Re: failed to generate key using window.crypto.generateCRMFRequest() method
Subrata Mazumdar wrote:
> Thanks Wan-Teh for the suggestion. No, requiring custom version of Firefox to use ECC key based certificate enrollment is not realistic. It just does not seem right to disable access to all licensed ECC implementation just because Mozilla wants to disable the ECC implementation in the NSS soft-token. But, I am not going to question developer's decision because they have to live with the consequences.
> --
> Subrata
>
> Wan-Teh Chang wrote:
>> If it is an option for you to use custom-built NSS libraries with Firefox, you can follow the instructions at http://pki.fedoraproject.org/wiki/ECC_Capable_NSS to build a version of NSS that doesn't have a built-in ECC implementation but can be configured to use a third-party ECC implementation with no crippled functionality. That wiki page is intended for exactly your scenario.

Technically, he's only suggesting you build a custom set of NSS libraries. You don't really need to do a full custom Firefox. I can attest that the linked wiki directions do work as I've used them myself to enable (ready for a laugh?) a Certicom ECC capable PKCS#11 module.

Dave
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: failed to generate key using window.crypto.generateCRMFRequest() method
Thanks Wan-Teh for the suggestion. No, requiring custom version of Firefox to use ECC key based certificate enrollment is not realistic. It just does not seem right to disable access to all licensed ECC implementation just because Mozilla wants to disable the ECC implementation in the NSS soft-token. But, I am not going to question developer's decision because they have to live with the consequences.
--
Subrata

Wan-Teh Chang wrote:
> On Thu, May 14, 2009 at 8:53 PM, Subrata Mazumdar wrote:
>> I just have another question. According to the source code (http://mxr.mozilla.org/security/source/security/nss/lib/cryptohi/secsign.c#92) signing with EC key is disabled irrespective of underlying security device. What about if I am using a Smart Card with licensed ECC implementation, such as Athena's ASECard?
>
> If it is an option for you to use custom-built NSS libraries with Firefox, you can follow the instructions at http://pki.fedoraproject.org/wiki/ECC_Capable_NSS to build a version of NSS that doesn't have a built-in ECC implementation but can be configured to use a third-party ECC implementation with no crippled functionality. That wiki page is intended for exactly your scenario.
>
> Wan-Teh
Re: failed to generate key using window.crypto.generateCRMFRequest() method
On Thu, May 14, 2009 at 8:53 PM, Subrata Mazumdar wrote:
> I just have another question. According to the source code
> (http://mxr.mozilla.org/security/source/security/nss/lib/cryptohi/secsign.c#92)
> signing with EC key is disabled irrespective of underlying security device.
> What about if I am using a Smart Card with licensed ECC implementation, such
> as Athena's ASECard?

If it is an option for you to use custom-built NSS libraries with Firefox, you can follow the instructions at http://pki.fedoraproject.org/wiki/ECC_Capable_NSS to build a version of NSS that doesn't have a built-in ECC implementation but can be configured to use a third-party ECC implementation with no crippled functionality. That wiki page is intended for exactly your scenario.

Wan-Teh
Re: failed to generate key using window.crypto.generateCRMFRequest() method
Subrata Mazumdar wrote, On 2009-05-14 20:53:
> I just have another question. According to the source code
> (http://mxr.mozilla.org/security/source/security/nss/lib/cryptohi/secsign.c#92)
> signing with EC key is disabled irrespective of underlying security
> device. What about if I am using a Smart Card with licensed ECC
> implementation, such as Athena's ASECard?

That doesn't help with the "normal" Firefox build. As you can see, unless NSS is built with "NSS_ECC_MORE_THAN_SUITE_B", it will disallow the creation of a signature (through this code path) with ECC regardless of the underlying implementation. Such is the grip of fear over the patents.
Re: failed to generate key using window.crypto.generateCRMFRequest() method
Nelson B Bolyard wrote:
> Kaspar Brand wrote, On 2009-05-13 22:16:
>> Subrata Mazumdar wrote:
>>> As I have said in the earlier message, I have no problem in generating EC key-pair. I get error when I try to sign the request using the private key.
>>
>> Maybe you're falling prey to this bug?
>>
>> https://bugzilla.mozilla.org/show_bug.cgi?id=367577
>
> I think that must be it.

Thanks - it now makes sense why the generateCRMFRequest() method did not work for EC keys.

I just have another question. According to the source code (http://mxr.mozilla.org/security/source/security/nss/lib/cryptohi/secsign.c#92) signing with EC key is disabled irrespective of underlying security device. What about if I am using a Smart Card with licensed ECC implementation, such as Athena's ASECard?
Re: failed to generate key using window.crypto.generateCRMFRequest() method
Kaspar Brand wrote, On 2009-05-13 22:16:
> Subrata Mazumdar wrote:
>> As I have said in the earlier message, I have no problem in generating
>> EC key-pair. I get error when I try to sign the request using the
>> private key.
>
> Maybe you're falling prey to this bug?
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=367577

I think that must be it.
Re: failed to generate key using window.crypto.generateCRMFRequest() method
Subrata Mazumdar wrote:
> As I have said in the earlier message, I have no problem in generating
> EC key-pair. I get error when I try to sign the request using the
> private key.

Maybe you're falling prey to this bug?

https://bugzilla.mozilla.org/show_bug.cgi?id=367577

Kaspar
Re: failed to generate key using window.crypto.generateCRMFRequest() method
Subrata Mazumdar wrote, On 2009-05-13 17:58:
> Nelson B Bolyard wrote:
>> That's strange. Your DSA test code should NOT have worked. I wonder
>> how it could have worked, given that you supplied no "params".
> According to the source code
> (http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/nsCrypto.cpp#610),
> if keyParams is given, it returns error for DSA. It seems that a
> default keyparams is generated for all cases.

Thanks for spotting that. That's seriously brain dead. No real issuer of DSA certs would ever fail to specify the params. So, the useless case works, and the useful case fails. I'll add a note to bug 488059.

> As I have said in the earlier message, I have no problem in generating
> EC key-pair. I get error when I try to sign the request using the
> private key.

When *You* do that? Do you mean when generateCRMFRequest does that?

> Since KEYGEN tag also generates signed CRMF request string, and it works
> for you, I will try harder to figure out what I am doing wrong.

KEYGEN generates a different format request, an SPKAC, not a CRMF request. But the crypto methods involved are similar.

> The key generation dialog comes up for EC key type but no CRMF request
> object is generated. Here is the HTTP message (that I have captured
> using 'Live HTTP headers' add-on) that is sent to the server :
> [...]
>
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 44
>
> EC+public+key=High+Grade&createcert=Generate
>               ^^
> Actual Base-64 CRMF request string should be in place of
> 'High+Grade'. I get the same error for DSA key type.

Interesting.

> When I use the KEYGEN link for RSA key type, I see the complete Base64
> CRMF request string.

SPKAC request string.

Please file Bugzilla bugs on these issues. Product=Core, Component=Security:PSM
Re: failed to generate key using window.crypto.generateCRMFRequest() method
Nelson B Bolyard wrote:
> Subrata Mazumdar wrote, On 2009-05-13 06:45 PDT:
>> The key generation now works for RSA and DSA key types but it still fails for EC key type.
>>
>>     else if (keyType == "dsa") {
>>         keyGenAlg = "dsa-sign-nonrepudiation";
>>         keyParams = null;
>>     }

According to the source code (http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/nsCrypto.cpp#610), if keyParams is given, it returns error for DSA. It seems that a default keyparams is generated for all cases.

> That's strange. Your DSA test code should NOT have worked. I wonder how it could have worked, given that you supplied no "params".
>
>> Is key generation for EC type supported on Firefox 3.0.10?
>
> I believe so. I was able to generate an EC key pair with . I don't know why it would fail with CRMF if it works with KEYGEN.

As I have said in the earlier message, I have no problem in generating EC key-pair. I get error when I try to sign the request using the private key. Since KEYGEN tag also generates signed CRMF request string, and it works for you, I will try harder to figure out what I am doing wrong.

>> The main reason I am testing this method is I failed to generate key for DSA and EC types using keygen tag.
>
> The fact that DSA is broken is a known bug. Bug 488059.
>
>> I have tried all three links at the bottom of this page: https://developer.mozilla.org/En/HTML/HTML_Extensions/KEYGEN_Tag. I only see key-generation dialog for RSA key type.
>
> Well, the dialog only stays up as long as the operation takes, and the operation is VERY fast for all but RSA. But I just tried those links with FF 3.0.10 and also with FF 3.5 Beta, and I did see it (briefly) for EC, as well as for RSA.

The key generation dialog comes up for EC key type but no CRMF request object is generated. Here is the HTTP message (that I have captured using 'Live HTTP headers' add-on) that is sent to the server :

    POST /cgi-bin/ce1.php HTTP/1.1
    Host: bug474958.bugzilla.mozilla.org
    User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.10) Gecko/2009042315 Firefox/3.0.10 Ubiquity/0.1.4
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    Referer: https://bug474958.bugzilla.mozilla.org/attachment.cgi?id=372342
    Cookie: __utma=150903082.2014591713.1195935669.1230593626.1235229387.47; dloadday=198.152.12.67.121665331661; __utmz=150903082.1235229387.47.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 44

    EC+public+key=High+Grade&createcert=Generate
                  ^^

Actual Base-64 CRMF request string should be in place of 'High+Grade'. I get the same error for DSA key type. When I use the KEYGEN link for RSA key type, I see the complete Base64 CRMF request string.

> By the way those 3 links are actually links to attachments to bug 474958. Perhaps the next logical step is to construct some similar test pages for generateCRMFRequest.
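The POST captured in the message above carries the option label `High Grade` where the key-request blob should be, and an enrollment endpoint can reject that case before the value reaches a CA. The sketch below is an added example, not code from the thread or from Mozilla: the function names, the field list and the small DER value are constructed for illustration, and only the captured body string comes from the message. It checks the outer DER framing only, not the request's contents or signature.

```javascript
// Body exactly as captured in the message above.
const CAPTURED_BODY = "EC+public+key=High+Grade&createcert=Generate";
// Constructed sample: base64 of the 5-byte DER SEQUENCE 30 03 02 01 05.
const CONSTRUCTED_GOOD_BODY = "EC+public+key=MAMCAQU%3D&createcert=Generate";

// Parse one DER tag/length header at offset `off`; null when malformed.
function readDerHeader(buf, off) {
  if (off + 2 > buf.length) return null;
  const tag = buf[off];
  let len = buf[off + 1];
  let hdr = 2;
  if (len & 0x80) {
    // Long form: the low 7 bits give the number of length bytes that follow.
    const n = len & 0x7f;
    if (n === 0 || n > 4 || off + 2 + n > buf.length) return null;
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + buf[off + 2 + i];
    hdr += n;
  }
  return { tag, len, hdr };
}

// True when `value` is strict base64 that decodes to exactly one DER SEQUENCE.
// Buffer.from() silently skips invalid characters, so the alphabet is checked first.
function looksLikeDerRequest(value) {
  const compact = value.replace(/[\r\n]/g, "");
  if (compact.length < 8 || compact.length % 4 !== 0) return false;
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(compact)) return false;
  const der = Buffer.from(compact, "base64");
  const h = readDerHeader(der, 0);
  return h !== null && h.tag === 0x30 && h.hdr + h.len === der.length;
}

// Classify the named key fields of an application/x-www-form-urlencoded body.
// `keyFields` holds decoded field names (URLSearchParams turns '+' into a space).
function auditEnrollmentPost(body, keyFields) {
  const params = new URLSearchParams(body);
  return keyFields.map((field) => {
    if (!params.has(field)) return { field, status: "missing" };
    const value = params.get(field);
    const ok = looksLikeDerRequest(value);
    return { field, status: ok ? "der-request" : "not-a-request", value: ok ? undefined : value };
  });
}

console.log(auditEnrollmentPost(CAPTURED_BODY, ["EC public key"]));
console.log(auditEnrollmentPost(CONSTRUCTED_GOOD_BODY, ["EC public key"]));
```

A field reported as `not-a-request` means the browser submitted the form without generating or attaching a key, which is the failure the thread describes.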
Re: failed to generate key using window.crypto.generateCRMFRequest() method
Subrata Mazumdar wrote, On 2009-05-13 06:45 PDT:
> The key generation now works for RSA and DSA key types but it still fails
> for EC key type.
>>     else if (keyType == "dsa") {
>>         keyGenAlg = "dsa-sign-nonrepudiation";
>>         keyParams = null;
>>     }

That's strange. Your DSA test code should NOT have worked. I wonder how it could have worked, given that you supplied no "params".

> Is key generation for EC type supported on Firefox 3.0.10?

I believe so. I was able to generate an EC key pair with . I don't know why it would fail with CRMF if it works with KEYGEN.

>> The main reason I am testing this method is I failed to generate key for
>> DSA and EC types using keygen tag.

The fact that DSA is broken is a known bug. Bug 488059.

>> I have tried all three links at the bottom of this page:
>> https://developer.mozilla.org/En/HTML/HTML_Extensions/KEYGEN_Tag.
>> I only see key-generation dialog for RSA key type.

Well, the dialog only stays up as long as the operation takes, and the operation is VERY fast for all but RSA. But I just tried those links with FF 3.0.10 and also with FF 3.5 Beta, and I did see it (briefly) for EC, as well as for RSA.

By the way those 3 links are actually links to attachments to bug 474958. Perhaps the next logical step is to construct some similar test pages for generateCRMFRequest.
Re: failed to generate key using window.crypto.generateCRMFRequest() method
Thanks David.

For EC, if no curve name is given then the type of keysize is used to pick either P-256 or P-384 curve. I tried with and without curve name - it fails in both cases.

I also looked into the source code (.../security/manager/ssl/src/nsCrypto.cpp) of PSM for FF3. The support for EC seems to be enabled. There are no #ifdef for NS_ENABLE_ECC any more. I even tried with FF3.5beta - it still does not work.

Actually, the key generation part works but the signing of the public key does not work. I have verified this through separate key generation and signing steps.
--
Subrata

David Stutzman wrote:
> Subrata Mazumdar wrote:
>> On further testing and reading the description of generateCRMFRequest() method doc, I figured out why the key generation was failing. I have to pass keySize as integer type not string type.
>>
>> The key generation now works for RSA and DSA key types but it still fails for EC key type. Is key generation for EC type supported on Firefox 3.0.10?
>
> EC keys need a curve (for instance the NIST P-256 or P-384 prime curves), not an integer keysize, so they probably need something different for that param. Unfortunately, I don't know anything specific about the generateCRMFRequest() method so I can't tell you exactly what you need to do. Depending on how the NSS for that firefox was compiled, it may or may not support ECC at all.
>
> Dave
>
>> --
>> Subrata
Re: failed to generate key using window.crypto.generateCRMFRequest() method
On Wed, May 13, 2009 at 08:16:39AM -0400, Subrata Mazumdar wrote:
> Hi,
> I am not able to generate key using window.crypto.generateCRMFRequest()

check: https://developer.mozilla.org/En/JavaScript_crypto/GenerateCRMFRequest

this works for me:

    m=crypto.generateCRMFRequest("CN=vvv", "regToken", null, null, 'f' , 1024, null, "rsa-dual-use")
Re: failed to generate key using window.crypto.generateCRMFRequest() method
Subrata Mazumdar wrote:
> On further testing and reading the description of generateCRMFRequest() method doc, I figured out why the key generation was failing. I have to pass keySize as integer type not string type.
>
> The key generation now works for RSA and DSA key types but it still fails for EC key type. Is key generation for EC type supported on Firefox 3.0.10?

EC keys need a curve (for instance the NIST P-256 or P-384 prime curves), not an integer keysize, so they probably need something different for that param. Unfortunately, I don't know anything specific about the generateCRMFRequest() method so I can't tell you exactly what you need to do. Depending on how the NSS for that firefox was compiled, it may or may not support ECC at all.

Dave
Re: failed to generate key using window.crypto.generateCRMFRequest() method
On further testing and reading the description of generateCRMFRequest() method doc, I figured out why the key generation was failing. I have to pass keySize as integer type not string type.

    function testKeyGeneration()
    {
        // keySize is now passed as an integer
        doGenerateCRMFCSRByCryptoTest("cn=xxx,o=abc.com", "rsa", parseInt("1024"));
        doGenerateCRMFCSRByCryptoTest("cn=xxx,o=abc.com", "dsa", parseInt("1024"));
        doGenerateCRMFCSRByCryptoTest("cn=xxx,o=abc.com", "ec", parseInt("1024"));
    }

The key generation now works for RSA and DSA key types but it still fails for EC key type. Is key generation for EC type supported on Firefox 3.0.10?
--
Subrata

Subrata Mazumdar wrote:
> Hi,
> I am not able to generate key using window.crypto.generateCRMFRequest() method. I have tried all three possible types : rsa, dsa, and ec. I have attached my test code fragment. I am running the test within an add-on - on Firefox 3.0.10/Fedora8. I am getting NS_ERROR_FAILURE in exception message.
>
>     function testKeyGeneration()
>     {
>         // keySize is passed as a string here
>         doGenerateCRMFCSRByCryptoTest("cn=xxx,o=abc.com", "rsa", "1024");
>         doGenerateCRMFCSRByCryptoTest("cn=xxx,o=abc.com", "dsa", "1024");
>         doGenerateCRMFCSRByCryptoTest("cn=xxx,o=abc.com", "ec", "1024");
>     }
>
>     var crmfObject = null;
>     function doGenerateCRMFCSRByCryptoTest(subject, keyType, keySize)
>     {
>         // For more info: https://developer.mozilla.org/En/JavaScript_crypto/GenerateCRMFRequest
>         var reqDN = subject;            // argv[0]
>         var regTokenArg = null;         // argv[1]
>         var authenticatorArg = null;    // argv[2]
>         var escrowCertArg = null;       // argv[3]
>         var jsCallbackArg = doGenerateCRMFCSRByCryptoCB(); // argv[4]
>         var keyParams = null;
>         var keyGenAlg = null;
>         // var keyGenAlg = "rsa-dual-use";
>
>         // Pick the key generation algorithm and parameters for the key type
>         if (keyType == "rsa") {
>             keyGenAlg = "rsa-dual-use";
>             keyParams = null;
>         }
>         else if (keyType == "dsa") {
>             keyGenAlg = "dsa-sign-nonrepudiation";
>             keyParams = null;
>         }
>         if (keyType == "ec") {
>             keyGenAlg = "ec-dual-use"; // ec-sign-nonrepudiation | ec-sign | ec-nonrepudiation | ec-ex
>             keyParams = "curve=secp256r1";
>         }
>         try {
>             crmfObject = window.crypto.generateCRMFRequest(
>                 subject,
>                 regTokenArg,
>                 authenticatorArg,
>                 escrowCertArg,
>                 jsCallbackArg,
>                 keySize,
>                 keyParams,
>                 keyGenAlg
>             );
>         } catch (ex) {
>             dump("doGenerateCRMFCSRByCryptoTest(): window.crypto.generateCRMFRequest() failed - " + ex + "\n");
>             return;
>         }
>         alert("crmfObject.request: " + crmfObject.request);
>     }
>
>     function doGenerateCRMFCSRByCryptoCB()
>     {
>         dump("uploadCRMFCSRForm.js: doGenerateCRMFCSRByCryptoDummyCB(): ..Start.\n");
>         dump("uploadCRMFCSRForm.js: doGenerateCRMFCSRByCryptoDummyCB(): ..End.\n");
>     }
>
> What am I doing wrong? It used to work for RSA key type on Firefox 1.5. I have not used the code since then.
>
> The main reason I am testing this method is I failed to generate key for DSA and EC types using keygen tag. So I thought that I will see if the key generation work using the window.crypto.generateCRMFRequest() method. I have tried all three links at the bottom of this page: https://developer.mozilla.org/En/HTML/HTML_Extensions/KEYGEN_Tag. I only see key-generation dialog for RSA key type. For other two cases, keys are not generated - instead the choice name (HIGH or MEDIUM) is used for the key.
>
> Any help will be greatly appreciated.
> Thanks.
failed to generate key using window.crypto.generateCRMFRequest() method
Hi,
I am not able to generate key using window.crypto.generateCRMFRequest() method. I have tried all three possible types : rsa, dsa, and ec. I have attached my test code fragment. I am running the test within an add-on - on Firefox 3.0.10/Fedora8. I am getting NS_ERROR_FAILURE in exception message.

    function testKeyGeneration()
    {
        // keySize is passed as a string here
        doGenerateCRMFCSRByCryptoTest("cn=xxx,o=abc.com", "rsa", "1024");
        doGenerateCRMFCSRByCryptoTest("cn=xxx,o=abc.com", "dsa", "1024");
        doGenerateCRMFCSRByCryptoTest("cn=xxx,o=abc.com", "ec", "1024");
    }

    var crmfObject = null;
    function doGenerateCRMFCSRByCryptoTest(subject, keyType, keySize)
    {
        // For more info: https://developer.mozilla.org/En/JavaScript_crypto/GenerateCRMFRequest
        var reqDN = subject;            // argv[0]
        var regTokenArg = null;         // argv[1]
        var authenticatorArg = null;    // argv[2]
        var escrowCertArg = null;       // argv[3]
        var jsCallbackArg = doGenerateCRMFCSRByCryptoCB(); // argv[4]
        var keyParams = null;
        var keyGenAlg = null;
        // var keyGenAlg = "rsa-dual-use";

        // Pick the key generation algorithm and parameters for the key type
        if (keyType == "rsa") {
            keyGenAlg = "rsa-dual-use";
            keyParams = null;
        }
        else if (keyType == "dsa") {
            keyGenAlg = "dsa-sign-nonrepudiation";
            keyParams = null;
        }
        if (keyType == "ec") {
            keyGenAlg = "ec-dual-use"; // ec-sign-nonrepudiation | ec-sign | ec-nonrepudiation | ec-ex
            keyParams = "curve=secp256r1";
        }
        try {
            crmfObject = window.crypto.generateCRMFRequest(
                subject,
                regTokenArg,
                authenticatorArg,
                escrowCertArg,
                jsCallbackArg,
                keySize,
                keyParams,
                keyGenAlg
            );
        } catch (ex) {
            dump("doGenerateCRMFCSRByCryptoTest(): window.crypto.generateCRMFRequest() failed - " + ex + "\n");
            return;
        }
        alert("crmfObject.request: " + crmfObject.request);
    }

    function doGenerateCRMFCSRByCryptoCB()
    {
        dump("uploadCRMFCSRForm.js: doGenerateCRMFCSRByCryptoDummyCB(): ..Start.\n");
        dump("uploadCRMFCSRForm.js: doGenerateCRMFCSRByCryptoDummyCB(): ..End.\n");
    }

What am I doing wrong? It used to work for RSA key type on Firefox 1.5. I have not used the code since then.

The main reason I am testing this method is I failed to generate key for DSA and EC types using keygen tag. So I thought that I will see if the key generation work using the window.crypto.generateCRMFRequest() method. I have tried all three links at the bottom of this page: https://developer.mozilla.org/En/HTML/HTML_Extensions/KEYGEN_Tag. I only see key-generation dialog for RSA key type. For other two cases, keys are not generated - instead the choice name (HIGH or MEDIUM) is used for the key.

Any help will be greatly appreciated.
Thanks.