RE: SSLKEYLOGFILE always enabled

2014-07-16 Thread Jonathan Schulze-Hewett
Does having this enabled violate the FIPS 140 requirements on exposing key materials in the clear? Sincerely, Jonathan -Original Message- From: dev-tech-crypto [mailto:dev-tech-crypto-bounces+schulze-hewett=infoseccorp@lists.mozilla.org] On Behalf Of Ryan Sleevi Sent: Tuesday, Jul

Re: certutil - iPaddress SubjectAltName extension

2014-07-16 Thread Kai Engert
On Mon, 2014-07-14 at 23:38 +0200, Bernhard Thalmayr wrote: > Is there any documentation available for '--extSAN' parameter? Mr. > Google did not find any helpful resource. Look at the help output that certutil produces with the -H command: --extSAN type:name[,type:name]... Create a Sub

Re: certutil - iPaddress SubjectAltName extension

2014-07-16 Thread Chris Newman
--On July 16, 2014 17:32:22 +0200 Kai Engert wrote: > On Mon, 2014-07-14 at 23:38 +0200, Bernhard Thalmayr wrote: >> Is there any documentation available for '--extSAN' parameter? Mr. >> Google did not find any helpful resource. > > Look at the help output that certutil produces with the -H com

Re: SSLKEYLOGFILE always enabled

2014-07-16 Thread Robert Relyea
On 07/16/2014 07:31 AM, Jonathan Schulze-Hewett wrote: Does having this enabled violate the FIPS 140 requirements on exposing key materials in the clear? No, because the key logging fails if you are in FIPS mode (It used the PK11_ExtractKeyValue() to get the key, which will return an error in

Re: How to export private key in RSA format from NSS

2014-07-16 Thread Robert Relyea
On 07/15/2014 08:05 PM, Chuck Lee wrote: Yes, but it doesn't work because it also calls PK11_ExportPrivKeyInfo() to get the RSA private key info. Now I am trying to decrypt key exported by PK11_ExportEncryptedPrivKeyInfo() with method SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4 directly,

Re: How to export private key in RSA format from NSS

2014-07-16 Thread Chuck Lee
On 2014/7/17 06:41 AM, Robert Relyea wrote: On 07/15/2014 08:05 PM, Chuck Lee wrote: Yes, but it doesn't work because it also calls PK11_ExportPrivKeyInfo() to get the RSA private key info. Now I am trying to decrypt key exported by PK11_ExportEncryptedPrivKeyInfo() with method SEC_OID_PKCS12_

Re: SSLKEYLOGFILE always enabled

2014-07-16 Thread Falcon Darkstar Momot
When it comes to key material, it's an outstanding idea to err on the side of caution. Does anyone actually require this feature in a non-debug build? If not, then it's completely unreasonable to leave it in such builds, even if it's not the weakest link and even if it doesn't break compliance.