Re: My shy certificate

2006-08-11 Thread Nelson Bolyard
Peter Djalaliev wrote: ftp://ftp.compaq.com/pub/products/security/embedded_security_-_implementation.pdf ...and as the ProtectTools implementation white-paper explains, their Embedded Security Manager uses the TPM to create wrapping keys, which are then used to encrypt the private keys of the

Re: My shy certificate

2006-08-11 Thread Peter Djalaliev
Nelson Bolyard wrote: I would expect that these details all go on beneath the PKCS#11 API layer, and are all hidden inside of the PKCS#11 module. I suspect that the wrapped keys (wherever they physically reside) still appear as PKCS#11 objects in the PKCS#11 slot or token, and would be

Re: My shy certificate

2006-08-11 Thread Peter Djalaliev
Oh, well, I understood that Dave used his Mozilla browser only to navigate to the CA website and click the Buy Now button, not to generate his own private key and CSR. Can Firefox generate private keys? I thought that none of the NSS functionality (except for signing and verifying text) was

Re: My shy certificate

2006-08-10 Thread Peter Djalaliev
Nelson Bolyard wrote: You generated the key pair on a PC that didn't have the TPM chip. So the private key couldn't have been generated in the TPM chip, and when you generated it, mozilla (FF/TB/SM) didn't ask you which device you wanted to use to generate the keypair because, on that

Re: My shy certificate

2006-08-10 Thread Peter Djalaliev
More information on how the TPM enables protected storage can be found starting on p. 145 of the TCPA specification (v. 1.1): https://www.trustedcomputinggroup.org/specs/TPM/TCPA_Main_TCG_Architecture_v1_1b.pdf Regards, Peter

Re: My shy certificate

2006-08-10 Thread Peter Djalaliev
ftp://ftp.compaq.com/pub/products/security/embedded_security_-_implementation.pdf ...and as the ProtectTools implementation white-paper explains, their Embedded Security Manager uses the TPM to create wrapping keys, which are then used to encrypt the private keys of the user. The wrapped keys are

Re: My shy certificate

2006-08-10 Thread Dave Pinn
Thanks for doing some research on this, Peter. I am comforted by the participation of several dedicated and generous souls in the investigation of this problem. It is currently 9:20 pm here in Sydney; I will attempt to contact a techie at HP tomorrow, to see if I can get some answers. I

Re: My shy certificate

2006-08-09 Thread Umesh Bywar
Not sure whether this will help, but I think you can write a function like the one given below. Have a look at security/manager/ssl/src/nsPKCS12Blob.cpp. nsresult nsPKCS12Blob::ImportSSLCertsFromFile(nsILocalFile *file) { nsNSSShutDownPreventionLock locker; nsresult rv; SECStatus srv =

Re: My shy certificate

2006-08-09 Thread Arshad Noor
certutil is the standard Mozilla utility to do this; but since certutil cannot see your certificate, you should attempt to see if the certificate is in the Windows certificate-store (it is more likely that the cert is there than in the Mozilla cert-store). Two ways of verifying this: 1) a)

Re: My shy certificate

2006-08-09 Thread Arshad Noor
Well, you are in luck, Dave - your foresight has worked in your favor. You do have the Private Key; it is inside the P12 file you created (I made the incorrect assumption that the key was generated in the TCP chip and could not be exported). If you enrolled for the certificate using IE, then

Re: My shy certificate

2006-08-09 Thread Bob Relyea
Dave Pinn wrote: Is there a Mozilla utility with which I can attempt to import a certificate *into* my PKCS#11 module? If you are

Re: My shy certificate

2006-08-09 Thread Wan-Teh Chang
This thread makes me want to buy a laptop or PC with a TPM to play with. I'm glad that HP provides a PKCS #11 library for the TPM. Dave, do you need to enter a PIN or password to use the private key stored in the TPM? Wan-Teh

Re: My shy certificate

2006-08-09 Thread Nelson B
Dave One thing that isn't clear to me: how (with what program, by what exact steps) did you originally generate your pair of keys and get your certificate? I'm thinking now that perhaps you did it with some tool that did not use your TPM, and consequently, the private key was never in the TPM.

Re: My shy certificate

2006-08-09 Thread David Pinn
Wan-Teh Chang wrote: Dave, do you need to enter a PIN or password to use the private key stored in the TPM? Yes, Thunderbird asks me for my password to the Embedded Security Chip, presumably as part of its interaction with the TPM via PKCS#11.

Re: My shy certificate

2006-08-09 Thread Dave Pinn
Nelson B wrote: So, assuming that you're the first of many future HP TPM users, please help us to understand exactly how you got that private key in the first place. With pleasure: On a desktop PC, I opened Mozilla Firefox, and navigated to

Re: My shy certificate

2006-08-08 Thread Nelson B Bolyard
Dave Pinn wrote: Nelson B wrote: Best bet is to get a formatted listing of the certificate itself, showing all the extensions and their criticality. OK, here goes: Non-critical X.509 version 3 extensions: * CRL Distribution Points * Authority Key Identifier * Subject Key Identifier

Re: My shy certificate

2006-08-08 Thread Dave Pinn
Nelson B Bolyard wrote: ... 1) use modutil to get a listing of all the PKCS#11 modules that have been configured into Thunderbird. If your new laptop's PKCS#11 module is not among them, that's the first thing to fix. ... I downloaded the NSS 3.11 binary build for WINNT5.0 - there were no

Re: My shy certificate

2006-08-08 Thread Dave Pinn
I created the .netscape directory, and plonked into it the following files from my Thunderbird profile directory: 1. cert8.db 2. key3.db 3. secmod.db I then ran modutil -list, which produced the following output: Listing of PKCS #11 Modules

Re: My shy certificate

2006-08-08 Thread Dave Pinn
I ran certutil -L, which produced the following output (some lines deleted to protect my privacy): Gatekeeper TYPE 3 CA - eSign Australia CT,C,C Gatekeeper Grade 3 Individual CA - eSign Australia CT,C,C Gatekeeper Root CA - eSign Australia

Re: My shy certificate

2006-08-08 Thread Nelson Bolyard
Dave Pinn wrote: Nelson B Bolyard wrote: ... 1) use modutil to get a listing of all the PKCS#11 modules that have been configured into Thunderbird. If your new laptop's PKCS#11 module is not among them, that's the first thing to fix. ... I downloaded the NSS 3.11 binary build for

Re: My shy certificate

2006-08-08 Thread Dave Pinn
Nelson Bolyard wrote: Try certutil -L -h all to get a list of all certs in all slots. X:\ThunderbirdProfile>certutil -L -h all -d . Enter Password or Pin for Embedded Security Chip: Gatekeeper Root CA - eSign Australia CT,C,C Gatekeeper Grade 3 Individual CA - eSign

Re: My shy certificate

2006-08-08 Thread Nelson B
Dave Pinn wrote: or try with the token name certutil -L -h "Embedded Security Chip" X:\ThunderbirdProfile>certutil -L -h "Embedded Security Chip" -d . Enter Password or Pin for Embedded Security Chip: X:\ThunderbirdProfile> That cannot be good, and Yes, I'm sure that I got the password