TLS logout in Firefox

Hi, I can't help it, but TLS client cert auth is really a very crappy system when used in browsers. I was a little bit surprised once when I logged on to the Swedish tax department, then did logout, and returned still being logged in! Microsoft "solved" this years ago by offering a document.execCommand('ClearAuthenticationCache') non-standard extension. What non-standard quirky thing works in Firefox? Anders

NSS 3.12.6 is RTM.

This is a cryptographically signed message in MIME format. --------------ms070201060705020103030306 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable The NSS team has just RTM'ed NSS 3.12.6. The primary feature of NSS 3.12.6 is support for the TLS Renegotiation In= dication Extension, RFC 5746. Release notes are forthcoming with other additions and bug fixes. In addition, a new version of JSS has been released, JSS 4.3.2 which allo= ws application to control the default behaviors in using the extension. For JSS 4.3.2 see: https://bugzill

popChallengeResponse sample code?

Hello I consider writing a SASL plugin for performing certificate-based browser to LDAP directeory authentication, over an unprivilegied web application. The idea is that the LDAP directroy would send a nonce, and the browser should send it back signed. popChallengeResponse seems do do what I need: https://developer.mozilla.org/en/PopChallengeResponse But there is not a lot of information about that function. Is there any sample code using it? -- Emmanuel Dreyfus http://hcpnet.free.fr/pubz manu@netbsd.org

marvendas@gmail.com Kit completo de Solenoides ( solenoid ) + chicote Para Cambio automatico 01M hidramatico Audi A3 Vw Golf gti turbo 00799

Contato: marvendas@gmail.com marvendas @ gmail.com marvendas no gmail.com Kit completo de solenoides para Volkswagem e Audi. O kit contem: 5 solenoides 2 Epc ( solenoides de pressao ) 1 Chicote Serve para qualquer modelo VW ou Audi fabricados de 1995 ate hoje com o cambio automatico de 4 marchas � 01M Pre�o: R$ 1900.00 Temos outras tipos de solenoides e artigos importados, nao deixe de fazer uma consulta antes de comprar! Audi a3 automatico Audi a3 1.8 t automatico Audi a3 1.8 turbo automatico VW Golf gti automatico VW Golf 2.0 automatico VW Golf 1.8 turbo auto

List/remove cached S/MIME capabilities

HI! I'm using Seamonkey 2.0.3 under Linux. Is there a way to list and tweak the cached S/MIME capabilities for certain recipients? Ciao, Michael. -- Michael Str�der E-Mail: michael@stroeder.com http://www.stroeder.com

Using NSS TLS renegotiation fix when using SunJSSE

hi, I'm using SunPKCS11 provider which is associated with NSS (NSS version 3.12.5). the SunPKCS11 provider is configured to be used as the provider of a Tomcat server. SSL/TLS renegotiation is disabled by default in NSS 3.12.5, but i'm still getting indication that the TLS renegotiation is enabled. (using Nessus tool) how should i configure Tomcat or Sun provider to use NSS capability to disable the SSL/TLS renegotiation? should i use JSS socket within my Tomcat's socket factory to achieve that? Thanks, abarak -- View this message in context: http://old.nabble.com/U

Does anyone make Mozilla JSS 4.3.1/NSS 3.12.4 work at Android ?

--000e0ce0d6360c70b2047f65158b Content-Type: text/plain; charset=ISO-8859-1 Hi, Does anyone make Mozilla JSS 4.3.1/NSS 3.12.4 work at Android ? Best regards. mli --000e0ce0d6360c70b2047f65158b Content-Type: text/html; charset=ISO-8859-1 Hi,<br> <br> Does anyone make Mozilla JSS 4.3.1/NSS 3.12.4 work at Android ?<br> <br> Best regards.<br> mli --000e0ce0d6360c70b2047f65158b--

Firefox does not show "Choose Security Device" when requesting certificate

Hello, We have been developing a PKCS#11 DLL for our smart card. Recently we are testing it in Firefox 3.6. When we try to request a certificate in GlobalSign (http://secure.globalsign.net/phoenixng/verify.cfm? id=1126660234&reset=yes) The "Choose Security Device" box is not shown and it automatically generates the Key-pair in the "Software Security Device". We can say this since after the e-mail verification and installation, viewing the newly requested certificate in Firefox says its stored in "Software Security Device" We can say that our PKCS#11 is working fine since this scen

CKA_SIGN and CKA_VERIFY

Hi, In the sample that I am working on, I need to decrypt the mac appended plaintext. But while verifying the MAC, I am using the below context to call PK11_DigestFinal. PK11_CreateContextBySymKey(CKM_MD5_HMAC, CKA_VERIFY, mk, &noParams); (where mk is MAC key.) But the call PK11_DigestFinal is returning -8191 (Library failure). The code is failing at the below place in security/nss/lib/pk11wrap/pk11cxt.c case CKA_VERIFY: crv=PK11_GETTAB(context->slot)->C_VerifyFinal(context->session, data,len); Can someone please advi

can't seem to init SQLite db with JSS 4.3.1

I recently built NSS 3.12.5/NSPR4.8.2 and JSS 4.3.1 on a RHEL4.8 system (SUN JDK 1.6u18). certutil works fine with -d sql:., but JSS tosses an exception when I try to initialize pointing to a (freshly created with certutil) SQLite DB whereas it will initialize with the legacy db format. Exception in thread "main" java.lang.SecurityException: Unable to initialize security library at org.mozilla.jss.CryptoManager.initializeAllNative(Native Method) at org.mozilla.jss.CryptoManager.initialize(CryptoManager.java:919) at org.mozilla.jss.CryptoManager.initial

How to get CKA_ID from a symmetric key?

Hi, I am looking at https://bugzilla.mozilla.org/show_bug.cgi?id=490238 and working on writing these sample programs. For one of the sample programs (#3) listed, I need to find a way to get CKA_ID from a symmetric key and display. Is there any public API to get the CKA_ID from a symmetric key ? I could use the below 2 APIs to get CKA_ID but they are not listed in security/nss/lib/nss/nss.def PK11_FindObjectsFromNickname pk11_GetLowLevelKeyFromHandle Please advise. Thanks, Shailendra

Accessing Certificate "Issuer" and "Issued to" in mozilla using JS

Hi, How can i access the "Issuer" and "Issued to" of the selected digital certificate in JavaScript in firefox? For Internet Explorer, CAPICOM provides API to do this but for firefox i'm not able to. I've tried using window.crypto. Example Java Script code: try { result = window.crypto.signText("Something to sign","ask"); if(result == 'error:userCancel' || result == 'error:internalError' || result == 'error:noMatchingCert'){ // alert(" Result="+result+". Staying back. "); return null ; } } catch(ex) { } There's one way. if siging is successfu

Certificate Extensions

--000e0cdfd95237cfb6047d2275ef Content-Type: text/plain; charset=ISO-8859-1 Hi, I was looking over Tech Note 3 ( http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn3.html) about certificate extensions. Could anyone comment on the new values in SECCertUsageEnum (certUsageUserCertImport, certUsageProtectedObjectSigner, certUsageAnyCA) and how they might affect key usages and cert types. Thanks, Kai --000e0cdfd95237cfb6047d2275ef Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Hi,<br><br>I was looking over Tech Note 3 (<a

Memory leak in handshake

--Apple-Mail-48--507180599 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=us-ascii Hello, Attempting to find a memory leak in my application, I wrote a simple = test server to narrow the leak down to the NSS code. It seems that if I = call SSL_ConfigSecureServer() on the client socket rather than the = listener, it leaks memory during every handshake. My socket listener = code accepts client connections natively, then passes the file = descriptors off to my NSS code, which wraps them using SSL_ImportFD() = and SSL_ConfigSecureServer(). =46rom

Defining custom token objects: CKO_DATA or derive from CKO_VENDOR_DEFINED class?

Hi, I've been debugging openCryptoki for compatibility problems with Mozilla NSS, and I noted that, when creating a certificate using certutil, Mozilla NSS tries to create a token object with CKA_CLASS=0xce534353, which is the 'vendor defined' class CKO_NSS_TRUST, defined as ((CKO_VENDOR_DEFINED|NSSCK_VENDOR_NSS) + 3). This breaks openCryptoki as it is not expecting to be able to create custom objects (via C_CreateObject) using a 'vendor defined' class type (but only CKO_DATA objects apparently). Checking the spec (particularly v2.11 which ock implements), it reads: "

NSS build (pk12utils) with release option problem

Hello everyone, I'd like to use tool called pk12utils (I want to import certificate from console) however when I compile NSS with mozilla-build I always get debug build so when I copy all the program to machine without debug libraries I got an error that system cant open the file. I'm using windows and visual 2008 that's variables with I set with console: set OS_TARGET=WINNT set BUILD_OPT=1 make nss_build_all but I still get debug build. Where is the problem? Am I missing something? Thanks for all answers Gordon

My new role in 2010

Dear readers of dev-tech-crypto (and others BCC'ed): For over 13 years now I've been employed to work full time as a developer of NSS and NSPR, but beginning in January 2010, I shall have a new job where NSS is not part of my job description. Consequently, I will have very much less time per week to devote to NSS and NSPR than I've had at any time in the last decade. I will probably only have a little time on nights and weekends to devote to it. I intend to complete the implementation of the new TLS renegotiation specification, hopefully before the end of January. After that, m

Looks like ECC sign/verify has a bug.

Hello. I have noticed, the following method is used in the ECC sign/verify routines to derive 'e' integer from a digest: ----( begin cite )---- /* In the definition of EC signing, digests are truncated * to the length of n in bits. * (see SEC 1 "Elliptic Curve Digit Signature Algorithm" section 4.1.*/ if (digest->len*8 > ecParams->fieldID.size) { /* u1 = HASH(M') */ mpl_rsh( &u1, &u1, digest->len*8 - ecParams->fieldID.size ); } ----( end cite )---- See the same at cvs blame: http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/securit

Re: cert extension: authority key identifier (AKI)

Hi all, I found it here http://www.mozilla.org/projects/security/certs/policy/ thank you very much for all the explanations, especially the one with the "silent upgrade" by Jean-Marc. I still don't understand Mozilla's requirement in case "silent" upgrade is not required (furthermore, prohibited by some other regulations) and if we are careful about the dates of expirations of the CA's and end's certificates. Why is it "incorrect extension" or almost always a "huge mistake"? (authority key IDs that include both the key ID and the issuer's issuer name and serial number)". I think t

heads up for compilation of JSS using mozilla-build (MSYS) on Win32

I just ran into this error and was about to post saying wtf but figured out my issue and am posting this in case someone else runs into the same problem. If the JAVA_HOME isn't set properly, something in the build process might eat a slash and the jss4.dll can't be built. This happened a little ways into running (g)make: <snip> cd jss; make libs make[3]: Entering directory `/c/Users/dstutzman/mozilla-build/nss-3.12.4-with-nspr-4.8/mozilla/security/jss/org/mozilla/jss' cl -FoWINNT6.0_OPT.OBJ/CryptoManager.obj -c -O2 -W3 -nologo -D_CRT_SECURE_NO_WARNINGS -MD -we4002 -we4003 -

NSS 3.12.5 release notes

I am pleased to announce that the NSS 3.12.5 release notes are available at https://developer.mozilla.org/NSS_3.12.5_release_notes . NSS 3.12.5 requires NSS 4.8 or above. We tested NSS 3.12.5 with NSPR 4.8.2. You can find NSPR 4.8.2 release notes at http://www.mozilla.org/projects/nspr/release-notes/nspr482.html . Christophe Ravel.

Question about NSS initialization for using SHA_256 in my library

--_000_EA4A6093842E4B46B5ACA97901DCFE1A02F346FB3Apdsmsx502ccrc_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Hi, I am planning to use the HASH_HashBuf (HASH_AlgSHA256...) in my own library= for SHA256 computing. Currently I encountered an initialization issue. Cou= ld someone kindly give me some suggestions? Thanks in advance! There is code like below: inited_by_myself =3D false; if (NSS_IsInitialized()) { NSS_NoDB_Init (""); inited_by_myself =3D true; } HASH_HashBuf(); if (inited_by_myself) { NSS_Shutdown();

S/MIME with SHA-256

HI! Are Outlook and Outlook Express currently capable of verifying S/MIME signed e-mails where SHA-256 is used as hash algorithm? Ciao, Michael.

Informally announcing NSS 3.12.5

NSS version 3.12.5 has been released in source code form from the master upstream CVS repository with the CVS NSS_3_12_5_RTM. Sun made NSS 3.12.5 publicly available as a binary patch for some platforms. See http://sunsolve.sun.com/search/document.do?assetkey=1-66-273350-1 The main reason this release was made at this time was to make available immediate relief for bug 526689, the recently discovered SSL/TLS renegotiation vulnerability. See https://bugzilla.mozilla.org/show_bug.cgi?id=526689 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555 The relief consists of dis

Building ECC-enabled NSS RHEL5 src-rpm

--00151750de047fef580479d8c4fa Content-Type: text/plain; charset=ISO-8859-1 I downloaded "nss-3.12.3.99.3-1.el5_3.2.src.rpm" from redhat.com and am trying to build an ECC-enabled RHEL5 rpm with a modified spec file. I uncomment in "/usr/src/redhat/SPEC/nss.spec: NSS_ENABLE_ECC=1 export NSS_ENABLE_ECC just before "# first, build freebl and softokn shared libraries" on line 207. I noticed that it is not commented out along with "NSS_MORE_THAN_SUITE_B" after "# Allow pluggable ECC" at line line 230. cd /usr/src/redhat/SOURCES rpmbuild -bb ../SPECS/nss.spec When build

Where to compile ECC support conditionally (NSS_ENABLE_ECC) ?

Hello. Almost everywhere across NSS the ECC-specific executable code is compiled conditionally: #ifndef NSS_ENABLE_ECC /* ECC-specific executable code ... */ #endif .... but not everywhere. For example, seckey_ExtractPublicKey() @ cryptohi/seckey.c http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/cryptohi/seckey.c&rev=1.51&mark=1695-1702,1125-1138#1105 SECKEY_CopyPublicKey() @ cryptohi/seckey.c http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/cryptohi/seckey.c&rev=1.51&mark=1695-1702,1125-1138#1687 PK11_Imp

How to sign generateCRMFRequest() with PHP and/or OpenSSL?

Hello, My goal is to get user signed into my site with a client login certificate. Some sites like OpenID or cacert.org do it, so it must be possible :) First I tried to generate the client certificate at the server side (generate CSR, sign CSR, export into x509, pack keys and certificate into PKCS12, send that file to the user) and it works. However I feel this is not the right way to do it. The sites I've mentioned generate the certificate on the client's machine with that JavaScript function: generateCRMFRequest() then send the CSR to the server and the server processess it in som

Firefox Certificate window

Hello everybody, I am wondering how can I show a X509Certificate with javascript or something like that in the Firefox certificate window? Is this possible with window.crypto? Thank you in advance. Best regards, Stefan Jordanov

Building NSS for OpenCSW (Solaris)

Hello dev-tech-crypto, I'm working on a Solaris NSS package for the OpenCSW[1] project. I'm compiling it using Sun Studio 11, on standard OpenCSW buildfarm. I'm using the standard OpenCSW build system, GAR. The source code of the build file I'm writing is similar to BSD ports, and can be found in a source code repository[2] together with patches I wrote[3]. I'm currently stuck at the problem of aborting shlibsign: gmake[5]: Leaving directory `/home/maciej/src/opencsw/pkg/nss/trunk/work/build-isa-sparcv8/nss-3.12.4-with-nspr-4.8/mozilla/security/nss/cmd/shlibsign/mangle' cd Su

NSS: Certificate mangement without certdb

--00151743f7545144370478beb9ba Content-Type: text/plain; charset=ISO-8859-1 Hi, Is there a way to do certificate operations in NSS without using the cert8.db? I was looking at a post at mail-archive.com ( http://www.mail-archive.com/dev-tech-crypto@lists.mozilla.org/msg00245.html) that suggested all this would now be internal to the PKCS #11 module, removing dependence on cert8.db. Does that mean I can use the certdb library to handle certificate operations? Thanks, Kai --00151743f7545144370478beb9ba Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding:

cert extension: authority key identifier (AKI)

I would like to ask for an explanation of mozilla trust cert. store requirement for adding CA. Why correct authority key identifier (AKI) can not include both the key ID and the issuer's issuer name and serial number. We have an authority that adds to its certificates such AKI and till now I thought it is a valid X. 509 certificate according to RFC 5280. regards, Daniel

slow DB access with lots (6000+) of certs/keys

I've recently had a case where I have a DB with around 6700 certs/keys in it and a call to get the list of certs takes something like 20 minutes to complete. I'm primarily using JSS (specifically the call to CryptoToken.getCryptoStore().getCertificates()), but the same happens with certutil on the command line. I've switched from using the old DBM format to SQLite and it doesn't appear to have changed the behavior much, if at all. I'm currently using NSS 3.12.4 (BUILD_OPT=1, NSS_ENABLE_ECC=1, built on Vista 32bit using mozilla-build). Is there anything I can do to speed thi

Elliptic Curves in NSS

--00032555a89a7d8d170478096b6b Content-Type: text/plain; charset=ISO-8859-1 Hi, I'm using NSS 3.12.4 with NSPR 4.8 release on Fedora 10. I want to generate keys and certs with the basic supported ECC curves (nistp256, nistp384, nistp521) included when NSS is compiled with the "NSS_ENABLE_ECC" flag. I would greatly appreciate it if one could point out anything missing or incorrect in the provided steps below as I keep receiving this error: tar -xvf nss-3.12.4-with-nspr-4.8.tar. gz NSS_ENABLE_ECC=1; export NSS_ENABLE_ECC cd nss-3.12.4-with-nspr-4.8/mozilla/security/nss make n

Re: Certificate usage guide

This is an S/MIME signed message generated with Gmail S/MIME. --gmsm0.4.3eqg1nvhxy6okeztgdj4v2 Content-Type: text/plain; format=flowed Let's see. Difficulties: Everything. Management of expired certificates, both your own and others'. Management of revoked certificates, both your own and others'. Management of keys. Management of certificate requests. Management of multiple certificates with differing Subjects, on a browser you use for multiple purposes. Servers: I've yet to see any way to rekey or even recertify an Apache httpd process without requiring a shutdown/restart (

SSH 2.0 Keys and NSS in FIPS mode

I have an application that includes an implementation of SSH in Java. It currently uses the Sun JCE and I'm trying to make use of the SunPKCS11 provider which wraps calls to NSS (3.12.4) to take advantage of NSS's FIPS compliance. (We won't be shipping this until after 3.12.4 has completed the process.) I'm stuck at the point where the SSH key exchange creates the first session key and attempts to encrypt with it. After a couple days of digging I found the following seems to prevent me from using any key that wasn't randomly generated by NSS. in fipstokn.c: /* FIPS can't c

CRL revocation check implementation

Hi , I am writing a client which connects to a secure server. I need to verify the certificate obatined from the server for CRL Revocation. Could some one please tell which NSS api's are available. These are the steps i am following currently I extracted the CRL url from distribution points and then downloaded the CRL. After reading the downloaded CRL file , i tried CERT_CacheCRL() but it gives SEC_ERROR_BAD_DER everytime. Also PK11_ImportCRL() only imports the CRL which are binary and not the one those begin with ".....Begin CERTIFICATE" Could some one please tell me if i

SunPKCS11 and NSS 3.11.4

Initializing SunPKCS11 for utilization of NSS 3.11.4 capabilities yields the following exception: java.security.ProviderException: Could not initialize NSS at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:183) at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:90) at test.TripleDESTest.main(TripleDESTest.java:112) Caused by: java.io.IOException: The specified version of NSS is incompatible, 3.7 or later required at sun.security.pkcs11.Secmod.initialize(Secmod.java:190) at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:179) ... 2 more The version I am using i

Details of saving pkcs#11 attribs to the default {cert8,key3} database.

Hello. It looks somewhat strange how default (so-called legacydb) database allows upper layer (softoken) to manipulate key's attributes. [ http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/softoken/legacydb/lgattr.c&rev=1.9&mark=1630-1641#1601 ] ---- lg_SetPrivateKeyAttribute() @ lib/softoken/legacydb/lgattr.c ---- ......... case CKA_VALUE: case CKA_PRIVATE_EXPONENT: case CKA_PRIME_1: case CKA_PRIME_2: case CKA_EXPONENT_1: case CKA_EXPONENT_2: case CKA_COEFFICIENT: /* We aren't really changing these values, we are just tr

How to build nspr+nss on Windows with VS 2008 (VC++ 9.0)

VC++ 9.0 now requires either a manifest or Side-by-Side assembly (the vc redist package) in order for .dlls and .exes to find the VC runtime DLL. http://support.microsoft.com/default.aspx/kb/326922 I would like to build nspr and nss such that I can run tools like certutil.exe without having to have the user install the VC redist package. Is this possible with VC++ 9.0? Looking at https://developer.mozilla.org/En/Developer_Guide/Build_Instructions/Windows_Prerequisites under Common Problems, Hints and Restrictions it says If you intend to distribute your build to others, and

NSS non-blocking mode and long computations

Hi, I'm using NSS in non-blocking mode. To perform a handshake on a SSL socket, I use SSL_ForceHandshake (if it returns PR_WOULD_BLOCK_ERROR I retry when the SSL socket becomes readable). It works, but I've noticed that SSL_ForceHandshake sometimes takes a long time to return (around 100 ms). I suppose this is because of all the computations involved. As my program is single-threaded (built on a reactor), it cannot respond to anything else while in a long SSL_ForceHandshake call, which causes latency problems with other I/O my program does. Is possible to forbid SSL_ForceHandshake fro

smime mail notification

hi all, I want to listen for smime formated messages at TB. Is there any notification about it?

Error 126 : NSS_Initialize Failed While adding certificate using certutil

Hi there, Just to give you a brief about. The objective is to build latest NSS/ NSPR/c-SDK so that "certutil" command can be used to create cert8.db file to add certificate into that. I built the following modules using MozillaBuild 1.4 on Windows platform. 1.Drectory - c-sdk - mozldap-6.0.6 Link: ftp://ftp.mozilla.org/pub/mozilla.org/directory/c-sdk/releases/v6.0.6/src/mozldap-6.0.6.tar.gz 2. NSS-3.12 With NSPR-4.7 Link: ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_RTM/src/nss-3.12-with-nspr-4.7.tar.gz I was able to build complete code base (i.e. NS

Firefox PKCS#12 export of personal certs versus OpenSSL

--00504502d33528f4030476390fbf Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Hi I'm wondering if anyone could enlighten me on why the PKCS#12 exported certificate from Firefox under Ubuntu isn't identical to the certificate that I can generate from OpenSSL like this: $ openssl pkcs12 -in yourCertificate.p12 -out yourCertificate.pem $ openssl pkcs12 -export -in yourCertificate.pem -out youCertificateFixed.p12 Does the NSS implementation of ASN.1 differ from OpenSSL implementation, or why wouldn't the results be identical? The reason is

need help cross compiling nss

I'm using WindRiver Linux 2.0 to cross compile nss to a PowerPC. The 3.11.4 build instructions and troubleshooting don't cover something like this. Can someone point me to documentation that would describe how to set the compiler, flags, install location, etc...?

Making OCSP soft fail smarter

Firefox uses OCSP but, by default, any response other than a definite "is revoked" response is treated as "is not revoked". There is a user pref that allows the user to change that, so that any response other than "is not revoked" is treated as "is revoked". IMO, we need to be smarter about that. Here's a straw man: OK: 200 response with OK No response (network problems) Not OK: 200 response with revocation 400 response (OCSP responder actively denying response) 500 response (OCSP responder broken) What do people think? Putting 400 and 500 in "not OK" makes it harder to

How to "log out" of SDR?

This is probably PSM again, but I hope someone here can answer it, or point me somewhere. We have a both menuitem and a dialog that logs you out of the SDR, so that you need to reenter your Master Password to gain access to your stored certificates and other encrypted material, such as the login manager's password store. This works fine when you actually have a Master Password. However when you do not have a Master Password then it does not seem possible to log in again. Is this a case of: a) sdr.logoutAndTeardown(); is the wrong API to log out b) we're using the wrong A

Decoding DER: can I save tag-length prefixes in decoded items?

Hello. One more question about decoding DER structures. Some PKCS#11 mechanisms (namely, CKM_GOSTR3410 ) accept DER-encoded parameters, which include DER tag-length prefix. I dissect these parameters from some wrapping DER structure by SEC_QuickDERDecodeItem. Unfortunately, I could not find an option to ask decoder to put tag-length prefix together with item. To handle this, I adjust decoded SECItems after decoding: SECItem t; t.len += 2; t.data -= 2; This works for now, because parameters are OIDS which fits in a 128-byte limit. But this is unsafe. Please, adv

Which way to decode DER ASN1 CHOICE ?

Hello. I need to decode some DER-encoded ASN1 CHOICE, but I can't manage this in a reasonable way. This is how I have managed this at the moment (pseudo-code): ---( begin code )--------- struct { SECItem choice1; SECItem choice2; ... SECItem choiceN; } decodedChoice; SEC_ASN1Template choiceTemplate[] = { { SEC_ASN1_CHOICE }, { SEC_ASN1_INTEGER, offsetof( decodedChoice, choice1 ) }, { SEC_ASN1_NULL, offsetof( decodedChoice, choice2 ) }, ... { SEC_ASN1_BOOLEAN, offsetof( decodedChoice, choiceN ) },

How to display the cause of an SSL client authentication failure

Hi all, I've enabled client authentication in Sun One Web Server 6.1 and it does work fine when the client certificate is valid. I would like to present the user with a good error message instead of the generic one when his certificate is not valid. In this case, the user has currently no clue of what happened, wether his certificate has expired, is revoked, is false (bad signature), was provided by a not trusted certificate authority, and so on. This is very frustrating for non tec users as they don't know what to do. Is there a trick to display client certificate authenticatio

security/nss/lib/nss/utilwrap.c and USE_UTIL_DIRECTLY

Hello. I have a couple of related questions. 1) If I am adding a function into the "util" library, should I care about placing a wrapper in the "utilwrap.c" ? 2) Is the USE_UTIL_DIRECTLY really just an option ? It looks like it couldn't be turned off, because "softokn" is using *_Util. Turning USE_UTIL_DIRECTLY off will cause dependency of "softokn" from "nss" lib. I have read bug 286642 discussion, but it doesn't make things clearer. Best regards, -- Konstantin Andreev, software engineer. Swemel JSC