11Store 
> org.mozilla.jss.pkcs11.PK11KeyPairGenerator 
> org.mozilla.jss.pkcs11.SigContextProxy 
> org.mozilla.jss.pkcs11.PK11RSAPublicKey 
> org.mozilla.jss.pkcs11.PK11DSAPublicKey 
> org.mozilla.jss.pkcs11.PK11ECPublicKey 
> org.mozilla.jss.pkcs11.PK11SecureRandom 
> org.mozilla.jss.provider.java.security.JSSKeyStoreSpi 
> org.mozilla.jss.SecretDecoderRing.KeyManager 
> org.mozilla.jss.ssl.SSLSocket org.mozilla.jss.ssl.SSLServerSocket 
> org.mozilla.jss.ssl.SocketBase org.mozilla.jss.util.Debug 
> org.mozilla.jss.util.Password
> cd org; make export
> cd mozilla; make export
> cd jss; make export
> cd util; make export
> make[4]: Nothing to be done for `export'.
> cd crypto; make export
> make[4]: Nothing to be done for `export'.
> cd SecretDecoderRing; make export
> make[4]: Nothing to be done for `export'.
> cd pkcs11; make export
> make[4]: Nothing to be done for `export'.
> cd ssl; make export
> make[4]: Nothing to be done for `export'.
> cd provider; make export
> cd java; make export
> cd security; make export
> make[6]: Nothing to be done for `export'.
> cd lib; make export
> make[1]: Nothing to be done for `export'.
> cd org; make private_export
> cd mozilla; make private_export
> cd jss; make private_export
> cd util; make private_export
> ./../../../../coreconf/nsinstall/Darwin9.4.0_DBG.OBJ/nsinstall -R -m 
> 444 jssutil.h jss_exceptions.h java_ids.h jss_bigint.h jssver.h 
> ./../../../../../dist/private/jss
> cd crypto; make private_export
> ./../../../../coreconf/nsinstall/Darwin9.4.0_DBG.OBJ/nsinstall -R -m 
> 444 Algorithm.h ../../../../../../dist/private/jss
> cd SecretDecoderRing; make private_export
> There are no private exports.
> cd pkcs11; make private_export
> ./../../../../coreconf/nsinstall/Darwin9.4.0_DBG.OBJ/nsinstall -R -m 
> 444 pk11util.h ../../../../../../dist/private/jss
> cd ssl; make private_export
> There are no private exports.
> cd provider; make private_export
> cd java; make private_export
> cd security; make private_export
> There are no private exports.
> There are no private exports.
> There are no private exports.
> There are no private exports.
> There are no private exports.
> There are no private exports.
> cd lib; make private_export
> There are no private exports.
> There are no private exports.
> cd org; make libs
> cd mozilla; make libs
> cd jss; make libs
> ./../../../coreconf/nsinstall/Darwin9.4.0_DBG.OBJ/nsinstall -R -m 664 
> Darwin9.4.0_DBG.OBJ/libjssmanage.a 
> ./../../../../dist/Darwin9.4.0_DBG.OBJ/lib
> cd util; make libs
> ./../../../../coreconf/ns

Re: Re-reading certificates at runtime - Java

2008-09-16 Thread Glen Beasley

hi David,

For JSS with SSLServerSocket if you want to do a reconnect because your 
orginal cert you configured has expired
is now INVALID you would have to re-call setServerCert or 
setServerCertNickname first and configure the new cert.

For the JSS SSLSocket client connection you have the same methods.

http://www.mozilla.org/projects/security/pki/jss/javadoc/org/mozilla/jss/ssl/SSLSocket.html
http://www.mozilla.org/projects/security/pki/jss/javadoc/org/mozilla/jss/ssl/SSLServerSocket.html

If this is a JSS issue  you should be able to recreate the issue by 
modifying  this JSS test program
http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/SSLClientAuth.java 

Please modify the test program to create a reproducible test case with 
the latest JSS, then attach it to a bug.

Please list your exact version of NSPR/NSS/JSS/platform you're using.

If your JSS stand alone test program works, then you should be able  to 
use the cert creation
from SSLClientAuth.java to add the Java LDAP SDK and reproduce the bug. 
Then

make a bug on the Java Ldap SDK team.

I don't know how much development is being done on the Java LDAP SDK, 
but you're
able to download the source build/debug/provide fix. Both JSS and the 
Java LDAP SDK
are open source owned by the Mozilla Foundation and they welcome 
contributions.

http://www.mozilla.org/directory/javasdk.html

Note: in your c++ application if you're able to call NSS_Shutdown and 
re-initialize NSS,

you could do the same with JSS. Some code to help:
http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/CloseDBs.java
But you shouldn't need to shutdown NSS and re-initialize this is really 
frowned upon.
Your application may be 24X7 but this re-reinitialization of NSS is 
basically a

restart of your application.

Again once you installed your new certificates and your old certificates
have INVALID_CREDENTIALS, provided your code doesn't keep trying to use 
the same handle to the
old certificates and instead before attempting to reconnect it obtains 
new handles
to the new valid  certificates then tries a new connection every thing 
should work fine.

Please create a reproducible test case. I expect in the process of doing 
so you
should fix this issue, if not when you have a reproducible JSS test case 
I will

see what I can do. If the issue is with the Java LDAP SDK then likely a fix
would be  needed to the reconnect method.

-glen

On 09/11/08 09:13, David B Hinz wrote:

We are still encountering the problem detailed below that was described by
Steve over a year ago.

Is there anyone that can provide some insight on how we can solve this
problem?

What happens is that some of our applications must run 24x7 yet the user
certificates are changed every 90 days (or sooner based on other 
criteria).
When the certificates are changed while the applications are running 
we get

the INVALID_CREDENTIALS error.

We were able to solve this problem on C++ using the "ldap_unbind_s();
ldapssl_shutdown();" API calls (ldapssl_shutdown() was provided with the
LDAP C SDK 6.x).

As Steve points out there doesn't seem to be a way to do this with the 
Java

LDAP SDK.

After looking at the code the problem seems to be with a singleton that is
used as the JSS or libjss.so layer that is keeping the credentials from
being re-read.  But a modification to the code would be difficult because
the entire design of JSS is based on this singleton.

How do other applications that run 24x7 deal with the problem with
certificates changing while they are running?

We ar using the latest versions of the Java LDAP SDK and JSS.

Is there any active development being done on the Java LDAP SDK that is
currently as version 4.17 and has been for several years?

Is there any active development being done on JSS and libjss.so?

We need to use the JSSSocketFactor() provided by JSS because we need 
to use

the same type of certificates between the Java and C++ code.
JSSESocketFactory() provided by Java used PKCS12 or JKS keys.

We have looked at the Java version of OpenLDAP but it appears to be a
wrapper around the JSSESocketFactory.

Thanks for any info you can provide.

david.

>   This is sort of a follow-on to Mike's message of last Sept. 12.
> It, and Bug 352673 discussion, led us to be able to have our
> applications handle new certificates being created while the apps are
> running.  We detect the INVALID_CREDENTIALS error and call:
>  ldap_unbind_s()
>  ldapssl_shutdown()  (which calls SSL_ClearSessionCache() and
> NSS_Shutdown())
> ...and re-initialize, and everybody's happy - in our C++ world.
> 
>
>Now we need to accomplish the same thing in our Java apps, but
.can't seem to make them let go of and re-fetch certificates.
>We connect with:
>   jsf = new JSSSocketFactory(certDir)
>   conn = new LDAPConnection(jsf)
>   conn.connect()
>   conn.authenticate(), using EXTERNAL mechanism

>After re-creat

Re: Problem with JSS on Ubuntu

2008-09-08 Thread Glen Beasley

Marcin T wrote:
> Hi
>
> I finally discovered what is the issue here. In appears that in case
> of unsigned applets, the code is unable to access SunJCE provider
>
You need to spend your time on "signing the applet" correctly.

You really don't want to get unsigned applets working by modifying your 
java.policy
for the long term, as this grant permission to all applets. Now when you 
surf the web any
applet that is executed has the extra permissions that you configured:

> As a workaround I have set up the following policies using Policy
> Manager:
>
> grant {
>permission java.security.SecurityPermission
> "putProviderProperty.SunJCE";
> };
>
> grant {
>permission java.lang.RuntimePermission "getProtectionDomain";
> };
>
> grant {
>permission java.lang.RuntimePermission
> "accessClassInPackage.sun.security.*";
> };
>
> I don't know how insecure my actions are, but this definitely fixed
> problems with applets under SSL / HTTPS.
>
>
Security - Signed Applets forum:
http://forums.sun.com/forum.jspa?forumID=63&start=0

http://java.sun.com/javase/6/docs/technotes/guides/plugin/
http://java.sun.com/javase/6/docs/technotes/guides/plugin/developer_guide/security.html
 


-glen

> Feel free to send me your ideas how to fix this issue in more elegant
> way.
>
> Best,
> Marcin
> ___
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Problem with JSS on Ubuntu

2008-09-04 Thread Glen Beasley

hi Martin,

As this is not a JSS/NSS/NSPR issue.

Please read:

http://java.sun.com/javase/6/docs/technotes/guides/plugin/

If you have more questions on signing applets I believe your best source 
expert information is
to ask in this forum:

http://forums.sun.com/forum.jspa?forumID=63&start=0


> Woud you know where else I could get help on this topic (i.e. how to
> alter security polcies for unsigned applets ) ?
>
>   
I don't understand why you want to pursue how to get unsigned applets 
working? learn how to sign your applet correctly.

http://java.sun.com/javase/6/docs/technotes/guides/plugin/developer_guide/security.html

*  All unsigned applets are run under the standard applet security 
model.
* If usePolicy is not defined in the java.policy file, then a signed 
applet has the AllPermission permission only if Java Plug-in can verify 
the signers, and the user agrees to granting  the AllPermission 
permission when prompted.
* If usePolicy is defined, then a signed applet has only the 
permissions defined in java.policy and no prompting occurs.


note: I rarely work with applets, but when I do, for debugging an applet 
on my local system only rather than signing the applet I
modify my local java.policy file and add

permission java.security.AllPermission;
permission java.lang.RuntimePermission "loadLibrary.*";


-glen


> Best Regards,
> Marcin
> ___
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>   

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Problem with JSS on Ubuntu

2008-09-03 Thread Glen Beasley

hi,

You only need to install JSS if your applet or the applet you want to 
use requires JSS.

Getting the following URL (you specified) to display correctly over SSL 
in FF3 does not require JSS

https://www.java.com/en/download/help/testvm.xml

The SSL connection and applet do not use JSS, so this problem is not JSS 
related at all.
And if you had JSS installed perfectly, it would not not help the above 
URL to display correctly.
so ignore JSS.

I assume that http works? If not start there.

http://www.java.com/en/download/help/testvm.xml

Since https does not work I would re-read the advice on the page:


If your applet is not displaying properly, please check these additional 
configurations.

   1. Enable the JRE through your Web browser
   2. Enable the JRE through the "Java Plug-in Control Panel"
   3. Clearing your Web Browser Cache

If you are unable to perform any of the steps above due to an error, 
please reinstall the JRE.

Download and installation instructions
http://www.java.com/en/download/help/610300.xml

---

Note I do not have a working Ubuntu system. Also its not clear to me 
that you
actually want/need to use JSS. I think you just want to get this URL

https://www.java.com/en/download/help/testvm.xml working on Ubuntu using FF3.

But if you do want to use JSS after 
getting the above URL working correctly and you are intending to 
have your own java applet use JSS then here is some tips that may
help:

http://java.sun.com/j2se/1.5.0/docs/guide/deployment/deployment-guide/keystores.html

For debugging and testing of your applet that uses JSS you can modify 
your java.policy file

permission java.security.AllPermission;
permission java.lang.RuntimePermission "loadLibrary.*";

Which will allow your applet to initialize JSS and allow JSS to load 
it's dependent NSPR/NSS libraries.
When you need to deploy your applet rather than modifying the 
java.policy file you should sign
your applet.

http://java.sun.com/javase/6/docs/technotes/guides/plugin/developer_guide/rsa_how.html

Also if you want to run an applet that uses JSS on windows, understand 
that Firefox builds
the NSPR/NSS binaries for the OS_TARGET=WIN95 which means you would have to
first build JSS for the OS_TARGET=WIN95 and then install.

hope this helps,

glen


Marcin T wrote:
> Hello
>
> I am trying to solve a problem with java applet  authentication on
> Ubuntu AMD64 in Firefox 3.0 32bit with Java 1.6 32bit.
>
> This distro doesn't come with JSS package (it took a lot of googling
> to actually understand this issue), so I had to install files by hand.
> I can see that installation was ok as command runs fine:
>
>   LD_LIBRARY_PATH=/usr/local/firefox32-3/ CLASSPATH=/usr/local/
> firefox32-3/jss4.jar java
> org.mozilla.jss.tests.SSLClientAuth . passwords
>
> However when I try to run a test java applet over SSL connection, I
> get ClassNotFound exception:
>
>  https://www.java.com/en/download/help/testvm.xml
>
> This is log from console:
>
> security: Loading certificates from Deployment session certificate
> store
> security: Loaded certificates from Deployment session certificate
> store
> security: Checking if certificate is in Deployment denied certificate
> store
> network: Cache entry not found [url:
> https://www.java.com/applet/testvmDynamicJavaComPopUp819/class.class,
> version: null]
> network: Connecting 
> https://www.java.com/applet/testvmDynamicJavaComPopUp819/class.class
> with proxy=DIRECT
> security: Loading certificates from Deployment session certificate
> store
> security: Loaded certificates from Deployment session certificate
> store
> security: Checking if certificate is in Deployment denied certificate
> store
> load: class testvmDynamicJavaComPopUp819.class not found.
> java.lang.ClassNotFoundException: testvmDynamicJavaComPopUp819.class
>   at sun.applet.AppletClassLoader.findClass(AppletClassLoader.java:194)
>   at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
>   at sun.applet.AppletClassLoader.loadClass(AppletClassLoader.java:127)
>   at java.lang.ClassLoader.loadClass(ClassLoader.java:251)
>   at sun.applet.AppletClassLoader.loadCode(AppletClassLoader.java:640)
>   at sun.applet.AppletPanel.createApplet(AppletPanel.java:786)
>   at sun.plugin.AppletViewer.createApplet(AppletViewer.java:2108)
>   at sun.applet.AppletPanel.runLoader(AppletPanel.java:715)
>   at sun.applet.AppletPanel.run(AppletPanel.java:369)
>   at java.lang.Thread.run(Thread.java:619)
>
> Any help will be much appreciated
>
> Best Regards,
> Marcin
> ___
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>   

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: JSS version problem

2008-08-04 Thread Glen Beasley

hi,

JSS 4.3 beta requires NSS 3.12 because it is calling new API that was 
introduced in NSS 3.12.

JSS 4.2.5 should be able to use NSS 3.12 and have no compatibiltity issues.

You don't state the actual error you're seeing.

Could you send me a private version of your applet and instructions on
how to recreate your error in a separte email. I will then debug your 
issue.

thanks,

glen




fercufer wrote:
> Hi
>
> First, sorry for my BAD English
>
> I was developing an applet using JSS. It ran well in firefox but when
> tested it with firefox that use version NSS version 3.12. For example
> firefox-3 or firefox-2.0.0.15 on ubuntu. Seem that NSS 3.12 is
> incompatible with the JSS release that I use (JSS 4.2.5). The last JSS
> release publish in the official site (ftp://ftp.mozilla.org/pub/
> mozilla.org/security/jss/releases/) is the 4.2.5. However  I see in
> the mozilla´s CVS there are versions newer. Specially  there is a
> version 4.3 beta that the author said compatible with NSS 3.12. Is
> this version operational? Is there a site where i can get the
> binaries? nightly builds?. I have trying compile the library in a
> ubuntu but I have problems. To try compile I use
> http://www.mozilla.org/projects/security/pki/jss/jss_build_4.2.5.html
> and 
> http://www.mozilla.org/projects/security/pki/nss/nss-3.11.4/nss-3.11.4-build.html.
> Is there any changes in how to compile the libraries in this news
> versions?
>
> Thanks in advance
> ___
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: JSS import / remove .p12 user certificate

2008-07-22 Thread Glen Beasley

hi,

http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/
google: JSS java applet
http://java.sun.com/j2se/1.5.0/docs/guide/deployment/deployment-guide/keystores.html
google: firefox java applet
http://kb.mozillazine.org/Java

-glen



joshuaaa wrote:
> On Jun 11, 10:04 am, joshuaaa <[EMAIL PROTECTED]> wrote:
>   
>> Hi guys,
>>
>> I'm looking for some guidance on how to import and remove .p12 user
>> certificates in the firefox user cert store. I would imagine
>> everything I need to accomplish this would be in the JSS PKCS12
>> library. Can anyone give me some details on how to go about doing
>> this? I just want to keep things simple and import a .p12 from my c:
>> drive and then remove it.
>>
>> What are the steps necessary to import the file? Sample code?
>> How do you go about finding that particular cert in the user store to
>> remove it?
>>
>> All help is much appreciated.
>> 
>
> Bump!
> ___
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>   

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Failed to toggle FIPS mode with JSS

2008-07-22 Thread Glen Beasley

hello,

Can you ensure that your installation has the ".chk" files in the same 
directory as
their corresponding "dlls". meaning libfreebl3.chk  libsoftokn3.chk need 
to be with libfreebl3.dll  libsoftokn3.dll.

http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/
http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/SetupDBs.java
http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/FipsTest.java

if you want to do anything in FIPS mode you will need to initialize the 
password.

CryptoToken tok = cm.getInternalKeyStorageToken();
tok.initPassword

-glen



Dean wrote:
> Sorry to ask such a simple question, but I have been unable to
> successfully run JSS in FIPs mode.  I am using the binary distribution
> for:
>
> JSS 4.2.5
> NSPR 4.6.4
> NSS 3.11.4
>
> The following (very) simple Java program
>
> import org.mozilla.jss.CryptoManager;
>
>
> public class SimpleTest4 {
>   public static void main(String[] args) throws Exception {
>   System.out.println("Start");
>   CryptoManager.InitializationValues values = new
> CryptoManager.InitializationValues("c:\\test\\db");
>   values.fipsMode =
> CryptoManager.InitializationValues.FIPSMode.ENABLED;
>   CryptoManager.initialize(values);
>   System.out.println("Finish");
>   }
> }
>
> Throws:
>
> Exception in thread "main" java.security.GeneralSecurityException:
> Failed to tog
> gle FIPS mode
> at org.mozilla.jss.CryptoManager.enableFIPS(Native Method)
> at org.mozilla.jss.CryptoManager.initialize(CryptoManager.java:
> 856)
> at SimpleTest4.main(SimpleTest4.java:13)
>
> If I remove the values.fipsMode =
> CryptoManager.InitializationValues.FIPSMode.ENABLED; line the program
> executes and creates the 3 db files in c:\test\db.
>
> I have larger pieces of code that all run fine as long as I don't try
> to set FIPSMode.
>
> I'm running with Windows XP.  the jss4.jar file is on the classpath
> and the directories containing the nspr and nss libs are on my path.
>
> Any help would be appreciated.
> ___
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>   

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: DESede/CBC/NoPadding throws TokenRuntimeException during Cipher.update() for arbitarly sized input

2008-07-16 Thread Glen Beasley

hi,

you're welcome to create a bug, and JSS is open source so you're also 
more than welcome to
provide the suggest code change for review.

Also, if you do find the actual documentation that states "required by the
JCE specification" please include the link in the bug report.

thanks,

glen


Dean wrote:
> It appears that when I call Cipher.update() with arbitrarly sized
> input for a DESede/CBC/NoPadding Cipher I get a TokenRuntimeException
> with the description "Cipher operation failed".
>
> The error is not thrown if the input is a multiple of the cipher's
> block size, in this case a multiple of 8.
>
> Other JCE providers such as Sun and BouncyCastle do not require that
> udpate() be called with complete blocks, only that by the time
> doFinal() is called, a multiple of block size bytes has been passed.
> I'm pretty sure this behaviour is, in fact, the behaviour required by
> the JCE specification.
>
> I'm certainly willing to believe I'm missing something obvious here.
> Has anybody else run into this?  Here is a simple program that
> illustrates the problem.
>
> Using the JSS provider, the program fails on the first call to
> update.  Using BouncyCastle or Sun the program works fine.
>
> Also changing the size of data1 and data2 to a multiple of 8 allows
> JSS to work.
>
> import javax.crypto.Cipher;
> import javax.crypto.KeyGenerator;
> import javax.crypto.SecretKey;
>
> import org.mozilla.jss.CryptoManager;
>
>
> public class SimpleTest2 {
>
>   /**
>* @param args
>*/
>   public static void main(String[] args) throws Exception {
>   CryptoManager.initialize("");
>   Cipher cipher = Cipher.getInstance("DESede/CBC/NoPadding");
>
>   KeyGenerator kg = KeyGenerator.getInstance("DESede");
>   SecretKey key = kg.generateKey();
>
>   cipher.init(Cipher.ENCRYPT_MODE, key);
>
>   byte[] data1 = new byte[60];
>   byte[] data2 = new byte[64];
>   cipher.update(data1);
>   cipher.update(data2);
>   cipher.doFinal();
>   }
> }
> ___
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>   

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Where are the binaries for nss 3.12 and nspr 4.7.1?

2008-06-24 Thread Glen Beasley

hi,

cannot you not just build the binaries yourself?

http://www.mozilla.org/projects/security/pki/nss/nss-3.12/nss-3.12-release-notes.html#docs
http://www.mozilla.org/projects/security/pki/nss/nss-3.11.4/nss-3.11.4-build.html

cvs co -r NSPR_4_7_1_RTM mozilla/nsprpub
cvs co -r NSS_3_12_RTM mozilla/dbm mozilla/security/dbm
cvs co -r NSS_3_12_RTM mozilla/security/coreconf mozilla/security/nss

our Release engineer does post every release to the mozilla ftp site,
and the timing is at his discretion. 

-glen


Larry Melton wrote:
> Maybe I'm missing something obvious here, but where are the binaries for nss 
> 3.12 and nspr 4.7.1?  The most recent ones I can find are for nss 3.11 and 
> nspr 4.6.4.  We do everything in java here, so I've always used the 
> binaries.
>
> Thanks,
> Larry 
>
>
> ___
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>   

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: jss and new libraries in ff3

2008-06-24 Thread Glen Beasley


hello Abraham,

please open a bug on JSS. Attach stack trace, test program and steps to 
recreate.


https://bugzilla.mozilla.org/enter_bug.cgi?product=JSS

I will try to look at your issue then.
>Could I avoid the applet to use the new dll's on 
%ProgramFiles%/Mozilla Firefox/ and use the old versions?


No,  you should not use  the older version of NSPR/NSS. you should use 
the one's that come with firefox.


thanks,

glen


Abraham wrote:

Hi all,

I deployed an applet that uses jss in order to get certs (and 
associated private keys) on firefox keystore and sign electronic 
documents. The applet works well in Firefox 2, but in Firefox 3 the 
browser crashes when my implementation of PasswordCallback provides 
the token password; if a password is not required for the token the 
applet works fine. I've readed about the changes in new release of nss 
and i thought in a possible incompatibility problem... Could it be? 
will be there a new version of jss? Could I avoid the applet to use 
the new dll's on %ProgramFiles%/Mozilla Firefox/ and use the old 
versions? I can´t get any information of the problem from "Crash 
Reports", excuse me if i don't provide too much info.


Thanks a lot.
Regards, Abraham.


___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
  


___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Cannot encrypt cipher via pkcs11 in nss fips mode

2008-06-05 Thread Glen Beasley


Yevgeniy Gubenko wrote:

The main reason not to work with JSS is the following paragraph written in
http://www.mozilla.org/projects/security/pki/jss/provider_notes.html

The following classes don't work very well:

KeyStore: There are many serious problems mapping the JCA keystore interface 
onto NSS's model of PKCS #11 modules. The current implementation is almost 
useless. Since these problems lie deep in the NSS design and implementation, 
there is no clear timeframe for fixing them. Meanwhile, the 
org.mozilla.jss.crypto.CryptoStore class can be used for some of this 
functionality.

We have a lot of use of keystore in our application.
I didn't understand your observation:
  
As long as you're using using NSS to store your certs and keys you 
should have no problem using JSS.
The Mozilla-JSS provider's keystore implementation is almost useless, 
but you can use CryptoStore as the documentation states.
Using JDK6 SunPKCS11 you may manage to access both the Java keystore and 
NSS's but I have

not tried this so I do not know  what your  issues  will be.
http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html#KeyStoreRestrictions


yes NSS supports x509 but does


What did you mean saying "but does"?
  
it was a typo that I didn't edit correctly when I sent the email,  as I 
looked at the time, and realized I had to catch my commuter train.

do disregard the  "but does".

So if NSS supports X509, why do I get the below exception without adding 
another 2 providers?
  

sometimes error messages are not clear.

As well, I wasn't able to run my class with the only dynamically added crypto 
provider, until I enabled both of the following providers in 
jre/lib/security/java.security configuration:

1. security.provider.1=sun.security.pkcs11.SunPKCS11 
${java.home}/lib/security/sunpkcs11-solaris.cfg
2. security.provider.2=sun.security.provider.Sun

These are default providers, you may be able to disable #2, but you 
cannot disable #1 SunPKCS11 if you want

the JDK to talk with NSS's PKCS11.

ie. from your own code:

String configFileName = "/opt/nss/pkcs11.cfg";
java.security.Provider nss = new sun.security.pkcs11.SunPKCS11(configFileName);


If you have an actual issue with JSS or an actual bug with NSS's pkcs11 
implementation you should use this forum.
If you want to get your program working with the JDK's SunPKCS11 then I 
would ask further questions in

http://forum.java.sun.com/index.jspa

have a good day,

glen

Otherwise I got an exception:

Exception in thread "main" java.lang.ExceptionInInitializerError
at javax.crypto.Cipher.getInstance(DashoA13*..)
at decryptPass.main(decryptPass.java:43)
Caused by: java.lang.SecurityException: Cannot set up certs for trusted CAs
at javax.crypto.SunJCE_b.(DashoA13*..)
... 2 more
Caused by: java.security.PrivilegedActionException: 
java.security.cert.CertificateException: X.509 not found
at java.security.AccessController.doPrivileged(Native Method)
... 3 more
Caused by: java.security.cert.CertificateException: X.509 not found
at 
java.security.cert.CertificateFactory.getInstance(CertificateFactory.java:153)
at javax.crypto.SunJCE_b$1.run(DashoA13*..)
... 4 more
Caused by: java.security.NoSuchAlgorithmException: X.509 CertificateFactory not 
available
at sun.security.jca.GetInstance.getInstance(GetInstance.java:142)
at 
java.security.cert.CertificateFactory.getInstance(CertificateFactory.java:148)

Doesn't NSS3.11.4 crypto API support all X.509 stuff?



yes NSS supports x509 but does
  

Best Regards,
Yevgeniy

-----Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Glen Beasley
Sent: Wednesday, June 04, 2008 18:15
To: mozilla's crypto code discussion list
Subject: Re: Cannot encrypt cipher via pkcs11 in nss fips mode

hello,


Your chosen set of operations to be performed is: "DESede/CBC/NoPadding"

DESede is a block cipher and operates on 8-byte blocks. Thus, input to
DESede Cipher with CBC mode and "NoPadding"
scheme should be in multiple of 8 bytes for the encryption/decryption to
succeed.

I was able to get your program working by adding two bytes to the
following line.

   String password = "passwordString!!";  //16 bytes

If you need to have variable lengths of input you need to first pad your
data, then encrypt.
After you decrypt you need to remove the pad.

some links for your review:

http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html
http://tools.ietf.org/html/rfc2898
http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/JCASymKeyGen.java

have a good day,

glen


Yevgeniy Gubenko wrote:



Hi,

I'm a new incomer trying to handle keying material

Re: Cannot encrypt cipher via pkcs11 in nss fips mode

2008-06-05 Thread Glen Beasley

Yevgeniy Gubenko wrote:
> Hi Glen,
> Thanks a lot for your detailed reply and the reference to relevant material.
> Your solution worked nice, but I realized that after the decryption, first 8 
> characters were variable, so I had to add 8 characters before the encryption 
> (in my case, 16 after padding, and another 8 for removal after decrypt).
>   
I don't quite follow the above issue.

Instead of trying to work at the PKCS11 layer. Why don't you try to do 
what you want with JSS? The JSS api is higher level and
should be easier to work with then the PKCS11 layer. JSS is FIPS 
compliant as  it  requests  NSS  to  do any and all crypto within
the NSS PKCS11 cryptographic boundary.

http://www.mozilla.org/projects/security/pki/jss/
sample code:
http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests

-glen

> As well, I wasn't able to run my class with the only dynamically added crypto 
> provider, until I enabled both of the following providers in 
> jre/lib/security/java.security configuration:
>
> 1. security.provider.1=sun.security.pkcs11.SunPKCS11 
> ${java.home}/lib/security/sunpkcs11-solaris.cfg
> 2. security.provider.2=sun.security.provider.Sun
>
> Otherwise I got an exception:
>
> Exception in thread "main" java.lang.ExceptionInInitializerError
> at javax.crypto.Cipher.getInstance(DashoA13*..)
> at decryptPass.main(decryptPass.java:43)
> Caused by: java.lang.SecurityException: Cannot set up certs for trusted CAs
> at javax.crypto.SunJCE_b.(DashoA13*..)
> ... 2 more
> Caused by: java.security.PrivilegedActionException: 
> java.security.cert.CertificateException: X.509 not found
> at java.security.AccessController.doPrivileged(Native Method)
> ... 3 more
> Caused by: java.security.cert.CertificateException: X.509 not found
> at 
> java.security.cert.CertificateFactory.getInstance(CertificateFactory.java:153)
> at javax.crypto.SunJCE_b$1.run(DashoA13*..)
> ... 4 more
> Caused by: java.security.NoSuchAlgorithmException: X.509 CertificateFactory 
> not available
> at sun.security.jca.GetInstance.getInstance(GetInstance.java:142)
> at 
> java.security.cert.CertificateFactory.getInstance(CertificateFactory.java:148)
>
> Doesn't NSS3.11.4 crypto API support all X.509 stuff?
>   
yes NSS supports x509 but does
> Best Regards,
> Yevgeniy
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Glen Beasley
> Sent: Wednesday, June 04, 2008 18:15
> To: mozilla's crypto code discussion list
> Subject: Re: Cannot encrypt cipher via pkcs11 in nss fips mode
>
> hello,
>
>
> Your chosen set of operations to be performed is: "DESede/CBC/NoPadding"
>
> DESede is a block cipher and operates on 8-byte blocks. Thus, input to
> DESede Cipher with CBC mode and "NoPadding"
> scheme should be in multiple of 8 bytes for the encryption/decryption to
> succeed.
>
> I was able to get your program working by adding two bytes to the
> following line.
>
>String password = "passwordString!!";  //16 bytes
>
> If you need to have variable lengths of input you need to first pad your
> data, then encrypt.
> After you decrypt you need to remove the pad.
>
> some links for your review:
>
> http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html
> http://tools.ietf.org/html/rfc2898
> http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
> http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/JCASymKeyGen.java
>
> have a good day,
>
> glen
>
>
> Yevgeniy Gubenko wrote:
>   
>> Hi,
>>
>> I'm a new incomer trying to handle keying material for NSS fips mode.
>> This is the case:
>> I am working with pkcs11 provider on Solaris 10, which is configured
>> to work with mozilla NSS provider.
>> This is my configuration file for pkcs11 provider :
>> name = NSScrypto
>> nssLibraryDirectory = /opt/nss/lib
>> nssSecmodDirectory = /opt/nss/fipsdb
>> nssModule = fips
>>
>> I've created NSS Database and modified it to work in fips module:
>> certutil -N -d /opt/nss/fipsdb
>> modutil -fips true -dbdir /opt/nss/fipsdb
>>
>> Then I created a key in the DB:
>> symkeyutil -K -n test1 -t des3  -d /opt/nss/fipsdb
>>
>> Now let's get to my Java code which should retrieve the key from the
>> DB and use it as a SecretKey to encrypt/decrypt passwords.
>> This is a class which encrypts password:
>>
>> import javax.crypto.SecretKeyFactory;
>>
>> import javax.crypto.spec.DESedeKeySpec;

Re: Cannot encrypt cipher via pkcs11 in nss fips mode

2008-06-04 Thread Glen Beasley

hello,


Your chosen set of operations to be performed is: "DESede/CBC/NoPadding"

DESede is a block cipher and operates on 8-byte blocks. Thus, input to 
DESede Cipher with CBC mode and "NoPadding"
scheme should be in multiple of 8 bytes for the encryption/decryption to 
succeed.

I was able to get your program working by adding two bytes to the 
following line.

   String password = "passwordString!!";  //16 bytes

If you need to have variable lengths of input you need to first pad your 
data, then encrypt.
After you decrypt you need to remove the pad.

some links for your review:

http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html
http://tools.ietf.org/html/rfc2898
http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/JCASymKeyGen.java

have a good day,

glen


Yevgeniy Gubenko wrote:
>
> Hi,
>
> I'm a new incomer trying to handle keying material for NSS fips mode.
> This is the case:
> I am working with pkcs11 provider on Solaris 10, which is configured 
> to work with mozilla NSS provider.
> This is my configuration file for pkcs11 provider :
> name = NSScrypto
> nssLibraryDirectory = /opt/nss/lib
> nssSecmodDirectory = /opt/nss/fipsdb
> nssModule = fips
>
> I've created NSS Database and modified it to work in fips module:
> certutil -N -d /opt/nss/fipsdb
> modutil -fips true -dbdir /opt/nss/fipsdb
>
> Then I created a key in the DB:
> symkeyutil -K -n test1 -t des3  -d /opt/nss/fipsdb
>
> Now let's get to my Java code which should retrieve the key from the 
> DB and use it as a SecretKey to encrypt/decrypt passwords.
> This is a class which encrypts password:
>
> import javax.crypto.SecretKeyFactory;
>
> import javax.crypto.spec.DESedeKeySpec;
>
> import javax.crypto.spec.DESKeySpec;
>
> import javax.crypto.SecretKey;
>
> import javax.crypto.Cipher;
>
> import javax.crypto.spec.IvParameterSpec;
>
> import java.security.*;
>
>  
>
> public class encryptPass
>
> {
>
> public static void main(String[] args)
>
> {
>
> try
>
> {
>
>String configFileName = "/opt/nss/pkcs11.cfg";
>
>java.security.Provider nss = new 
> sun.security.pkcs11.SunPKCS11(configFileName);
>
>java.security.Security.insertProviderAt(nss,1);
>
>java.security.KeyStore ks = 
> java.security.KeyStore.getInstance("PKCS11", nss);
>
>char[] nssDBPassword = {'f','i','p','s','1','4','0','-','2'};
>
>ks.load(null, nssDBPassword);
>
>SecretKey key = (SecretKey) ks.getKey("test1", nssDBPassword);
>
>  
>
>  
>
>//iv for CBC mode - note, in practice you don't generate a 
> random iv for decryption :)
>
>byte[] iv = new byte[8];  //64-bit block size for 3DES
>
>SecureRandom sr = SecureRandom.getInstance("PKCS11", nss);
>
>sr.nextBytes(iv);
>
>IvParameterSpec params = new IvParameterSpec(iv);
>
>  
>
>  
>
>Cipher encryptCipher = 
> Cipher.getInstance("DESede/CBC/NoPadding", nss);
>
>encryptCipher.init(Cipher.ENCRYPT_MODE, key, params);
>
>System.out.println("encryptCipher provider: " + 
> encryptCipher.getProvider().getName());
>
>String password = "passwordString";
>
>byte[] passBytes = password.getBytes();
>
>byte[] passBytesEncrypt = encryptCipher.doFinal(passBytes);
>
> }
>
> catch (Exception ex)
>
> {
>
> ex.printStackTrace();
>
> }
>
> }
>
> }
>
>  
>
> The output from the class execution is:
>
>
> encryptCipher provider: SunPKCS11-NSScrypto
>
> java.security.ProviderException: update() failed
>
> at sun.security.pkcs11.P11Cipher.implUpdate(P11Cipher.java:460)
>
> at sun.security.pkcs11.P11Cipher.engineUpdate(P11Cipher.java:391)
>
> at 
> sun.security.pkcs11.P11Cipher.engineDoFinal(P11Cipher.java:422)
>
> at 
> sun.security.pkcs11.P11Cipher.engineDoFinal(P11Cipher.java:409)
>
> at javax.crypto.Cipher.doFinal(DashoA13*..)
>
> at encryptPass.main(encryptPass.java:48)
>
> Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DEVICE_ERROR
>
> at sun.security.pkcs11.wrapper.PKCS11.C_EncryptUpdate(Native 
> Method)
>
> at sun.security.pkcs11.P11Cipher.implUpdate(P11Cipher.java:450)
>
> ... 5 more
>
>  
>
> From the other hand I have a symmetric class which decrypts the 
> passwords with the same doFinal method (the difference is that the 
> cipher is initialized in DECRYPT_MODE) and it succeeds to run.
> Any suggestions will be appreciated.
>
>  
>
>  
>
>
> This email and any files transmitted with it are confidential 
> material. They are intended solely for the use of the designated 
> individual or entity to whom they are addressed. If the reader of this 
> message is not the intended recipient, you are hereby notified that 
> any dissemination, use, distribution or copy

Re: JSS setup incorrectly? Cryptomanager will not initialize.

2008-05-27 Thread Glen Beasley


Nelson B Bolyard wrote:

joshuaaa wrote, On 2008-05-24 18:35:

  

I installed jss today and attempted to run a test application with no
luck. I've gone through many previous posts here and read the "using
jss" section multiple times... still haven't figured out what the
problem is. The cryptomanager will not initialize because apparently
my jss4.dll can't find *something*... what ever that happens to be.



Actually, it's trying to load jss4.dll and is saying it can't do so.
Major clues at
http://www.google.com/search?q=java.lang.UnsatisfiedLinkError+jss4.dll

  

The error:

Exception in thread "main" java.lang.UnsatisfiedLinkError: C:\jss\lib\jss4.dll:
The specified procedure could not be found
at java.lang.ClassLoader$NativeLibrary.load(Native Method)

nelson's correct the jss4.dll is not able to load. if the jss4.dll is 
indeed in your path then
jss4.dll library dependencies are not. JSS needs to load the NSS and 
NSPR libraries as well.


Please check your path.

http://www.mozilla.org/projects/security/pki/jss/using_jss.html

A good way to ensure you have your path correct is to use the JSS test 
programs start with


java -cp jss4.jar org.mozilla.jss.tests.SetupDBs . ./passwords

http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/SetupDBs.java
where the  format of  the passwords file is
http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/passwords

-glen

at java.lang.ClassLoader.loadLibrary0(Unknown Source)
at java.lang.ClassLoader.loadLibrary(Unknown Source)
at java.lang.Runtime.loadLibrary0(Unknown Source)
at java.lang.System.loadLibrary(Unknown Source)
at
org.mozilla.jss.CryptoManager.loadNativeLibraries(CryptoManager.java:1339)
at org.mozilla.jss.CryptoManager.initialize(CryptoManager.java:827)
at org.mozilla.jss.CryptoManager.initialize(CryptoManager.java:800)



The source is seen at

and


  

Environment vars:
CLASSPATH = C:\jss\lib\jss4.jar
PATH = C:\jss\lib\
(have tried the path with and without the trailing \)



If that's really your whole PATH, that's the problem.  In that case,
it seems that you have replaced your normal PATH with the above string,
instead of ADDING the above string to the normal path.  jss4.dll needs
other system shared libraries to load, but can't find them because the
PATH doesn't contain the location of the other system shared libraries.
Try PREPENDING that to the normal path, e.g. in Windows command prompt.
Try

set PATH=C:\jss\lib;%PATH%

or, if you use a UNIX-like shell on Windows, try

PATH="C:/jss/lib;$PATH"; export PATH

  

Operating System: Vista
Java -version:
java version "1.6.0_05"
Java(TM) SE Runtime Environment (build 1.6.0_05-b13)

I have tried WINNT and WIN954 builds for NSS 3.9.2 and NSPR 4.6.4...
what's the difference?
Am I missing something?

All input is welcome and much appreciated.



Disclaimer: I am not the JSS guru.  You may get a better answer from our
JSS guru in a few days.
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
  


___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Elliptic Curve Key Generation Parameter Names for Standard Curvesin JSS

2008-05-22 Thread Glen Beasley

mozilla wrote:
> Thanks.  That helps. The referenced Java program implies that 192 and 224
> are recognized values for the kpg initialize method. However, the program
> accepted the parameters to initialize but generated errors when attempting
> to generate the keys. (The program worked for generating pairs using 256,
> 384, and 512.)
>
> Does that error make sense? Are there other limitations on the values
> supported?  Thanks again.
>
One can build two versions of NSS. Basic ECC and extended ECC with the 
flags:

NSS_ENABLE_ECC=1
NSS_ECC_MORE_THAN_SUITE_B=1
and the correct version of
http://mxr.mozilla.org/security/source/security/nss/lib/freebl/ecl/ecl-curve.h

JSS assumes you know which ECC version of NSS you're using.

The basic ECC version of NSS only provides:

NIST_P256, NIST_P384, and NIST_521.

-glen
> Bill Price
> "Glen Beasley"<[EMAIL PROTECTED]>  wrote in message
> news:[EMAIL PROTECTED]
>
>> Bill Price wrote:
>>  
>>> Based on the LXR examples on the JSS test page I appear to be able to
>>> generate Elliptic Curve Pairs. The examples show generation of keys of
>>> various length. However, I would like to generate key pairs using the
>>> standard curves recognized by NIST or included in Suite B. The Java
>>> documentation has an ECGenParameterSpec that takes a string name for the
>>> standard or predefined curve. I tried modifying the programs to accept
>>>
> the
>
>>> parameter and guessing at the names from Suite B without success.
>>>
>>>
> http://java.sun.com/j2se/1.5.0/docs/api/java/security/spec/ECGenParameterSpec.html
>
>> was introduced in J2SE 1.5.
>>
>> JSS cannot provide ECGenParameterSpec at this time since JSS still has
>> to work with J2SE 1.4.2 (so FUN...)
>>
>> but the current implemenation creates the suite B curves by default.
>> Meaning JSS PK11KeyPairGenerator is
>> hard coded for a specific strengh.  To find out the JSS defaults look at:
>>
>>
>>  
> http://lxr.mozilla.org/mozilla/source/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.java#617
>
>> so:
>>   kpg = java.security.KeyPairGenerator.getInstance("EC",
>> "Mozilla-JSS");
>>   kpg.initialize(256);
>>   keyPair = kpg.genKeyPair();
>>   System.out.println("Generated 256-bit EC KeyPair!");
>>
>> The 256 key is */NIST P-256 == SECG P-256R1 (TLS-23)/* and JSS is not
>> able to create */SECG P-256K1 (TLS-22)/*
>>
>> hope this helps,
>>
>> glen
>>
>>
>>  
>>> Does JSS have the ability to generate keypairs using the standard
>>>
> curves? If
>
>>> so, is there a list of the recognized names (as Strings)?
>>>
>>> Thanks.
>>>
>>> Bill Price
>>>
>>>
>>>
>>> ___
>>> dev-tech-crypto mailing list
>>> dev-tech-crypto@lists.mozilla.org
>>> https://lists.mozilla.org/listinfo/dev-tech-crypto
>>>
>>>
>
>
> ___
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Elliptic Curve Key Generation Parameter Names for Standard Curves in JSS

2008-05-21 Thread Glen Beasley

Bill Price wrote:
> Based on the LXR examples on the JSS test page I appear to be able to
> generate Elliptic Curve Pairs. The examples show generation of keys of
> various length. However, I would like to generate key pairs using the
> standard curves recognized by NIST or included in Suite B. The Java
> documentation has an ECGenParameterSpec that takes a string name for the
> standard or predefined curve. I tried modifying the programs to accept the
> parameter and guessing at the names from Suite B without success.
>
http://java.sun.com/j2se/1.5.0/docs/api/java/security/spec/ECGenParameterSpec.html
 

was introduced in J2SE 1.5.

JSS cannot provide ECGenParameterSpec at this time since JSS still has 
to work with J2SE 1.4.2 (so FUN...)

but the current implemenation creates the suite B curves by default. 
Meaning JSS PK11KeyPairGenerator is
hard coded for a specific strengh.  To find out the JSS defaults look at:

http://lxr.mozilla.org/mozilla/source/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.java#617

so:
 kpg = java.security.KeyPairGenerator.getInstance("EC", 
"Mozilla-JSS");
 kpg.initialize(256);
 keyPair = kpg.genKeyPair();
 System.out.println("Generated 256-bit EC KeyPair!");

The 256 key is */NIST P-256 == SECG P-256R1 (TLS-23)/* and JSS is not 
able to create */SECG P-256K1 (TLS-22)/*

hope this helps,

glen


> Does JSS have the ability to generate keypairs using the standard curves? If
> so, is there a list of the recognized names (as Strings)?
>
> Thanks.
>
> Bill Price
>
>
>
> ___
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Using RSA in JSS to encrypt/decrypt data

2008-04-03 Thread Glen Beasley

Dean wrote:
> Hi folks,
>
> I've been trying to use the JSS APIs to encrypt and decrypt data using
> an RSA Cipher
JSS supports RSA for signing (and signature verification) and for 
wrapping and unwrapping keys (encrypting and decrypting keys), but not 
for encrypting or encrypting of data.

JSS only supports encrypting of non-Key data using symmetric encryption 
algorithms.

No Internet standard protocols use RSA to encrypt data. They all encrypt 
data with symmetric algorithms and use RSA to encrypt symmetric keys.

JSS should of returned an error stating that it did not support RSA for 
encrypt/decrypt of data. I have opened bug
https://bugzilla.mozilla.org/show_bug.cgi?id=426908

Example of encrypt/decrypt of data with a symmetric key algorithm:
http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/JCASymKeyGen.java

Example of signing:
http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/JCASigTest.java

Example of key wrapping:
http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/KeyWrapping.java
-glen

 
>  but I keep getting an InvalidKeyException.  Invalid key
> type: org.mozilla.jss.pkcs11.PK11RSAPublicKey.
>
> I have a sample that works with our own JCE provider and the JCE
> provider from Bouncy Castle.  I've been googling around trying to get
> a straight answer on whether RSA Cipher is truly supported by JSS and
> don't really see anything definite.  So thought I would ask here.
>
> Here is the sample code.  As I said, it works fine with Bouncy Castle
> and our own JCE provider implementation.  The JSS web pages seem to
> claim that RSA is a supported cipher type, and the getInstance
> certainly works
>
> Any suggestions would be appreciated.
>
> package jsse;
>
> import java.io.File;
> import java.security.KeyPair;
> import java.security.KeyPairGenerator;
> import java.security.Security;
>
> import javax.crypto.Cipher;
>
> import org.bouncycastle.jce.provider.BouncyCastleProvider;
> import org.mozilla.jss.CryptoManager;
> import org.mozilla.jss.crypto.AlreadyInitializedException;
> import org.mozilla.jss.crypto.CryptoToken;
> import org.mozilla.jss.util.Password;
>
> public class TestRSA {
>   public static void main(String[] args) throws Exception {
>
>   Security.addProvider(new BouncyCastleProvider());
>
>   String dir = System.getProperty("java.home")+"./lib/security";
>   new File(dir).mkdirs();
>   CryptoManager.InitializationValues values = new
> CryptoManager.InitializationValues(dir);
>   CryptoManager.initialize(values);
>
>   CryptoManager cm = CryptoManager.getInstance();
>   CryptoToken token = cm.getInternalKeyStorageToken();
>   Password pw = new Password(new char[]{ 'p', 'a', 's', 's', 'w', 
> 'o',
> 'r', 'd' } );
>   cm.setPasswordCallback(pw);
>   try {
>   token.initPassword(pw, pw);
>   } catch (AlreadyInitializedException e) {}
>   token.login(pw);
>
>   byte[] plainText = new byte[53];
>   for (int i = 0; i < plainText.length; i++) {
>   plainText[i] = (byte) i;
>   }
>
>   KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", 
> "Mozilla-
> JSS");
>   kpg.initialize(512);
>
>   KeyPair BobKP = kpg.generateKeyPair();
>
>   // Alice send messasge to Bob
>   Cipher cipher = Cipher.getInstance("RSA", "Mozilla-JSS");
>   cipher.init(Cipher.ENCRYPT_MODE, BobKP.getPublic());
>   byte[] cipherText = cipher.doFinal(plainText);
>
> // Bob decrypts message
>   cipher.init(Cipher.DECRYPT_MODE, BobKP.getPrivate());
>   byte[] result = cipher.doFinal(cipherText);
>
>   System.out.print("[");
>   for (int i = 0; i< result.length; i++) {
>   System.out.print(result[i] + ", ");
>   }
>   System.out.println("]");
>   }
> }
>
>
>
> And then the exception that is thrown
>
> Exception in thread "main" java.security.InvalidKeyException: Invalid
> key type: org.mozilla.jss.pkcs11.PK11RSAPublicKey
>   at
> org.mozilla.jss.provider.javax.crypto.JSSCipherSpi.importKey(JSSCipherSpi.java:
> 123)
>   at
> org.mozilla.jss.provider.javax.crypto.JSSCipherSpi.engineInit(JSSCipherSpi.java:
> 161)
>   at
> org.mozilla.jss.provider.javax.crypto.JSSCipherSpi.engineInit(JSSCipherSpi.java:
> 270)
>   at javax.crypto.Cipher.init(DashoA12275)
>   at javax.crypto.Cipher.init(DashoA12275)
>   at jsse.TestRSA.main(TestRSA.java:47)
> ___
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>   

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozill

Re: problems building NSS 3.11.4 on Solaris

2008-02-22 Thread Glen Beasley

Wan-Teh Chang wrote:
> On Fri, Feb 22, 2008 at 2:57 PM, Gatfield, Geoffrey
> <[EMAIL PROTECTED]> wrote:
>   
>> Hello,
>>
>>  I tried running gmake in the directory and it reported the same error.
>>  The shlibsign binary is created but it appears the sign.sh shell script
>>  fails. I am building with Sun Studio compiler and it is using Solaris
>>  Link Editors: 5.9-1.377.
>> 
>
>   
I logged into a Sun 5.9 box and did a checkout of NSS_3_11_4_RTM and 
built successfully
doing a gmake nss_build_all. I used Sun Studio 12 and gmake-3.80.

what version of gmake are you using?

-glen

> OK, I'll need you to add debugging echo commands to sign.sh to find
> out exactly which command in sign.sh fails, and what the error message:
>   /bin/sh: ../../../../dist/SunOS5.9_DBG.OBJ: cannot create
> means.  That's our only clue.
>
> You should also try setting the LD_LIBRARY_PATH environment variable
> to /home/Fips/nss/nss-3.11.4/mozilla/dist/SunOS5.9_DBG.OBJ/lib
> and see if you can run the shlibsign binary manually.
>
> My colleagues at Sun build NSS using Sun Studio, so this should work,
> and it's not clear what the problem is.
>
> Wan-Teh
> ___
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>   

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Netscape PKCS #11 Test Suite

2008-02-06 Thread Glen Beasley

Erez wrote:
> Ho can I download Netscape PKCS #11 Test Suite source code? 
>   
no. there is a status summary explaining why on  the  netscape PKCS#11 
test suite page.

http://www.mozilla.org/projects/security/pki/pkcs11/netscape/

* Tools: The tools regress, reporter, and replacer have yet to be
  released.
* The tests suite: The test source code was written to use NSS 2.x,
  not NSS 3.x, and would take a lot of work to make it build and run
  with the current NSS 3.x. Volunteers for this work are welcome.
* Other tests : NSS has two other programs that are used for PKCS#11
  testing. They are pk11mode and pk11util. The sources to both are
  in nss/cmd.

access to pk11util and pk11mode
http://mxr.mozilla.org/security/source/security/nss/cmd/pk11util/pk11util.c
http://mxr.mozilla.org/security/source/security/nss/cmd/pk11mode/pk11mode.c

-glen

>
> ___
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>   

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Support for ECDSA in JSS?

2008-01-09 Thread Glen Beasley

Bill Price wrote:
> It appears that JSS supports elliptic curve signatures. If so, are there any 
> documents describing parameters/options or code samples available. Also, 
> what JSS versions support EC? Thanks. 
>
>   
There is no JSS documentation, but you can view code samples in the JSS 
tests directory:
Use the latest JSS version currently JSS 4.2.5.

http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/

The JSS automated QA is kicked off by a perl script called all.pl
http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/all.pl

you can see the results by viewing the full log results of the tinderbox 
results and searching for all.pl:
http://tinderbox.mozilla.org/showbuilds.cgi?tree=NSS
such as the following link (that will expire):
http://tinderbox.mozilla.org/showlog.cgi?log=NSS/1199910600.1199913585.20469.gz&fulltext=1

Please look at the tinderbox JSS QA results to see samples on how to 
execute the following programs:

http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/GenerateTestCert.java
http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/JCASigTest.java
http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/TestKeyGen.java
http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/JSS_SelfServServer.java
http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/JSS_SelfServClient.java

-glen






> ___
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>   

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Regarding mozilla jss on AIX operating system

2007-12-17 Thread Glen Beasley

hi,

Please build nspr/nss/jss AIX yourself.

http://www.mozilla.org/projects/security/pki/jss/jss_build_4.2.5.html - 
links to the nspr/nss build instructions.

note: when you build JSS 4.2.5 you do not need to request your own code 
signing
certificate. You can build the libjss4.so from the cvs tag
cvs co -r JSS_4_2_5_RTM mozilla/security/jss
Then download the signed jss4.jar  4.2.5 version from
from 
ftp://ftp.mozilla.org/pub/mozilla.org/security/jss/releases/JSS_4_2_5_RTM/

-glen

charan wrote:
> I want to delpoy an application which uses mozilla jss on AIX
> operating systems. I downloaded the latest jss release 4.2.5, but i
> find that supporting nss and nspr libraries compiled for AIX are
> missing. Can any one help me how can i do that. what are the libraries
> needed to be downloaded. I deployed jss 3.1.1 on AIX 5.1, but it is
> not able to initialize the certificate database properly, and read the
> certificates in it, with certutil im able to do that.
>
> Any help is appreciated.
>
> Thanks
> ___
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>   

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: problem with jss sha1withrsa verify raising exceptions (works in jss 3.3, jss 3.4 but not jss 4.2.5)

2007-11-14 Thread Glen Beasley


> Conclusion is that nss & jss in mixed builds (win9x and winnt) can't work 
> together nicely.
>
> If you consider this a bug I am going to report it.
>
>   
Thanks for the detail analysis and your conclusion is correct, but the 
fact the win9x and winnt builds
don't work together nicely is expected and is not a considered a bug.

-glen

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: jss & firefox compatible build (win32)

2007-11-13 Thread Glen Beasley

hello,

JSS is open source and you're capable of building (also contributing 
to)  JSS yourself.
Please build the WIN95 version yourself.

We provide some binary releases, as a courtesy, to ftp.mozilla.org but 
we cannot
provide all releases, nor all variants of all platforms that can be 
supported.

http://www.mozilla.org/projects/security/pki/jss/
http://www.mozilla.org/projects/security/pki/jss/jss_build_4.2.5.html

If you are using JSS as a JCA provider, read this document to find out 
how JSS supports (and doesn't support) the JCA specifications.
http://www.mozilla.org/projects/security/pki/jss/provider_notes.html

Note: Apply for your own JCE code-signing certificate following the 
procedure at
http://java.sun.com/j2se/1.5.0/docs/guide/security/jce/HowToImplAJCEProvider.html#Step%205

hope this helps,

glen



Matej Spiller-Muys wrote:
> libnspr vs nspr issue seems to be because JSS uses NT build of nspr, while 
> firefox uses win9x version.
>
> Is it possible to compile working jss using win9x version of nspr (due to 
> missing pr_nt_cancelio)?
>
> ftp://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v4.6/README
> WIN95 vs. WINNT
>
> The WIN95 configuration is a generic WIN32 build that works on
> all versions of 32-bit Windows: Windows 95, 98, Me, NT 4.0,
> 2000, XP, and Server 2003.  The WINNT configuration only works
> on the Windows NT series: Windows NT 4.0, 2000, XP, and Server
> 2003.
>
> The WIN95 name is historical; in hindsight we should have named
> that configuration WIN32.  In general we recommend that you use
> the WIN95 configuration in new applications.Matej Spiller-Muys 
>
>
> ___
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>   

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: problem with jss sha1withrsa verify raising exceptions (works in jss 3.3, jss 3.4 but not jss 4.2.5)

2007-11-13 Thread Glen Beasley

hi,

I was not able to recreate this issue. I only tested on Solaris, I'll 
try other platforms
when I have time. If you still have this issue, please create a bug and
provide as much info as possible.

thanks,

glen


Matej Spiller-Muys wrote:
> Hi,
>
> can someone please confirm the following bug. It seems to be regression in 
> jss.
>
> signatureValue & publicKey & validData1 == valid signature (verify return 
> true in every version of jss)
>
> signatureValue & publicKey & validData2 == invalid signature (verify should 
> return false, since signatureValue is still in the same correct format, but 
> validData2 is different).
>
> Jss 3.3 and Jss 3.4 return true and false ...
>
> Jss 4.2.5 returns true and exception (instead of false)
>
>java.security.SignatureException: Failed to complete verification 
> operation
> at org.mozilla.jss.pkcs11.PK11Signature.engineVerifyNative(Native 
> Method)
> at 
> org.mozilla.jss.pkcs11.PK11Signature.engineVerify(PK11Signature.java:330)
> at org.mozilla.jss.crypto.Signature.verify(Signature.java:156)
> at 
> org.mozilla.jss.provider.java.security.JSSSignatureSpi.engineVerify(JSSSignatureSpi.java:171)
> at java.security.Signature$Delegate.engineVerify(Unknown Source)
> at java.security.Signature.verify(Unknown Source)
>
> please see: 
> http://java.sun.com/j2se/1.5.0/docs/api/java/security/Signature.html#verify(byte[])
> SignatureException - if this signature object is not initialized properly, 
> the passed-in signature is improperly encoded or of the wrong type, if this 
> signature algorithm is unable to process the input data provided, etc.
>
>
>
>
>
> import java.security.InvalidKeyException;
>
> import java.security.NoSuchAlgorithmException;
>
> import java.security.NoSuchProviderException;
>
> import java.security.Signature;
>
> import java.security.SignatureException;
>
>
> import org.apache.xml.security.exceptions.Base64DecodingException;
>
> import org.apache.xml.security.utils.Base64;
>
> import org.mozilla.jss.crypto.InvalidKeyFormatException;
>
>
>
>
>
> String signatureValue = 
> "kxtTIwIASGVZShKBYoRIEjG3ioFmVTi2Esa8dtP+nX71nyWCfPmTwXsjMbI6IMoLygTdDlH/wsjy81XnIPFGjLv8cyW9SCG4+l5pJq5ys1v2YJ+UT5Lb/vZAYZ5tMMHblGSmtzjxgo74zRGjGPfgCuo+SF/06hl6VFphj24F1zw=";
>
> String publicKey = 
> "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCfGkiYRb6lJOacUp8NcIbWZQ7sEbKc3+YGyx4\nn6yrIWKLzy0JSt8V84yeMXl43uxHDY41iQb+SJnamRSjGsZANl2WRONqlVsOVIik/PSzZHaRRxmD\nhB7mixO4DKg03Z90rPdml4C+86URxFzD+LxUyq1SXlbzUvWdHs2lPFwFXQIDAQAB";
>
> String validData1 = 
> "PFNpZ25lZEluZm8geG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPgo8Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnL1RSLzIwMDEvUkVDLXhtbC1jMTRuLTIwMDEwMzE1Ij48L0Nhbm9uaWNhbGl6YXRpb25NZXRob2Q+CjxTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiPjwvU2lnbmF0dXJlTWV0aG9kPgo8UmVmZXJlbmNlIFVSST0iIj4KPFRyYW5zZm9ybXM+PFRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIj48L1RyYW5zZm9ybT48L1RyYW5zZm9ybXM+CjxEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjc2hhMSI+PC9EaWdlc3RNZXRob2Q+CjxEaWdlc3RWYWx1ZT5jb2lya1MzOHB1UWg1blhpZEVsQmtIblpTUDA9PC9EaWdlc3RWYWx1ZT4KPC9SZWZlcmVuY2U+CiAgIDwvU2lnbmVkSW5mbz4=";
>
> String validData2 = 
> "PFNpZ25lZEluZm8geG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPgo8Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnL1RSLzIwMDEvUkVDLXhtbC1jMTRuLTIwMDEwMzE1Ij48L0Nhbm9uaWNhbGl6YXRpb25NZXRob2Q+CjxTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiPjwvU2lnbmF0dXJlTWV0aG9kPgo8UmVmZXJlbmNlIFVSST0iIj4KPFRyYW5zZm9ybXM+PFRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIj48L1RyYW5zZm9ybT48L1RyYW5zZm9ybXM+CjxEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjc2hhMSI+PC9EaWdlc3RNZXRob2Q+CjxEaWdlc3RWYWx1ZT5jb2lya1MzOHB1UWg1blhpZEVsQmtIblpTUDA9PC9EaWdlc3RWYWx1ZT4KPC9SZWZlcmVuY2U+CjwvU2lnbmVkSW5mbz4=";
>
>
> System.out.println(new String(Base64.decode(validData1)));
>
> System.out.println(new String(Base64.decode(validData2)));
>
>
> Signature tmp = Signature.getInstance("SHA1withRSA", "Mozilla-JSS");
>
> org.mozilla.jss.pkcs11.PK11PubKey pkConverted = 
> org.mozilla.jss.pkcs11.PK11RSAPublicKey.fromSPKI(Base64.decode(publicKey));
>
> tmp.initVerify(pkConverted);
>
> tmp.update(Base64.decode(validData2));
>
> System.out.println(tmp.verify(Base64.decode(signatureValue)));
>
>
> tmp.initVerify(pkConverted);
>
> tmp.update(Base64.decode(validData1));
>
> System.out.println(tmp.verify(Base64.decode(signatureValue)));
>
>
>
>
>
> Matej Spiller-Muys
>
>
> ___
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>   

___
dev-tech-crypto mailing lis

Re: Problem with mozilla jss

2007-11-13 Thread glen beasley

charan wrote:
> I want to know whether there is any platform independent way to
> initialize and add certificates to cert7.db
>
>   
I do hope you mean cert8.db since cert7.db has been obsolete for several 
years.

JSS requires NSPR/NSS. your java code is platform independent with the 
understanding
that you're required to install JSS/NSS/NSPR binaries on  the specific 
platform your  running
on. There is no getting around this requirement.

You could  also use Java 5 or 6 and the SunPKCS11 provider but then you 
still have to install/configure
NSPR/NSS/SunPKCS11.

or you could install NSPR/NSS and use certutil binary that is built for 
the platform. :)

have a good day,

glen

> ___
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>   

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: firefox pkcs storage access from java

2007-11-09 Thread Glen Beasley

Diego Zanga wrote:
> Lo
>
> is there a guide or a complete howto to connect
> pkcs storage of firefox from java?
>   
no, but if anybody has time to write one, please do!

many people have managed to do this by combining information from 
various existing documentation
on applets  and JSS.

http://java.sun.com/applets/
http://java.sun.com/j2se/1.5.0/docs/guide/deployment/deployment-guide/keystores.html

You need to configure your applet so it can load nspr/nss/jss libraries, 
and
have the correct location to the Firefox dbs.

To get the configuration correct work with a small program
such as listing the certificates by modifying
http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/ListCACerts.java

you could also choose not to use JSS and use SunPKCS11 to initialize NSS
http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html

your applet would have to generate a pkcs11 config file for SunPKCS11
that would specify the location of Firefox's NSS libraries and the 
firefox database directory.

-glen

> i've seen some example from this list, however
> it seems none works. (with firefox 2.0 and java
> 1.6 on windows xp)
>
> [this obviusly means i'm not setting all things
> right]
>
> is there a "basic" guide or some examples about
> how to do it?
>
> cya, thx
>   

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: signed jar

2007-11-09 Thread Glen Beasley

Abraham wrote:
> Hi,
>
> I've downloaded the jss latest version (.jar 4.2.5, windows), but the sign
> appears as caduced (older version too).  Is this so?
>   
I'm not quite sure what "caduced" means but I think you're stating that 
if you
run "jarsigner -verify jss4.jar" you get:
jar verified.

Warning:
This jar contains entries whose signer certificate has expired.

JSS 4.2.5 was signed with a code signing certificate that was valid but 
near expiration.
The jar should still work fine since it was signed when the certificate 
was valid.  jarsigner
was still able to "verified" the jar, and just points out that the code 
signing certificate has
expired.

If there is a problem please open a bug.

We have a new code signing certificate that we will use for the next 
release of JSS.

-glen

> Regards, Abraham.
> ___
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>   

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: PKCS12 problem with JSS

2007-11-06 Thread Glen Beasley


Could you zip up your test class and db then send to my email.

thank you,

glen


David Stutzman wrote:
> I've created a test class and a db to be used with it that shows the 
> following issues I get while exporting credentials to PKCS12 files using 
> JSS.
>
> 1) FIPS enabled generates PBA key error (this issue was first mentioned 
> in a separate thread)
> 2) 4 of the 8 PBEAlgorithms won't export the EPKI (though I don't really 
> care so much about these personally)
> 3) 3 of the 4 that will export the EPKI(PBEAlgorithm.PBE_SHA1_DES3_CBC 
> works) generate incompatible PKCS12 files (as long as certs area also 
> included with key, see note in code)
> 4) The "default" and supplied CharToByteConverter (PasswordConverter 
> from pkcs12 package) do not work with EPKI's passed back from NSS.  A 
> "custom" one must be written.
>
> I'm just asking here first to see where you want this info.  I filed a 
> bug for the previously mentioned salt size issue but never made one for 
> any of the other problems.  How would you like me to handle this?
>
> Thanks,
> Dave
> ___
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>   

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: client authentication problem in Ubuntu

2007-10-26 Thread Glen Beasley

Abraham wrote:
> Hi all,
>
> I'm using an applet to sign digital documents. The applet code uses jss
> classes and can load firefox keystore without problems configuring user
> system as this reference explains:
>
> http://java.sun.com/j2se/1.5.0/docs/guide/deployment/deployment-guide/keystores.html
>
> The problem appears if i add client authentication in server configuration.
> In this case, when a user try to access the applet, the java plugin pops up
> a window soliciting to select a cert; i need that window to show a list with
> the certs stored in browser keystore.  Using firefox on windows this works
> as i want but on ubuntu the list is empty (I've checked the java control
> panel options). I think jss is correctly installed because the applet can
> use the jss classes when no client authentication  is configured (or when i
> add a valid cert in java plugin keystore).
> Does anyone know where the problem can be or have tried this? Should I try
> other operating systems (fedora, solaris...)?
>
>   
since it works on Windows, it may be a unix config problem. I have yet 
to use Ubuntu
and really not sure what is going on. Did you try to reproducte on 
fedora or Solaris?

-glen

> Thanks in advance. Regards, Abraham.
> ___
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>   

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: PKCS12 problem with JSS (more info)

2007-10-18 Thread Glen Beasley

hi David,

you should file two bugs:

JSS has different Salt size than NSS for PBE

NSS appears to only handle PBE_SHA1_DES3_CBC for PKCS12

I will try to work on the bugs shortly.

thanks,

glen



David Stutzman wrote:
> David Stutzman wrote:
>   
>> I'm generating keys in the softoken and then exporting them to PKCS12 
>> files with their freshly issued certs.  I get the private key using the 
>> getEncryptedPrivateKeyInfo method of CryptoStore.
>>
>> This epki is reporting a 16 byte salt but when I ask the algorithm for 
>> its salt size, I get 20.
>>
>> When I try to unwrap the key I get:
>> javax.crypto.BadPaddingException: Given final block not properly padded
>>
>> Using PBEAlgorithm pbeAlgorithm = PBEAlgorithm.PBE_SHA1_DES3_CBC;
>> pbeAlgorithm.getSaltLength() = 20
>>
>> Encrypted private key info's salt: 0x6d469a0e62d57c5482e589562eeb2236
>>
>> I've tried some of the other algorithms and it appears the 
>> getEncryptedPrivateKeyInfo (which is one of the native methods of JSS) 
>> *always* returns an EPKI with 16 bytes of salt and it's confusing other 
>> applications/APIs that are expecting more or less (8 and 20 seem to be 
>> the most popular).
>>
>> Dave
>> 
>
> If it matters...The reason I need to decrypt the key first is that if I 
> just take the EPKI structure and pass it right into the PKCS12, then it 
> can only be read by MS-CAPI and java's keytool.  OpenSSL will not be 
> able to read the resulting PKCS12 file.
> I am also constrained to using PBE_SHA1_DES3_CBC as the other algorithms 
> result in PKCS12 files that are unreadable by anything but NSS itself. 
> That's not a huge issue as that is the algorithm I would like to use 
> anyway, just mentioning it for the compatibility angle.
>
> If I use keytool -list -keystore foo.p12 -storetype PKCS12 then Java can 
> read the resulting PKCS12 even though I can't seem to decrypt the EPKI 
> myself programatically.  keytool reports that it is using the SunJSSE 
> provider for the KeyStore implementation.
>
> When I re-encrypt the key using the SafeBag.createEncryptedPrivateKeyBag 
> method I end up with algorithm parameters that make sense.  The method 
> calls PBEAlgorithm .getSaltLength() and ends up with a 20 byte salt and 
> uses "DEFAULT_ITERATIONS" of 1.  These structures can be handled by all 
> other toolkits I've tested with:
>   100   25: . . . . . . . . . . . . . SEQUENCE {
>  <04 14>
>   102   20: . . . . . . . . . . . . . . OCTET STRING
>   : . . . . . . . . . 11 37 D3 96 E3 DB 55 24.7U$
>   : . . . . . . . . . B4 EA 64 7E 15 B0 CB D6..d~
>   : . . . . . . . . . 8C F3 38 2E..8.
>  <02 01>
>   1241: . . . . . . . . . . . . . . INTEGER 1
>   : . . . . . . . . . . . . . . }
>
> I'm open to tweaking the NSS code, if necessary.  I *think* I see where 
> the salt/iteration count are being obtained in
> http://mxr.mozilla.org/security/source/security/nss/lib/pk11wrap/pk11pbe.c#409
>
> Would I be barking up the wrong tree if I was looking in there for 
> changing the size of the salt?
>
> I guess another question, why does NSS use a different salt size for the 
> same algorithm than JSS?
>
> Thanks,
> Dave
> ___
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>   

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: java plugin and firefox keystore

2007-09-20 Thread Glen Beasley

Nelson B wrote:
> Abraham wrote:
>
>   
>> I have a problem with client authentication when I try to run an applet. The
>> java plugin requires authentication but shows me a empty list (i suppose it
>> can´t load firefox keystore). Importing certificates with Java Control Panel
>> isn´t a solution because i want to use the browser smartcard support. I´ve
>> installed jss (jss4.dll and jss directory with jss4.jar) but it doesn´t
>> work. 
>> 
>
>   

> In what manner doesn't it work?
>
>   
Does your applet initialize JSS with the location to the FireFox dbs?

After installing JSS your next step would be to initialize JSS and view 
the certificates say modify
the following to work in your applet as test
http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/ListCACerts.java


you could also choose not to use JSS and use SunPKCS11 to initialize NSS
http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html
your applet would have to generate a pkcs11 config file for SunPKCS11
that would specify the location of Firefox's NSS libraries and the 
firefox database directory

JSS does have an applet but does test the SunPKCS11-NSS
http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/all.pl#317
 
- creates pkcs11 config file
http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/JSSE_SSLServer.java
 
- can be configured to use Sunpkcs11-NSS

-glen

> Long ago, in the Netscape Communicator 4 days, the Java engine was
> integrated with the browser, and JSS was integral to the browser.
> JSS was *the* means by which Java applet accessed the browser's
> facilities for https and for using certs for signatures, encryption, etc.
>
> But today Java is not so integrated into the browser, and JSS is not a
> standard part of the browser either, IINM.  So today, the JRE has no
> simple access to the browser's crypto capabilities.  Installing JSS
> should still work (I think), but it's separate software that the user
> must install.  The latest JDK/JRE has a new "JCE provider" that works
> with any PKCS#11 module, including NSS's softoken (one of the PKCS#11
> modules built into mozilla browsers).  It might work for you to use
> that PKCS#11 JCE provider to access the certs and keys in the browser's
> PKCS#11 module.
>
> I'll ask our JSS guru to add his own suggestions here.
>
>   
>> Thanks in advance (and sorry for my english :P).
>> 
>
> Your English was perfect.
>
>   
>> Regards, Abraham
>> 
>
>   

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Building JSS 4.2.5 with Java 1.4.2

2007-09-14 Thread Glen Beasley

[EMAIL PROTECTED] wrote:
> I am trying to build JSS 4.2.5 with Java 1.4.2 and I am having
> troubles. I printed the the build instructions from the website. When
> I run the build it just thrashes and crashes when it run out of
> memroy. Has anyone been able to successfully build this with Java
> 1.4.2 or does anyone know of a place that I can get a 1.4.2 version of
> the jss4.jar?
>   
What platfom and what was your checkout command?

cvs co JSS_4_2_5_RTM mozilla/security/jss

We have been building with Java 1.5 for quite awhile but I just tried 
building with 1.4.2 on Solaris 10 and it worked fine.
Also I have never seen  a build  run  out  of memory,  usually a build 
fails in seconds with compile errors.  What
version of 1.4.2_?

Note if you checked out the trunk

cvs co mozilla/security/jss (will become JSS 4.3)

then some tests programs will fail to compile because they require Java 
1.5 or higher for SunPKCS11 support.
The  JSS class files do not use SunPKCS11 but the JSS test suite now 
configures a JSSE SSL test program that
uses SunPKCS11-NSS.

-glen

> Thanks
> Jason
>
> ___
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>   

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: error setting FIPS mode of DB when initializing JSS on linux

2007-08-28 Thread Glen Beasley

hi,

we support RHEL4 and nightly QA and tinderbox tests on the platform.

http://tinderbox.mozilla.org/showlog.cgi?log=NSS/1188333120.16322.gz&fulltext=1

David Stutzman wrote:
> Wan-Teh,
>
> Thanks for all the advice.  I checked out and compiled JSS 4.2.5 along 
> with NSS 3.11.4 and NSPR 4.6.4.  Unfortunately I have a new problem.  As 
> soon as I start the program on Linux I get:
> java.security.GeneralSecurityException: Failed to toggle FIPS mode
> Stack Trace:
>  org.mozilla.jss.CryptoManager.enableFIPS(Native Method)
>  org.mozilla.jss.CryptoManager.initialize(CryptoManager.java:856)
>
>   

I think your path to the DBs may be incorrect. If not you can send your 
test program to me privately
and I will run your test.

http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/FipsTest.java

note: today NSS obtained the FIPS 140-2 level II certificate.
http://www.mozilla.org/projects/security/pki/nss/fips/

-glen



thanks,
glen


___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Using java to connect to Firefox PKCS11 implementation

2007-07-25 Thread Glen Beasley

[EMAIL PROTECTED] wrote:
> Hi,
>
> there is already a topic which deals with the problem:
> http://osdir.com/ml/mozilla.crypto/2005-07/msg00034.html
>
> Unfortunately the code doesn't work. Here's what I did:
> I used the source code glen beasley posted.
> My pkcs11.cfg looks like this:
> name=NSSSofToken
> library = c:\\Program Files\\Mozilla Firefox\\softokn3.dll
> description=NSS PKCS11 
> nssArgs="configdir='C:\\tip' certPrefix='' keyPrefix='' secmod='secmod.db' 
> flags=readOnly"
>   

/the option configdir needs to point the the directory where the databases 
exists.

I doubt your mozilla databases are in c:\\tip.

on windows in the c:\Documents and settings directory do a dir *.db /s/b and 
you should be able to find the correct location.

-glen




/

> slot=2
>
> When launching the program, I get the following exception:
> Exception in thread "main" java.security.ProviderException: Initialization 
> failed
>   at sun.security.pkcs11.SunPKCS11.(SunPKCS11.java:340)
>   at sun.security.pkcs11.SunPKCS11.(SunPKCS11.java:86)
>   at PKCS11ListCerts.main(PKCS11ListCerts.java:23)
> Caused by: java.io.IOException: Could not find resource
> c:\Program Files\Mozilla Firefox\softokn3.dll
>
> What's wrong with my configuration?
> Enzo Motta or glen beasley if you're reading this, please give me a hint.
> Thanks in advance,
> Mike
> _
> Der WEB.DE SmartSurfer hilft bis zu 70% Ihrer Onlinekosten zu sparen!
> http://smartsurfer.web.de/?mc=100071&distributionid=0066
>
> ___
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>   

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: PKCS11 quagmire... (JSS question)

2007-06-15 Thread Glen Beasley

David Stutzman wrote:
> Robert Relyea wrote:
>   
>>> The JSS method to create this is:
>>> SignerInfo(SignerIdentifier signerIdentifier, SET signedAttributes, 
>>> SET unsignedAttributes, OBJECT_IDENTIFIER contentType, byte[] 
>>> messageDigest, SignatureAlgorithm signingAlg, PrivateKey signingKey)
>>>   
>>>   
>> So just passing agentPrivateKey here doesn't work?
>> 
>
> I can test it again to see for sure if you'd like, but I think the 
> reason I went through the conversion process in the first place was 
> because the SignerInfo constructor threw an exception complaining that 
> the private key didn't belong to the JSS provider.  Now that I'm working 
> with a hardware token that isn't giving up its keybytes so I can build a 
> key with the JSS provider I'm in trouble.
>   
hi dave,

how did you construct agentPrivateKey ? Is a type PK11PrivKey?

http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/pkcs11/PK11PrivKey.java


what happens when you do agentPrivateKey.getOwningToken().getName()
does it refer to your hardware token ?

you should be able to pass in agentPrivateKey to the JSS method
http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/pkcs7/SignerInfo.java#292


-glen

> That's why I'm thinking I might be stuck building the SignerInfo from 
> scratch.  That way I can use the Sun/Java signature methods/provider to 
> do the signature and insert the raw data into the ASN1 structure.  I'm 
> just sure it's going to be very confusing for me.
>
> For instance I'm making progress on parsing the CMC Response and I was 
> working on verifying the signature on the response and I had to do the 
> following:
> EncapsulatedContentInfo eci = response.getContentInfo();
> OCTET_STRING content = eci.getContent();
> and then pass content.toByteArray() to the MessageDigest object.  I got 
> that from here:
> http://www.redhat.com/docs/manuals/cert-system/sdk/7.1/samples/servlets/processors/index.html
> I *never* would have thought to do that.  I was trying to hash 
> "ASN1Util.encode(eci)" and that wasn't working.
>
> Dave
> ___
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>   

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: export Certificate with JSS to PCKS12

2007-06-01 Thread Glen Beasley

[EMAIL PROTECTED] wrote:
> Does anyone know, how to export an Certificate to PKCS12 with JSS.
> I have found a Code-Sample, but this doesnt work, because the Metho
> privateKey.getEncoded() allways returns null.
>
>   
most private keys store on a token do not support encoding and therefore 
null is correctly returned. 
You would need to wrap the private key take a look at

http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/KeyWrapping.java
http://www.mozilla.org/projects/security/pki/jss/javadoc/org/mozilla/jss/pkcs12/PFX.html


Rather than attempting to  do this with JSS why not just
use the NSS tool pk12util?

hope this helps,

glen

> Thank for hints
>
> ___
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>   

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Can't find JSS 4.x

2007-05-24 Thread glen beasley

Anders Rundgren wrote:
> Thank you very much guys!
>
> I'm a little bit surprised that the Java "KeyStore" class always seem
> to have problems except for JKS and PKCS #12 key stores.
> Otoh, PKCS #11 and Capi seem to have similar issues.
>   
The Mozilla-JSS keystore implementation is currently not supported see:

http://www.mozilla.org/projects/security/pki/jss/provider_notes.html

You should try using the SunPKCS#11 provider with NSS (see section 2.3)

http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html

Also, I will update JSS release notes for JSS 4.2.5.

hope this helps,

glen


 

> Anders
>
> - Original Message - 
> From: "Wan-Teh Chang" <[EMAIL PROTECTED]>
> To: 
> Sent: Monday, May 14, 2007 18:46
> Subject: Re: Can't find JSS 4.x
>
>
> Glen Beasley wrote:
>   
>> Anders Rundgren wrote:
>> 
>>> http://www.mozilla.org/projects/security/pki/jss/
>>>
>>> The links to the newer releases appear dead.
>>>
>>>   
>>>   
>> ftp://ftp.mozilla.org/pub/mozilla.org/security/jss/releases/JSS_4_2_RTM/
>>
>> works okay for me? We should be putting JSS 4_2_5 up soon.
>> 
>
> I guess that Anders Rundgren was referring to the links to the
> version-specific documentation at
> http://www.mozilla.org/projects/security/pki/jss/#version_docs
>
> Wan-Teh
> ___
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>   

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Can't find JSS 4.x

2007-05-14 Thread Glen Beasley

Anders Rundgren wrote:
> http://www.mozilla.org/projects/security/pki/jss/
>
> The links to the newer releases appear dead.
>
>   
ftp://ftp.mozilla.org/pub/mozilla.org/security/jss/releases/JSS_4_2_RTM/

works okay for me? We should be putting JSS 4_2_5 up soon.

> A question: If you would do a Firefox XPI plugin what would you have
> to add in order to use JSS except the JSS JAR file(s)?  Do the paths
> to the native code work directly out of the box?  The instructions
> seem to apply to standalone usage which is something else.
>   
you need to set your path correct so that it finds Firefox's NSPR/NSS 
libraries.

-glen

> Anders Rundgren
> ___
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>   

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: JSS - Open Multiple Truststores

2007-04-23 Thread Glen Beasley

Dennis Sinelnikov wrote:
> Hello,
>
> Is there a way to open more than 1 NSS truststore using JSS? 
> Specifically, within the same lifecycle of the java application.
>   

At this time no.  The database NSS currently uses, can't be used by 
multiple processes.

The multiaccess database feature is planned but is not expected until 
NSS 3.13. Once
implemented JSS would then be able to use this feature.

http://wiki.mozilla.org/NSS:Roadmap#SQLite-Based_Multiaccess_Certificate_and_Key_Databases

-glen

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: how to know which algorithms are enabled in Firefox?

2007-04-23 Thread Glen Beasley

Ash wrote:
> On Apr 20, 2:30 pm, Gervase Markham <[EMAIL PROTECTED]> wrote:
>   
>> Nelson B wrote:
>> 
>>> But I have no idea what version of NSS was used in that version of FF,
>>> and I know of no way to find out, other than to download and install that
>>> version of FF, and then inspect the NSS files to see what version they are.
>>>   
>> You can consult my handy table 
>> here:http://spreadsheets.google.com/pub?key=p49SW32nNYX3LqMK-jeDzfg
>>
>> That tells me that Firefox 1.5.0.10 used NSS 3.11.5.
>>
>> Gerv
>> 
>
> Thanks all for the info provided.
>
> Though I hadn't found, exactly which cryptography algorithms are in
> there. For time being I will do with the NSS version only.
If by "cryptographic algorithms" you mean  "cipher-suites".

It is possible for you to query the cipher-suites implemented by NSS?

Example using JSS:

int ciphers[] =
org.mozilla.jss.ssl.SSLSocket.getImplementedCipherSuites();
/* find all the ciphers-suites that are turned "ON"  */
for (int i = 0; i < ciphers.length; i++) {
   
try {
if (SSLSocket.getCipherPreferenceDefault(ciphers[i])) {
 
System.out.println(Integer.toHexString(ciphers[i]));
 
I will complete https://bugzilla.mozilla.org/show_bug.cgi?id=378332
for jss 4.2.5. There will be sample code of the above that outputs the
text name of the cipher-suite rather than the hex value in the tests 
directory.

-glen




> ___
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>   

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Issue reloading certificates from pkcs#11 devices

2007-04-23 Thread Glen Beasley

hi,

This should be fixed in JSS 4.2.5 which we should release  sometime next 
month.

https://bugzilla.mozilla.org/show_bug.cgi?id=367235

-glen

j.fabre wrote:
> Hi Manuel,
>
> I had the same problem as you, and my answer at the moment is that I 
> have no way to recover the certificates of a token plugged after 
> initializing CryptoManager´s instance.
> On the other hand, I cannot get another "updated" Cryptomanager´s 
> instance because it is already initialized (I get an exception which 
> points me that CryptoManager is already initialized) with the certs and 
> keys that were in Firefox´s cert8.db and key3.db at first initialization.
>
> Regards,
> Jesús el tuty.
>
> [EMAIL PROTECTED] escribió:
>   
>> Hi. I am using JSS in order to access to crypto operations on an applet 
>> and everything seems to be ok, but I have found some problems in a 
>> particular case. 
>> When I detect Mozilla from the applet I get a CryptoManager's instance. 
>> Some of the capabilities of the applet is signing so I ask internalTokens 
>> and externalTokens for available certificates. If we have any PKCS#11 
>> device at the moment of cryptoManager's instantiation we can get the 
>> PKCS11 certificates with no problem but when we insert the pkcs11 token 
>> after instantiation, we can't no more get the certificates from it. Is 
>> there any way to reload new tokens (as our just plugged PKCS11 token) in 
>> our cryptoManager? 
>> I think a solution could be getting the instance again, but I am not sure 
>> about security problems or even if it could work. 
>>
>> Regards,
>> Manuel Reyes
>> ___
>> dev-tech-crypto mailing list
>> dev-tech-crypto@lists.mozilla.org
>> https://lists.mozilla.org/listinfo/dev-tech-crypto
>>
>>   
>> 
> ___
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>   

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: JSS + Windows: UnsatisfiedLinkError

2007-04-23 Thread Glen Beasley

Gervase Markham wrote:
> Bruno Telstar wrote:
>   
>> Exception in thread "main" java.lang.UnsatisfiedLinkError: no jss4 in
>> java.library.path
>> 
>
> It's looking for the .dll, not the .jar. On Linux, one would set 
> LD_LIBRARY_PATH to the directory in which the DLL lives. Not sure about 
> Windows.
>   
set PATH=;%PATH%

-glen

> Gerv
> ___
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>   

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: JSS questions: how to decode extensions?

2007-04-20 Thread Glen Beasley

Glen Beasley wrote:
> Gervase Markham wrote:
>   
>> I've been feeling my way around the JSS API. The "Using JSS" document, 
>> the FAQ and the test code are (just) enough to get going. But I've come 
>> across several points where the API seems really low-level. I was 
>> wondering if I've missed something?
>>
>> I can go through the following long chain to find out about a cert, 
>> knowing the nickname:
>>
>>CryptoManager.initialize(dbdir);
>>CryptoManager cm = CryptoManager.getInstance();
>>X509Certificate x509Cert = cm.findCertByNickname(nickname);
>>Certificate cert =
>> (Certificate)ASN1Util.decode(Certificate.getTemplate(),
>>  x509Cert.getEncoded());
>>CertificateInfo info = cert.getInfo();
>>
>> (Phew!)
>>
>>   
>> 
> note there can be multiple certs with the same nickname it is better to use
> cm.findCertsByNickname(nickname);
>
>   
>> 1) Then, I can get the Subject with:
>>
>>Name subject = info.getSubject();
>>
>> This Name class seems to have ways of adding each of the individual 
>> components of the Name (O, OU, CN etc.) but not ways of getting them 
>> individually as Strings. Have I missed something?
>> http://www.mozilla.org/projects/security/pki/jss/javadoc/org/mozilla/jss/pkix/primitive/Name.html
>>
>> 2) There don't seem to be any useful constants for the obvious values 
>> for some of the calls. So I can call:
>>
>>OBJECT_IDENTIFIER sigalg = info.getSignatureAlgId().getOID();
>>
>> but I then have to compare it like this:
>>
>>if (!sigalg.toString().equals("{1 2 840 113549 1 1 5}"))
>>   
>> 
>
> import org.mozilla.jss.crypto.SignatureAlgorithm;
>
> if 
> (!sigalg.toString().equals(SignatureAlgorithm.RSASignatureWithSHA1Digest.toOID()))
>
>
>   
>> 3) I seem to be left entirely on my own when attempting to look at 
>> Extensions:
>>
>>SEQUENCE extensions = info.getExtensions();
>>for (int i = 0; i < extensions.size(); i++) {
>>  Extension ext = (Extension)extensions.elementAt(i);
>>  String extId = ext.getExtnId();
>>  OCTET_STRING value = ext.getExtnValue();
>>}
>>
>>   
>> 
>
>   
>> What am I supposed to do with that OCTET_STRING? Do manual ASN.1 
>> decoding on it according to my supposed knowledge of the internals of 
>> this particular Extension?
>>   
>> 
> at this time yes.
>   
>> Can anyone give me some guidance?
>>
>>   
>> 
> Did you look at isExtensionPresent or getExtension?
> http://mxr.mozilla.org/security/ident?i=isExtensionPresent
> http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/pkix/cert/CertificateInfo.java#294
>
> I made a bug
> JSS needs support for known x.509 v3 certificate extension
>   
The bug: https://bugzilla.mozilla.org/show_bug.cgi?id=378233

Also in my first reply I made a mistake. JSS will tell you if the 
extension is critical or not.

SEQUENCE extensions = info.getExtensions();
for (int i = 0; i < extensions.size(); i++) {
Extension ext = (Extension)extensions.elementAt(i);
OBJECT_IDENTIFIER oid = ext.getExtnId();
OCTET_STRING value = ext.getExtnValue();
System.out.println("Extension " + oid.toString());
if (ext.getCritical()) {
System.out.println("Critical extension");
} else {
System.out.println("not a Critical extension");
}
}


>   
>
> -glen
>
>
>
>   
>> Thanks :-)
>>
>> Gerv
>> ___
>> dev-tech-crypto mailing list
>> dev-tech-crypto@lists.mozilla.org
>> https://lists.mozilla.org/listinfo/dev-tech-crypto
>>   
>> 
>
> ___
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>   

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: JSS questions: how to decode extensions?

2007-04-20 Thread Glen Beasley

Gervase Markham wrote:
> I've been feeling my way around the JSS API. The "Using JSS" document, 
> the FAQ and the test code are (just) enough to get going. But I've come 
> across several points where the API seems really low-level. I was 
> wondering if I've missed something?
>
> I can go through the following long chain to find out about a cert, 
> knowing the nickname:
>
>CryptoManager.initialize(dbdir);
>CryptoManager cm = CryptoManager.getInstance();
>X509Certificate x509Cert = cm.findCertByNickname(nickname);
>Certificate cert =
> (Certificate)ASN1Util.decode(Certificate.getTemplate(),
>  x509Cert.getEncoded());
>CertificateInfo info = cert.getInfo();
>
> (Phew!)
>
>   
note there can be multiple certs with the same nickname it is better to use
cm.findCertsByNickname(nickname);

> 1) Then, I can get the Subject with:
>
>Name subject = info.getSubject();
>
> This Name class seems to have ways of adding each of the individual 
> components of the Name (O, OU, CN etc.) but not ways of getting them 
> individually as Strings. Have I missed something?
> http://www.mozilla.org/projects/security/pki/jss/javadoc/org/mozilla/jss/pkix/primitive/Name.html
>
> 2) There don't seem to be any useful constants for the obvious values 
> for some of the calls. So I can call:
>
>OBJECT_IDENTIFIER sigalg = info.getSignatureAlgId().getOID();
>
> but I then have to compare it like this:
>
>if (!sigalg.toString().equals("{1 2 840 113549 1 1 5}"))
>   

import org.mozilla.jss.crypto.SignatureAlgorithm;

if 
(!sigalg.toString().equals(SignatureAlgorithm.RSASignatureWithSHA1Digest.toOID()))


> 3) I seem to be left entirely on my own when attempting to look at 
> Extensions:
>
>SEQUENCE extensions = info.getExtensions();
>for (int i = 0; i < extensions.size(); i++) {
>  Extension ext = (Extension)extensions.elementAt(i);
>  String extId = ext.getExtnId();
>  OCTET_STRING value = ext.getExtnValue();
>}
>
>   

> What am I supposed to do with that OCTET_STRING? Do manual ASN.1 
> decoding on it according to my supposed knowledge of the internals of 
> this particular Extension?
>   
at this time yes.
> Can anyone give me some guidance?
>
>   
Did you look at isExtensionPresent or getExtension?
http://mxr.mozilla.org/security/ident?i=isExtensionPresent
http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/pkix/cert/CertificateInfo.java#294

I made a bug
JSS needs support for known x.509 v3 certificate extensions

also if you I am not sure what info you want and maybe you can add that 
to the bug, but
here is code to list the critical and non-critical extensions, but 
converting the JSS
certificate to java.security.cert.X509Ceritificate

CertificateFactory cf = CertificateFactory.getInstance("X.509");
ByteArrayInputStream bais = new 
ByteArrayInputStream(x509Cert.getEncoded());
java.security.cert.X509Certificate jdkCert =
(java.security.cert.X509Certificate)  
cf.generateCertificate(bais);
bais.close();

 System.out.println("SN " + jdkCert.getSerialNumber());

/* non critical extensions */
Set nonCritSet = jdkCert.getNonCriticalExtensionOIDs();
if (nonCritSet != null && !nonCritSet.isEmpty()) {
for (Iterator i = nonCritSet.iterator(); i.hasNext();) {
String oid = (String)i.next();
System.out.println(oid);
}
} else { System.out.println("no non Critical Extensions"); }
   
/* critical extensions */
Set critSet = jdkCert.getCriticalExtensionOIDs();
if (critSet != null && !critSet.isEmpty()) {
System.out.println("Set of critical extensions:");
for (Iterator i = critSet.iterator(); i.hasNext();) {
String oid = (String)i.next();
System.out.println(oid);
}
} else { System.out.println("no Critical Extensions"); }



-glen



> Thanks :-)
>
> Gerv
> ___
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>   

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Getting cert pem format out of pkcs12?

2007-04-13 Thread glen beasley




Jana Nguyen wrote:
> Hi,
>
> I've been using the NSS pkcs12util to get the credential out of the
> browser in pkcs12 format.  But I now need to get the public and
> private key out of pkcs12 and into "PEM" format.  Is this possible
> with mozilla tool out there?
>
> Or is it possible for NSS tool to get the credential out of the
> browser in "PEM" format instead of pkcs12?
>   
no it is not possible. 

take your PKCS#12 formatted file and convert it to a pem file using openssl

http://www.openssl.org/docs/apps/pkcs12.html

Parse a PKCS#12 file and output it to a file:

openssl pkcs12 -in file.p12 -out file.pem


-glen

> Thanks.
> ___
> dev-tech-crypto mailing list
> [EMAIL PROTECTED]
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>   

___
dev-tech-crypto mailing list
[EMAIL PROTECTED]
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Problem configuring JSS with Firefox 2 and JRE 1.5.10

2007-02-11 Thread Glen Beasley


Hello Jesús,

What output do you get in the java console related to JSS?

After installing the JSS package you also have to go to Java control 
panel, "Advanced tab", under "security", check on the box:

"Use certificate and keys in browser keystore".

http://java.sun.com/j2se/1.5.0/docs/guide/deployment/deployment-guide/jcp.html

If you cannot get this to work please create a JSS bug and attach your 
sample applet with the steps you have taken

so far and I will do my best to look at it as soon as possible.

https://bugzilla.mozilla.org/enter_bug.cgi?product=JSS

thank you,

glen





j.fabre wrote:

Hi all,

I´m trying to configure JSS 4 and Firerfox in Ubuntu, but I cannot 
find the way to integrate both to use JSS for HTTPS client 
authentication.
My intentions are use JSS access to Firefox certificate´s repository 
for applet´s client authentication.

I followed these instructions but don´t give me a solution:

http://java.sun.com/j2se/1.5.0/docs/guide/deployment/deployment-guide/keystores.html 



Also I tried to configure LD_LIBRARY_PATH, MOZILLA_HOME pointing to 
libjss4.so


and CLASSPATH pointing to jss4.jar, but it doesn´t work neither.

I´m totally lost and disoriented. ¿anybody could help me?

Thanks for yout time.
Jesús.
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto


___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: create db with JSS?

2007-02-08 Thread Glen Beasley


David Stutzman wrote:
Is it possible to create a security DB using JSS?  I can't find any 
methods that look like they fit.  I found mention of something in the 
comments of 
http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/TestKeyGen.java#47 



that says:
47  *   run the test 'TokenAccessTest'
48  *which will create db with the password 'netscape'.

But I can't find any mention of that in the rest of the JSS sources.

Is this something that can only be done from NSS?

Thanks,
Dave
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

You can use JSS,

http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/SetupDBs.java

example:
java org.mozilla.jss.tests.SetupDBs  

also take a look at
http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/all.pl
http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/passwords 




Quick instructions to use all.pl
set JAVA_HOME
cvs co mozilla/security/nss mozilla/security/jss 
mozilla/security/coreconf mozilla/nsprpub mozilla/dbm mozilla/security/dbm
cd mozilla/security/nss 
gmake nss_build_all   (I assume your environment is set to build NSS)

cd ../jss
gmake
cd org/mozilla/jss/tests
perl all.pl dist 

Some tests will fail since you won't have the JCA code signing 
certificate to sign the JSS jar.


-glen


___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: JSS doesn't recognize aladdins token

2007-02-05 Thread Glen Beasley


Igor Delacroix wrote:

Good Day to All

I'm added manually on secmoddb the driver of Aladdin and Rainbow tokens.

when a try do list all tokens inserted i receive just the rainbow tokens.

I'm using jss 4

somebody already had this problem?
what has been done?

Thanks in advance
Igor Delacroix
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

the bug has not been fixed.

https://bugzilla.mozilla.org/show_bug.cgi?id=367235


We have not had time to work on it, but will make some time in the near 
future.


note: As a work around instead of using JSS you could use
the Sun PKCS#11 Provider in J2SE 5 or J2SE 6.

http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html
http://developers.sun.com/prodtech/appserver/reference/techart/keymgmt.html

-glen

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: token "refresh" works in NSS but not JSS

2007-01-16 Thread Glen Beasley


could you please create a JSS bug.

https://bugzilla.mozilla.org/enter_bug.cgi?product=JSS

and enter as much info as possible. Note JSS is open source, since you 
have also used NSS, you're welcome to contribute.


-glen


David Stutzman wrote:
I am having basically the same problem as posted by Igor Delacroix and 
"shinigami" back in September.  The problem I run into is that JSS 
only presents the available tokens it sees when it is initialized and 
it doesn't seem to respond to the reload methods that are available.  
I've done similar to Igor in JSS by printing out all available tokens, 
sleeping for a bit, inserting a token, then grabbing an enumeration of 
all the modules available again, calling the method to reload the 
tokens and re-printing the list of available tokens.  I end up with 
the same results.


I've just attempted to do similar actions using NSS and that ends up 
working just fine:


Trying to get listing of all slots...

PK11_GetTokenName: Builtin Object Token
PK11_GetTokenName: NSS Certificate DB
PK11_GetTokenName: NSS Generic Crypto Services

slotCount: 3

sleeping...

done sleeping...grabbing slot info again

PK11_GetTokenName: Builtin Object Token
PK11_GetTokenName: NSS Certificate DB
PK11_GetTokenName: NSS Generic Crypto Services
PK11_GetTokenName: Rainbow iKey 2032
PK11_GetTokenName: Datakey SignaSure 380

slotCount: 5

I believe Igor and his co-worker were using Rainbow iKeys which use 
the same middleware and have the same functionality as the keys I 
have.  I also have iKeys here and the same thing happens in both JSS 
and NSS.


Do any of you NSS/JSS devs have experience with any of the Datakey 
stuff?  I'm using CIP 4.7 (the latest since the smartcard side of 
Datakey got sold off to SafeNet) and PKCS#11 module dkck201.dll.


I can supply PKCS11 trace from the middleware's logging if that would 
help anyone out.


Thanks,
Dave
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto


___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: nickname and FIPS mode password length restrictions

2006-09-20 Thread glen beasley


Nelson B wrote:

David Stutzman wrote:
  
Hopefully these will be relatively easy questions for you guys.  I'm 
asking about the internal softtoken.


Is there a max length for a cert nickname?



I think NSS imposes no maximum.  I suspect that values longer than
about 15KB will not work.  :)  In practice the name should be short
enough to be easily displayed on one line in a cert selection dialog.

  
What is the min/max password length when the module is operating in FIPS 
140-2 mode?



Wan-Teh will have to answer that.  I think it has changed recently.
It seems that the requirements have changed since the last time NSS was
FIPS 140 evaluated, or at least our new test lab interprets them very
differently.
  

see: http://wiki.mozilla.org/Security_Policy#Specification_of_Roles

In FIPS mode, the NSS cryptographic module imposes the following 
requirements on the password.


   * The password must be at least seven characters long.
   * The password must consist of characters from three or more 
character classes. We define five character classes: digits (0-9), ASCII 
lowercase letters, ASCII uppercase letters, ASCII non-alphanumeric 
characters (such as space and punctuation marks), and non-ASCII 
characters. If an ASCII uppercase letter is the first character of the 
password, the uppercase letter is not counted toward its character 
class. Similarly, if a digit is the last character of the password, the 
digit is not counted toward its character class.



  
I've read in the past somewhere something about needing to enforce the 
minimum password length for FIPS mode in the future as it's not being 
done now.  I have some modules in FIPS mode and when I query the minimum 
password length with PK11_GetMinimumPwdLength it reports 7 but I am 
currently using a password of length 4 and everything is working just 
fine.  



That doesn't sound right (to me).
Are you sure you're running in FIPS mode?

  
I just want to make sure things will work ok in the future when 
the final FIPS approved version of NSS comes out.



  


___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: why NSS can't build in windowsxp?

2006-08-30 Thread glen beasley


hi,

It appears you are missing NSPR. Getting the build environment on 
windows correct is
a pain for anyone the first time, but with some patience it can 
certainly be accomplished.

step 3:

cvs co -r NSPR_4_4_1_RTM mozilla/nsprpub
cvs co -r DBM_1_61_RTM mozilla/dbm mozilla/security/dbm
cvs co -r NSS_3_9_RTM mozilla/security/coreconf mozilla/security/nss

and 
step 4:


 cd mozilla/security/nss (or, on Windows, cd mozilla\security\nss)
 gmake nss_build_all - this will fist build NSPR

 If you still have failures, then first review your configuration.

 http://www.mozilla.org/projects/security/pki/nss/nss-3.9/nss-3.9-build.html
 http://developer.mozilla.org/en/docs/Windows_Build_Prerequisites#ss2.2


-glen





lihb wrote:

Hello again,

I want to built NSS,and find the article
http://www.mozilla.org/projects/security/pki/nss/nss-3.9/nss-3.9-build.html.
i do it step by step ,but i see error :
gcc -o 
WINNT5.1_gcc_DBG.OBJ/quickder.o -c -g -mno-cygwin -mms-bitfields -W3 -nol

ogo -GT -DXP_PC -DDEBUG -D_DEBUG -UNDEBUG -DDEBUG_lihb -DWIN32 -D_WINDOWS -D_X86
_ -DWINNT -I../../../../dist/WINNT5.1_gcc_DBG.OBJ/include  -I../../../../dist/pu
blic/nss -I../../../../dist/private/nss -I../../../../dist/public/dbm 
quickder.

c
gcc: unrecognized option `-nologo'
gcc: unrecognized option `-GT'
In file included from quickder.c:40:
secasn1.h:45:21: plarena.h: No such file or directory
In file included from secasn1.h:47,
 from quickder.c:40:
seccomon.h:47:21: prtypes.h: No such file or directory
In file included from seccomon.h:58,
 from secasn1.h:47,
 from quickder.c:40:
secport.h:113:39: prlog.h: No such file or directory
secport.h:115:19: plstr.h: No such file or directory
In file included from seccomon.h:58,
 from secasn1.h:47,
 from quickder.c:40:
secport.h:138: error: parse error before '*' token
secport.h:138: warning: data definition has no type or storage class
secport.h:139: error: parse error before '*' token
secport.h:140: error: parse error before '*' token
secport.h:141: error: parse error before '*' token
secport.h:142: error: parse error before '*' token
secport.h:144: error: parse error before '*' token
secport.h:145: error: parse error before '*' token
secport.h:146: error: parse error before '*' token
secport.h:147: error: parse error before '*' token
secport.h:230: error: parse error before '*' token
secport.h:230: error: parse error before "toUnicode"
secport.h:233: error: `PRBool' declared as function returning a function
secport.h:235: error: parse error before '*' token
secport.h:244: error: parse error before "convFunc"
secport.h:245: error: parse error before "convFunc"
secport.h:248: error: `PORT_UCS4_UTF8Conversion' declared as function 
returning

a function
secport.h:252: error: `PORT_UCS2_ASCIIConversion' declared as function 
returning

 a function
secport.h:253: error: parse error before "convFunc"
secport.h:256: error: `PORT_UCS2_UTF8Conversion' declared as function 
returning

a function
secport.h:259: error: parse error before 
"sec_port_ucs4_utf8_conversion_function

"
secport.h:267: warning: data definition has no type or storage class
secport.h:270: error: parse error before 
"sec_port_ucs2_utf8_conversion_function

"
secport.h:278: warning: data definition has no type or storage class
In file included from quickder.c:40:
secasn1.h:62: error: parse error before '*' token
secasn1.h:88: error: parse error before '*' token
secasn1.h:92: error: parse error before '*' token
secasn1.h:96: error: parse error before '*' token
secasn1.h:141: error: parse error before '*' token
secasn1.h:144: error: parse error before '*' token
secasn1.h:147: error: parse error before '*' token
In file included from quickder.c:41:
secitem.h:44:20: plhash.h: No such file or directory
In file included from quickder.c:41:
secitem.h:60: error: parse error before '*' token
secitem.h:71: error: parse error before '*' token
secitem.h:82: error: `SECITEM_ItemsAreEqual' declared as function returning 
a fu

nction
secitem.h:87: error: parse error before '*' token
secitem.h:100: error: parse error before '*' token
secitem.h:112: error: parse error before "PR_CALLBACK"
secitem.h:112: warning: data definition has no type or storage class
secitem.h:114: error: parse error before "PR_CALLBACK"
secitem.h:114: warning: data definition has no type or storage class
quickder.c: In function `MatchComponentType':
quickder.c:147: error: `PR_FALSE' undeclared (first use in this function)
quickder.c:147: error: (Each undeclared identifier is reported only once
quickder.c:147: error: for each function it appears in.)
quickder.c:167: error: `PR_TRUE' undeclared (first use in this function)
quickder.c: In function `CheckSequenceTemplate':
quickder.c:322: error: function `foundAmbiguity' is initialized like a 
variable

quickder.c:322: error: `PR_FALSE' undeclared (first use in this function)
quickder.c:337: error: `PR_TRUE' undeclared (f

Re: how do make importCertToPerm

2006-08-24 Thread Glen Beasley


Primo It wrote:

Hi,

I`m trying to do it too.

I want to insert a certificate (a file *.cer selected in the machine) into 
the Permanent Certificates DB by the CryptoManager.importCertToPerm(...), 
but for it, i need to create an instance of 
org.mozilla.jss.crypto.X509Certificate from this selected file.


is there a way to do it?
  

http://www.mozilla.org/projects/security/pki/jss/faq.html
*How do I convert org.mozilla.jss.crypto.X509Certificate to 
org.mozilla.jss.pkix.cert.Certificate?*


   import java.io.ByteArrayInputStream;

   [...]

   Certificate cert = (Certificate) ASN1Util.decode(
   Certificate.getTemplate(),x509Cert.getEncoded() );
   



http://lxr.mozilla.org/mozilla/source/security/jss/org/mozilla/jss/tests


somehow like the CertificateFactory from the Sun

CertificateFactory cf = CertificateFactory.getInstance("X.509");
cert = (X509Certificate) cf.generateCertificate (new FileInputStream(new 
File("c:/teste.cer")));


"shinigami" <[EMAIL PROTECTED]> escreveu na mensagem 
news:[EMAIL PROTECTED]
  

http://lxr.mozilla.org/mozilla/source/security/jss/org/mozilla/jss/tests/VerifyCert.java

-glen


Hi,
E want install a cert in a db. But my cert when i receive from outside is 
a java.security.cert.X509Certificate, and the method importCertToPerm 
can´t do it. I need to cast this cert to 
org.mozilla.jss.crypto.X509Certificate. Or exist other way to do this??








___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
  


___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: how do make importCertToPerm

2006-08-23 Thread glen beasley


David Stutzman wrote:

shinigami wrote:

Hi,
E want install a cert in a db. But my cert when i receive from 
outside is a java.security.cert.X509Certificate, and the method 
importCertToPerm can´t do it. I need to cast this cert to 
org.mozilla.jss.crypto.X509Certificate. Or exist other way to do this??


Try these 2 methods:

call getEncoded on the java.security.cert.X509Certificate (method 
inherited from java.security.cert.Certificate) to get the encoded DER 
of the cert
http://java.sun.com/j2se/1.5.0/docs/api/java/security/cert/Certificate.html#getEncoded() 



And then importCertPackage to create a 
org.mozilla.jss.crypto.X509Certificate:
http://www.mozilla.org/projects/security/pki/jss/javadoc/org/mozilla/jss/CryptoManager.html#importCertPackage(byte[],%20java.lang.String) 




http://www.mozilla.org/projects/security/pki/jss/faq.html

How do I convert org.mozilla.jss.crypto.X509Certificate to 
org.mozilla.jss.pkix.cert.Certificate?


   import java.io.ByteArrayInputStream;

   [...]

   Certificate cert = (Certificate) ASN1Util.decode(
   Certificate.getTemplate(),x509Cert.getEncoded() );


and some of the test/example progams in
http://lxr.mozilla.org/mozilla/source/security/jss/org/mozilla/jss/tests

note: if you want to add to these example/tests please do so.

-glen


Dave
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto


___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

1 2 >

1 - 100 of 105 matches

Mail list logo