Re: NSS, AIA, Bridge

2009-07-19 Thread Nelson Bolyard
I previously replied to this but my reply hasn't shown up here in the
newsgroup, apparently, so ...

On 2009-07-14 06:44 PDT, dmorford wrote:
 Is Firefox the program that you're trying to get to use AIAs and CDPs?
 Firefox does not do that yet, not even when it has NSS 3.12.
 Firefox 3 does not yet use this new feature.
 
 Any chance Firefox 3.5 supports AIA path processing and CDPs?  You wrote
 above that Firefox 3 does not.  I didn't see anything related in the 3.5
 release notes, but just wanted to see if it was put in.  If not, any idea
 when Firefox will support it?

FF 3.5.0 and FF 3.5.1 do not support fetching of certs from AIA extension
URIs, nor fetching of CRLs from CDP extension URIs.  The code to fetch
certs from AIA URIs is present, but Firefox has not yet put it into use.
The code to do CRL fetching is not yet present in FF 3.5.0 or 3.5.1, but
has been made available in a new version of NSS that is not yet being
used in FF 3.5.x.  I expect this will change before the end of 2009,
and CDP fetching will be put to use.  I expect that will happen sooner
than the fetching of certs from AIA URIs.
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto


Re: NSS, AIA, Bridge

2009-07-14 Thread dmorford

 Is Firefox the program that you're trying to get to use AIAs and CDPs?
 Firefox does not do that yet, not even when it has NSS 3.12.
 Firefox 3 does not yet use this new feature.

Any chance Firefox 3.5 supports AIA path processing and CDPs?  You wrote
above that Firefox 3 does not.  I didn't see anything related in the 3.5
release notes, but just wanted to see if it was put in.  If not, any idea
when Firefox will support it?


Re: NSS, AIA, Bridge

2009-06-05 Thread Néric


Hi Nelson,

First of all, thank you very much for your time and for the quality answers.

I’ve understood everything except one thing:

Did you really mean that I could have 2 versions of NSS on my computer?
One for Debian and one specific to Mozilla products.

And then what exactly would be the purpose of Debian NSS?

Also, if there are 2 libraries, do they use the same keystore???
(For example, in a Windows environment there is Windows Key store and one
specific to firefox (mozilla), is it the same for Linux, one general
keystore and one specific to Mozilla?)


I have installed Firefox 3 through my Debian Synaptic package manager (so
Firefox 3 is specific to Debian!).
Is Firefox 3 always built with the NSS 3.x library (are the two 3s
related) or could I have a Firefox 3 with an NSS 2.y?
How can I know the version of my NSS???

Thanks a lot, have a nice week end


Eric


Re: NSS, AIA, Bridge

2009-06-05 Thread Néric

Hi Nelson,

Excuse me, I meant can I have a Firefox3 with an NSS 3.11?

Because Firefox 3, on my test environment,  is not able to fetch the missing
certificates! That means that I don't have NSS 3.12 or (sadly) that NSS 3.12
is not well implemented (hope not).

Once again, with the same bridge configuration, PKI configuration ...
Windows is able to fetch missing certificates!

Thank you,

Eric



Re: NSS, AIA, Bridge

2009-06-05 Thread Nelson B Bolyard
On 2009-06-05 03:16 PDT, Néric wrote:
 
 Hi Nelson,
 
 First of all, thank you very much for your time and for the quality
 answers. I’ve understood everything except one thing:
 Did you really mean that I could have 2 versions of NSS on my computer?
 One for Debian and one specific to Mozilla products.

Yes. Since they have different file names and may live in separate
directories, you can have two flavors at once.

 And then what exactly would be the purpose of Debian NSS?

It is used by Debian's version of mozilla-derived products.  For example,
if I'm not mistaken, Debian has products named IceApe and IceWeasel
which are derived by Debian from Firefox and Thunderbird sources.  They
use Debian's special NSS.

 Also, if there are 2 libraries, do they use the same keystore???

They could.  I'm not aware of any changes that would make the DB files
incompatible between the two versions.

 (For example, in a Windows environment there is Windows Key store and
 one specific to firefox (mozilla), is it the same for Linux, one general 
 keystore and one specific to Mozilla?)

I can't speak for all Linux distros, but I believe the answer for Debian
is Yes.

 I have installed Firefox 3 through my Debian Synaptic package manager (so 
 Firefox 3 is specific to Debian!).

Is Firefox the program that you're trying to get to use AIAs and CDPs?
Firefox does not do that yet, not even when it has NSS 3.12.  Recall that
I wrote:

 NSS 3.12 has a new cert path validation function that will pay
 attention to those extensions, if you tell it to do so in the function
 arguments.  Any program written to use NSS before 3.12 was released
 does not use the new feature.

Firefox 3 does not yet use this new feature.

 Is Firefox 3 always built with the NSS 3.x library (are the two
 3s related) or could I have a Firefox 3 with an NSS 2.y?

No, the two 3's are not related.  When built by the folks at Mozilla,
Firefox 3 always uses NSS 3.12.x.  Firefox 2 always uses NSS 3.11.x.
There are some other parties that build their own versions of Firefox
that use other versions of NSS than the version used by Mozilla.

NSS 2.x was a closed source version of NSS that existed back when it was a
crime in the US to open source crypto code.  It was replaced by NSS 3.x in
the year 2000 when the rules changed.  All open source versions of NSS
have version numbers 3.x.y for some x and y.

 How can I know the version of my NSS???

First, you must know which NSS files are being used by your program.
Then, when you know that, you can find the version number of those NSS files.

The ldd program will tell you which particular NSS file is used by your
program.  For firefox, you may need to run it on the executable and also
on each of Firefox's shared libraries to find the one that uses NSS.

Then once you have found the pathname of the NSS shared library, you can
run the ident program on that shared library file.  If that doesn't work,
you can try this command:
   strings /foo/libnss3.so | fgrep 3.1
where /foo/libnss3.so is replaced by the pathname for your copy as revealed
by the ldd program.

 Thanks a lot, have a nice week end


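The version check Nelson describes above (ldd to find the library, then a scan of the file for its version string), as an added example that is not code from the thread or from NSS. It assumes an unmodified Mozilla build, whose libnss3.so carries a string of the form "Version: NSS 3.x.y" (the string that the `strings ... | fgrep 3.1` command picks out); the ldd output and the library image in the block are constructed samples. It also drops glibc's Name Service Switch modules (libnss_files.so.2, libnss_dns.so.2, ...), which ldd lists under a similar name but which are the other "NSS" mentioned elsewhere in this thread.

```python
"""Find the Mozilla NSS library a program loads and read its version.

Added example following the procedure in this thread: run ldd on the
program and on the shared libraries beside it, pick out the NSS crypto
library, then scan that file for the embedded version string. Assumes an
unmodified Mozilla build whose libnss3.so contains "Version: NSS 3.x.y".
The ldd output and library bytes used below are constructed samples.
"""
import re
import subprocess
from pathlib import Path
from typing import Dict, Optional

# Library base names of an unmodified Mozilla NSS (Debian ships renamed copies).
MOZILLA_NSS_LIBS = ("libnss3", "libnssutil3", "libsmime3", "libssl3", "libsoftokn3")
# ldd line shape: "<tab>libnss3.so => /usr/lib/libnss3.so (0x00007f...)"
LDD_LINE = re.compile(r"^\s*(\S+)\s+=>\s+(\S+)\s+\(0x[0-9a-fA-F]+\)\s*$")
# Version string compiled into libnss3.so, e.g. "Version: NSS 3.12.3 Basic ECC".
NSS_VERSION = re.compile(rb"Version: NSS (\d+(?:\.\d+)+)")


def parse_ldd_output(text: str) -> Dict[str, str]:
    """Map soname -> resolved path; vdso and 'not found' entries have no path and are skipped."""
    libs: Dict[str, str] = {}
    for line in text.splitlines():
        m = LDD_LINE.match(line)
        if m:
            libs[m.group(1)] = m.group(2)
    return libs


def is_glibc_nss_module(soname: str) -> bool:
    """glibc Name Service Switch plugins (libnss_files.so.2, ...) are not the crypto NSS."""
    return soname.startswith("libnss_")


def mozilla_nss_libs(libs: Dict[str, str]) -> Dict[str, str]:
    """Keep only Mozilla NSS crypto libraries out of a parsed ldd result."""
    return {
        so: path for so, path in libs.items()
        if not is_glibc_nss_module(so)
        and any(so.startswith(base + ".") for base in MOZILLA_NSS_LIBS)
    }


def nss_version_from_bytes(data: bytes) -> Optional[str]:
    """Extract the numeric NSS version from a library image, or None if absent."""
    m = NSS_VERSION.search(data)
    return m.group(1).decode("ascii") if m else None


def ldd(path: str) -> Dict[str, str]:
    """Run ldd on a file and parse its output; empty if ldd is missing or the file is not ELF."""
    try:
        proc = subprocess.run(["ldd", path], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return {}
    return parse_ldd_output(proc.stdout)


def find_nss_versions(program: str) -> Dict[str, Optional[str]]:
    """Check the executable and the .so files beside it (Firefox reaches NSS via its own components)."""
    program_path = Path(program)
    targets = [program_path] + sorted(program_path.parent.glob("*.so*"))
    found: Dict[str, str] = {}
    for target in targets:
        found.update(mozilla_nss_libs(ldd(str(target))))
    return {path: nss_version_from_bytes(Path(path).read_bytes()) for path in found.values()}


# Constructed ldd output: Mozilla NSS, a glibc NSS module, libc, and an unresolved library.
SAMPLE_LDD_OUTPUT = """\
\tlinux-vdso.so.1 (0x00007ffd2b5f4000)
\tlibnss3.so => /usr/lib/libnss3.so (0x00007f0b2c800000)
\tlibnss_files.so.2 => /lib/libnss_files.so.2 (0x00007f0b2c600000)
\tlibc.so.6 => /lib/libc.so.6 (0x00007f0b2c400000)
\tlibexample.so => not found
"""
# Constructed stand-in for a libnss3.so image: ELF magic, filler, then the version string.
SAMPLE_LIB_BYTES = b"\x7fELF" + b"\x00" * 12 + b"Version: NSS 3.12.3 Basic ECC\x00" + b"\x00" * 8

if __name__ == "__main__":
    print("NSS crypto libraries:", mozilla_nss_libs(parse_ldd_output(SAMPLE_LDD_OUTPUT)))
    print("version in sample image:", nss_version_from_bytes(SAMPLE_LIB_BYTES))
```

On a real system, `find_nss_versions("/path/to/firefox")` does the whole walk; the parsing and scanning steps are kept as separate functions so they can be checked on captured ldd output without the target installed.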

Re: NSS, AIA, Bridge

2009-06-04 Thread Nelson B Bolyard
On 2009-06-04 02:23 PDT, Néric wrote:
 Context:
 
 I am working on PKI cross certification using a PKI bridge.
 To fetch missing certificates, I use the following AIA certificate
 extension:
 
 CA Issuer: URI : http://_...@ftp_server__/.../bundle.p7c
 
 where bundle.p7c contains the missing certificates (pkcs7 format).

 Mozilla's NSS seems to ignore the AIA extension and doesn't fetch the
 bundle.

All versions of NSS up to (not including) 3.12 do ignore the AIA extension,
and the CRLDP extension, too.  NSS 3.12 has a new cert path validation
function that will pay attention to those extensions, if you tell it to do
so in the function arguments.  Any program written to use NSS before 3.12
was released does not use the new feature.

The currently released version of NSS is 3.12.3.  Version 3.12.4 is
undergoing a FIPS 140-2 evaluation, and will be released when it has been
accepted for FIPS.

 Question:
 
 I found a library on the internet called libpathfinder-nss-1
 (http://packages.debian.org/fr/lenny/libpathfinder-nss-1).
 +++
 Pathfinder is designed to provide a mechanism for any program to perform
 RFC3280-compliant path validation of X.509 certificates, even when some of
 the intermediate certificates are not present on the local machine. It will
 automatically download any such certificates (and their CRLs) from the
 Internet as needed using the AIA and CRL distribution point extensions of
 the certificate it is processing.
 
 This package contains the shared library to allow LibNSS based programs to
 use Pathfinder for their Certificate validation. 
 +++
 
 It seems that this package enables a Debian distribution to do exactly what
 I want! Yet I have installed this library and nothing changed.
 
 Would you have any complementary information on this package?

No.  I have not even heard of it until I read your email.

 It says that it allows LibNSS based programs to use PathFinder, 

It *IS* pathfinder, is it not?  I can well imagine that the pathfinder
library uses pathfinder.  :)

 Is NSS based on LibNSS (is it really the same thing)?

In Unix/Linux, there are two separate libraries known as NSS.  One of them
is the Name Services Switch which decides whether to use DNS or NIS or
LDAP for host name lookup, and the other is Network Security Services
which is the crypto libraries used for SSL by Firefox.

I am guessing that LibNSS (as used in the text you quoted above) refers to
the latter.  Below I will use NSS to refer only to the crypto libraries.
libNSS may be Debian's name for their version of the NSS crypto libraries.

Debian has made numerous changes to NSS.  They've changed the names of
NSS's shared libraries, and certain other things, such as the directories
in which the NSS shared libraries are placed.  I believe they've even
changed the names of many of the public NSS functions.  Consequently, AFAIK,
the only code that works with Debian's NSS is code that was specifically
written (or modified) to work with that.  Code that compiles
and runs with Mozilla's NSS will require modification to build and run with
Debian's NSS, or so I have been led to believe.  Any programs you download
directly from Mozilla will not use Debian's version of NSS.  If you have
downloaded a browser from Mozilla, you probably have two flavors of NSS
installed, one that uses the original file and function names, and Debian's
modified copy.  Debian has its own modified versions of the Mozilla
products (with different names), and those use Debian's modified NSS.

Since you found this PathFinder on a Debian web site, it probably is
written to work with Debian's modified NSS and not with unmodified original
NSS.  So, if your program uses NSS as obtained from Mozilla, it doesn't
surprise me that PathFinder had no effect on it.

 Do I have to change something in my NSS module to allow this library to be
 called or recognized??

I have no idea.

 My last question would be to know if all other X.509 certificate extensions
 were supported (policy mapping, ..)

NSS 3.12's new cert path validation function fully processes all standard
extensions related to certificate policies, if you tell it to do so.
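To make concrete what the AIA extension discussed in this message actually carries, here is an added example (not code from the thread or from NSS) that decodes an AuthorityInfoAccess value with a minimal DER reader and returns its caIssuers and OCSP URIs. The sample extension value and its URLs are constructed for the example; a path builder that honours the extension, such as the NSS 3.12 function Nelson describes, takes the caIssuers URI as the place to fetch the missing issuer certificate or a certs-only PKCS#7 bundle from (RFC 5280 section 4.2.2.1). The reader rejects truncated or malformed input instead of guessing, which is the behaviour one wants from anything that parses attacker-supplied certificates.

```python
"""Decode an X.509 Authority Information Access (AIA) extension value.

Constructed example: a minimal DER reader for AuthorityInfoAccessSyntax
(RFC 5280 section 4.2.2.1), the extension a path builder consults to learn
where the issuer's certificate (or a certs-only PKCS#7 bundle) can be
fetched from. The sample value and its URLs are made up for this example.
"""
from typing import List, Tuple

# id-ad access methods (RFC 5280 section 4.2.2.1).
ACCESS_METHODS = {
    "1.3.6.1.5.5.7.48.1": "ocsp",
    "1.3.6.1.5.5.7.48.2": "caIssuers",
}
TAG_SEQUENCE = 0x30
TAG_OID = 0x06
TAG_URI = 0x86  # GeneralName [6] uniformResourceIdentifier (context-specific, primitive)


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV value runs past the end of the buffer")
    return tag, buf[pos:end], end


def decode_oid(content: bytes) -> str:
    """Decode OBJECT IDENTIFIER content octets (base-128 arcs) to dotted form."""
    if not content or content[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs: List[int] = []
    acc = 0
    for byte in content:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(acc)
            acc = 0
    first = arcs[0]  # the first two arcs are packed as 40*X + Y
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def parse_aia(der: bytes) -> List[Tuple[str, str]]:
    """Return [(access method, URI), ...]; non-URI GeneralName choices are skipped."""
    tag, body, end = read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("AIA value must be exactly one SEQUENCE")
    result: List[Tuple[str, str]] = []
    pos = 0
    while pos < len(body):
        tag, desc, pos = read_tlv(body, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("AccessDescription must be a SEQUENCE")
        tag, oid, p = read_tlv(desc, 0)
        if tag != TAG_OID:
            raise ValueError("accessMethod must be an OBJECT IDENTIFIER")
        tag, name, p = read_tlv(desc, p)
        if p != len(desc):
            raise ValueError("trailing bytes in AccessDescription")
        dotted = decode_oid(oid)
        if tag == TAG_URI:  # IA5String contents of the [6] GeneralName
            result.append((ACCESS_METHODS.get(dotted, dotted), name.decode("ascii")))
    return result


def ca_issuer_uris(der: bytes) -> List[str]:
    """The caIssuers URIs only: where a builder would fetch the missing issuer cert(s)."""
    return [uri for method, uri in parse_aia(der) if method == "caIssuers"]


def _der(tag: int, value: bytes) -> bytes:
    """Short-form DER TLV, enough to build the constructed sample below."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value


# Constructed sample AIA value: one caIssuers entry and one OCSP entry.
# OID content octets for 1.3.6.1.5.5.7.48.2 are 2b 06 01 05 05 07 30 02 (48 = 0x30).
SAMPLE_AIA = _der(TAG_SEQUENCE,
    _der(TAG_SEQUENCE, _der(TAG_OID, bytes.fromhex("2b06010505073002"))
                       + _der(TAG_URI, b"http://ca.example.invalid/bundle.p7c"))
    + _der(TAG_SEQUENCE, _der(TAG_OID, bytes.fromhex("2b06010505073001"))
                         + _der(TAG_URI, b"http://ocsp.example.invalid/")))

if __name__ == "__main__":
    for method, uri in parse_aia(SAMPLE_AIA):
        print(f"{method:10s} {uri}")
```

Only the uniformResourceIdentifier choice is returned; a fetcher built on this would additionally restrict the schemes it is willing to follow and treat whatever it downloads as untrusted input until the chain actually validates to a trust anchor.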