ECDSA certs?

Greetings. I'm running NSS 3.11.4 and would like to write / read ECDSA certificates. Does the current version support ECDSA? I have no problem creating, for example, DSA cert requests, but trying to use "-k ecdsa" fails with:

certutil -k: ecdsa is not a recognized type.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@...
https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: ECDSA certs?

At 9:41 AM -0800 1/8/07, Nelson B wrote:
>Paul Hoffman wrote:
>> Greetings. I'm running NSS 3.11.4 and would like to write / read ECDSA
>> certificates. Does the current version support ECDSA? I have no
>> problem creating, for example, DSA cert requests, but trying to use
>> "-k ecdsa" fails with:
>> certutil -k: ecdsa is not a recognized type.
>
>Try: -k ec

Nope:

# certutil -R -s "CN=ECDSA" -o ecdsareq.req -k ec
certutil -k: ec is not a recognized type.

Other thoughts?
Re: ECDSA certs?

At 12:47 PM -0800 1/8/07, Nelson B wrote:
>ECC is an optional feature of NSS. NSS can be built with or without ECC.
>You must have a build that was built without ECC. Did you build it yourself?

No, I was using the pre-built FreeBSD port. I'm now trying to coax that port into building from source, much less using ECC. Thanks for the pointer.
Re: ECDSA certs?

At 12:47 PM -0800 1/8/07, Nelson B wrote:
>Paul Hoffman wrote:
>> At 9:41 AM -0800 1/8/07, Nelson B wrote:
>>> Paul Hoffman wrote:
>>>> Greetings. I'm running NSS 3.11.4 and would like to write / read ECDSA
>>>> certificates. Does the current version support ECDSA? I have no
>>>> problem creating, for example, DSA cert requests, but trying to use
>>>> "-k ecdsa" fails with:
>>>> certutil -k: ecdsa is not a recognized type.
>>> Try: -k ec
>>
>> Nope:
>>
>> # certutil -R -s "CN=ECDSA" -o ecdsareq.req -k ec
>> certutil -k: ec is not a recognized type.
>>
>> Other thoughts?
>
>ECC is an optional feature of NSS. NSS can be built with or without ECC.

Could you explain how? I have now built the FreeBSD port, which is pulled directly from ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_11_4_RTM/src/, and I still get the same error. There is nothing in the FreeBSD port Makefile that looks like it turns off ECC, and I see nothing in the tarball's Makefile that says anything about turning off or on ECC.

Any help would be appreciated.
Re: ECDSA certs?

At 3:50 PM -0800 1/10/07, Nelson Bolyard wrote:
>Paul Hoffman wrote:
>Numerous optional features of NSS builds are controlled through make
>variables. Make variables may be set on the gmake command line, e.g.
> gmake variable=value variable=value target1 target2
>or defined in the environment, e.g. (for posix shells)
> variable=value; export variable
> gmake target1 target2
>
>Here are some (not all) of the make variables that affect NSS builds:
>
>BUILD_OPT If set to 1, means do optimized non-DEBUG build.
> Default is DEBUG, non-optimized build
>
>USE_DEBUG_RTL If set to 1, on windows, causes build with debug version
> of the c runtime.
>
>NS_USE_GCC On platforms where gcc is not the native compiler, tells
> NSS to build with gcc instead of the native compiler.
> Default is to build with the native compiler.
>
>USE_64 On platforms that support both 32-bit and 64-bit ABIs,
> tells NSS to build for the 64-bit ABI. Default is 32-bit ABI,
> except on platforms that do not support a 32-bit ABI.
>
>MOZ_DEBUG_SYMBOLS tells NSS to build with debug symbols, even in an
> optimized build. On windows, in both DEBUG and optimized
> builds, when using MSVC, tells NSS to put symbols in a
> .pdb file. Required to build with MSVC 8 (2005 Express).
> Default is not to put debug symbols into optimized builds,
> and for MSVC, is to put symbols into the .exe or .dll file.
>
>NSS_ENABLE_ECC If set to 1, includes optional ECC features in NSS
>
>These variables should be either undefined, or set to "1".
>Results are undefined for variables set to "0".

Is there a list of these somewhere? I couldn't find any documentation on this with grep. I am particularly interested in what NSS_ECC_MORE_THAN_SUITE_B does, and in any other switches needed for doing Suite B.

--Paul Hoffman
Re: ECDSA certs?

Closer, but still not there. After building with NSS_ENABLE_ECC=1, I tried again.

# certutil -R -s "CN=ECDSA" -o ecdsareq.req -k ec

A random seed must be generated that will be used in the
creation of your key. One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!

Continue typing until the progress meter is full:

|************************************************************|

Finished. Press enter to continue:

Unrecognized elliptic curve (null)
certutil: unable to generate key(s)
: error 0
#

Do I need to build with another make variable, or do I need to call certutil with an additional argument?

--Paul Hoffman
Re: ECDSA certs?

Nelson B wrote:
> You need to specify the curve with "-q curvename"
> See output of certutil -H for a list of curve names.
> Unfortunately, that list is wrong. It includes many curve names that
> are not implemented presently. There are only 3 available right now.
> They're the same ones used by Microsoft.
> I don't have the right 3 names handy. trial and error will find them.

I gleaned this from a presentation by a Microsoft employee at the Certicom ECC Conference:

ECC Details in Vista
• Using implementation from MS Research
• NIST ECC prime curves support
– P-256, P-384, P-521
• ECDSA: Signature
• ECDH: Secret agreement
• Not Supported (out of the box)
– Point compression
– Binary curves
– ECMQV
– Koblitz curves
– Custom curves

So the answer to the curves question is the 3 NIST primes 256, 384 and 512 (I think he made a typo saying 521).

Dave
Re: ECDSA certs?

At 9:20 AM -0800 1/11/07, Nelson B wrote:
>Paul Hoffman wrote:
>
>> Is there a list of these somewhere?
>
>Not to my knowledge. That's why I wrote that list in previous email.

Ah. Thanks for that then!

>> I am particularly interested in what NSS_ECC_MORE_THAN_SUITE_B does,
>
>It is incomplete. Doesn't work in its present state. That's why I didn't
>mention it.

Understood.

>You need to specify the curve with "-q curvename"
>See output of certutil -H for a list of curve names.
>Unfortunately, that list is wrong. It includes many curve names that
>are not implemented presently. There are only 3 available right now.
>They're the same ones used by Microsoft.
>I don't have the right 3 names handy. trial and error will find them.

Actually, it didn't. I wrote a Perl script to try them all, and every instance reported:

: An I/O error occurred during security authorization.

More clues?

--Paul Hoffman
Re: ECDSA certs?

David Stutzman wrote:
>
> I gleaned this from a presentation by a Microsoft employee at the
> Certicom ECC Conference:
>
> ECC Details in Vista
> • Using implementation from MS Research
> • NIST ECC prime curves support
> – P-256, P-384, P-521
> • ECDSA: Signature
> • ECDH: Secret agreement
> • Not Supported (out of the box)
> – Point compression
> – Binary curves
> – ECMQV
> – Koblitz curves
> – Custom curves
>
> So the answer to the curves question is the 3 NIST primes 256,384 and
> 512 (I think he made a typo saying 521).

Thank you, David.

521 is not a typo. The curve is P-521.

Wan-Teh
Re: ECDSA certs?

At 6:33 AM -0500 1/12/07, David Stutzman wrote:
>Paul Hoffman wrote:
>>: An I/O error occurred during security authorization.
>>
>>More clues?
>
>I got that error trying to do a keygen myself when the security
>database didn't have a master password set.
>
>reference:
>http://groups-beta.google.com/group/mozilla.dev.tech.crypto/browse_frm/thread/f8870108996c4b9e/49c7587b29872093
>
>You can change the password using modutil if you think this might be
>your problem.

Well, it seems to be part of the problem; the error message seems to be another part. When I did that, I got different results for the following than for the rest:

nistp256
nistp384
nistp521
secp256r1
secp384r1
secp521r1

In those, I get "certutil: signing of data failed: security library: invalid algorithm.". For the rest, I get ": An I/O error occurred during security authorization." I take that to mean that the six listed above are the "real" algorithms and the others are not. However, I still can't get a signature. More clues would be helpful.

And, yes, I am volunteering to write all this up for the web page and so on after I am successful.

--Paul Hoffman
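The curve probe Paul describes (try every name, sort by outcome), as an added example that is not part of the thread, covering both the "-q curvename" step from Nelson's reply and the master-password requirement David points out. It assumes an NSS certutil built with NSS_ENABLE_ECC=1 on PATH, and the file is saved as probe_curves.sh; the curve list is constructed here from the six names in the message above plus one binary curve as a control.

```shell
#!/bin/sh
# Added example (not from the thread): probe which curve names certutil
# actually accepts for "-k ec -q <curve>". Assumes NSS certutil built with
# NSS_ENABLE_ECC=1 is on PATH. Constructed list: the six names reported
# above plus sect163k1 as a control that is expected to fail.
set -eu

CURVES="nistp256 nistp384 nistp521 secp256r1 secp384r1 secp521r1 sect163k1"

# Create a throwaway cert DB that has a master password set; without one,
# key generation fails with "An I/O error occurred during security
# authorization". The password file doubles as the -z noise file so the
# keyboard-seed prompt is skipped.
new_db() {
    dir=$1
    mkdir -p "$dir"
    printf 'ecc-test-password\n' > "$dir/pw.txt"
    certutil -N -d "$dir" -f "$dir/pw.txt" >/dev/null 2>&1
}

# Try one curve; print "ok <curve>" or "fail <curve>: <last error line>".
probe_curve() {
    dir=$1
    curve=$2
    if err=$(certutil -R -d "$dir" -f "$dir/pw.txt" -z "$dir/pw.txt" \
            -s "CN=ECDSA test" -o "$dir/$curve.req" -k ec -q "$curve" 2>&1)
    then
        echo "ok $curve"
    else
        echo "fail $curve: $(printf '%s\n' "$err" | tail -n 1)"
    fi
}

# Probe every name in CURVES against the DB in $1, one result line each.
probe_all() {
    dir=$1
    for c in $CURVES; do
        probe_curve "$dir" "$c"
    done
}

main() {
    dir=$(mktemp -d)
    new_db "$dir"
    probe_all "$dir"
    rm -rf "$dir"
}

# Only run the probe when invoked directly as probe_curves.sh.
case "${0##*/}" in
    probe_curves.sh) main ;;
esac
```

Curves that print "ok" produced a request file; a "fail" line carries certutil's last error line so the two failure messages from the thread can be told apart.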
Re: ECDSA certs?

At 10:51 AM -0800 1/12/07, Nelson B wrote:
>Some of those names are synonyms.

Yup, understood.

>OTOH, this creates the impression that we support twice as many curves as
>we really do. It caused our QA department to do twice as much testing as
>needed. So, I invite input on the desirability / wisdom of listing each
>curve by all of its names.

I'm neutral on this. It could be better to list things as "nistp256 (synonym: secp256r1)"

>> In those, I get "certutil: signing of data failed: security library:
>> invalid algorithm.". For the rest, I get ": An I/O error occurred
>> during security authorization."
>
>Sounds like something isn't right. Those 3 curves definitely work in
>SSL/TLS.

OK, how do I figure out what "isn't right"? If there is a debugging mode I can turn on during the build, that's fine.

--Paul Hoffman