66 results for "pkcs11":
NSS PKCS11 Functions
this is only applicable if the loaded module is actually a moduledb rather than a pkcs #11 module (see pkcs11_module_specs).
...more information about module spec is available at pkcs11_module_specs.
... for more info on module strings see pkcs11_module_specs.
...And 3 more matches
Window.pkcs11 - Web APIs
summary returns the pkcs11 object, which is used to install drivers and other software associated with the pkcs11 protocol.
... if pkcs11 isn't supported, this property returns null.
...for more information on installing pkcs11 modules, see installing pkcs11 modules.
... syntax objref = window.pkcs11 example window.pkcs11.addmodule(smod, secpath, 0, 0); notes see nsidompkcs11 for more information about how to manipulate pkcs11 objects.
PKCS11 module installation
extensions can programmatically manage pkcs #11 modules using the nsipkcs11 programming interface.
...older versions of firefox may support the window.pkcs11 property for installing pkcs #11 modules.
... provisioning pkcs #11 modules using the pkcs11 api starting with firefox 58, extensions can use the pkcs11 browser extension api to enumerate pkcs #11 modules and make them accessible to the browser as sources of keys and certificates.
PKCS11 FAQ
pkcs11 faq questions and answers general questions after plugging in an external pkcs #11 module, how do you use the certificate available on the token?
...nss uses installed random number generators if pkcs11_mech_random_flag is set in the installer script.
PKCS11
pkcs #11 information for implementors of cryptographic modules: implementing pkcs11 for nss pkcs11 faq using the jar installation manager to install a pkcs #11 cryptographic module pkcs #11 conformance testing ...
Index
the file could be named secmod.db, but in newer database generations a file named pkcs11.txt is used.
... 168 nss pkcs11 functions nss this chapter describes the core pkcs #11 functions that an application needs for communicating with cryptographic modules.
... 170 enc dec mac output public key as csr generates encryption/mac keys and outputs public key as certificate signing request 171 enc dec mac using key wrap certreq pkcs10 csr generates encryption/mac keys and outputs public key as pkcs11 certificate signing request 172 encdecmac using token object - sample 3 encdecmac, html, ncc, ncc article, web, web development no summary!
...And 19 more matches
sslfnc.html
ssl configuration callback configuration ssl configuration ssl_importfd ssl_optionset ssl_optionget ssl_cipherprefset ssl_cipherprefget ssl_configsecureserver ssl_seturl ssl_setpkcs11pinarg ssl_importfd imports an existing nspr file descriptor into ssl and returns a new ssl socket.
... ssl_setpkcs11pinarg sets the argument passed to the password callback function specified by a call to pk11_setpasswordfunc.
... syntax #include "ssl.h" int ssl_setpkcs11pinarg(prfiledesc *fd, void *a); parameters this function has the following parameters: fd a pointer to the file descriptor for the ssl socket.
...And 7 more matches
JavaScript crypto - Archive of obsolete content
if you choose to implement these flags, your module must supply the following additional functions for each flag: pkcs11_mech_flag: must support ckm_rsa_pkcs and ckm_rsa_x_509 and the following functions: c_wrapkey, c_encrypt, c_sign, c_decrypt, c_unwrapkey, c_verifyrecover, c_verify, c_generatekeypair (2048, 1024, 512) size pkcs11_mech_dsa_flag: must support ckm_dsa and the following functions: c_sign, c_verify, c_generatekeypair pkcs11_mech_rc2_flag: must support ckm_rc2_cbc and ckm_rc2_ecb and the following fu...
...nctions: c_generatekey, c_encrypt, c_decrypt, c_wrapkey, c_unwrapkey pkcs11_mech_rc4_flag: must support ckm_rc4_cbc and ckm_rc4_ecb and the following functions: c_generatekey, c_encrypt, c_decrypt, c_wrapkey, c_unwrapkey pkcs11_mech_des_flag: must support ckm_cpmf_cbc, ckm_des_cbc, ckm_des3_cbc, ckm_cpmf_ecb, ckm_des_ecb, ckm_des3_ecb and the following functions: c_generatekey, c_encrypt, c_decrypt, c_wrapkey, c_unwrapkey pkcs11_mech_dh_flag: must support ckm_dh_pkcs_derive and ckm_dh_key_pair_gen and the following functions: c_derivekey, c_generatekeypair pkcs11_mech_md5_flag: hashing must be able to function without authentication.
... pkcs11_mech_sha1_flag: hashing must be able to function without authentication.
...And 5 more matches
NSS_Initialize
this is necessary if another piece of code is using the same pkcs#11 modules that nss is accessing without going through nss, for example, the java sunpkcs11 provider.
...this is necessary if another piece of code is using the same pkcs#11 modules that nss is accessing without going through nss, for example, java sunpkcs11 provider.
...this may be necessary in order to ensure continuous operation and proper shutdown sequence if another piece of code is using the same pkcs#11 modules that nss is accessing without going through nss, for example, java sunpkcs11 provider.
...And 2 more matches
nss tech note2
to enable the module logger, you must set the environment variable nss_debug_pkcs11_module to the name of the target module.
... for example, to log the softoken, use: nss_debug_pkcs11_module="nss internal pkcs #11 module" note: in the command prompt on windows, do not quote the name of the target module, otherwise the quotes are considered part of the name.
... for example, to log the softoken on windows, use: set nss_debug_pkcs11_module=nss internal pkcs #11 module the logger is available by default in debug builds.
... for optimized builds, nss must be built with the variable debug_pkcs11 set.
nss tech note5
you can find a list of cipher mechanisms in security/nss/lib/softoken/pkcs11.c - grep for ckf_en_de_.
...you can find a list of digest mechanisms in security/nss/lib/softoken/pkcs11.c - grep for ckf_digest.
...you can find a list of hmac mechanisms in security/nss/lib/softoken/pkcs11.c - grep for ckf_sn_vr, and choose the mechanisms that contain hmac in the name ck_mechanism_type hmacmech = ckm_md5_hmac; (for example) choose a slot on which to do the operation pk11slotinfo* slot = pk11_getbestslot(hmacmech, null); or pk11slotinfo* slot = pk11_getinternalkeyslot(); /* always returns int slot, may not be optimal */ prepare the key if u...
...you can find a list of key generation mechanisms in security/nss/lib/softoken/pkcs11.c - grep for ckf_generate.
NSS tools : modutil
modutil supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new sqlite databases (cert9.db, key4.db, and pkcs11.txt).
... o the metainfo tag for this is pkcs11_install_script.
...if so, the metainfo file for signtool includes a line such as this: + pkcs11_install_script: pk11install the script must define the platform and version number, the module name and file, and any optional information like supported ciphers and mechanisms.
...these new databases provide more accessibility and performance: o cert9.db for certificates o key4.db for keys o pkcs11.txt, which is listing of all of the pkcs #11 modules contained in a new subdirectory in the security databases directory because the sqlite databases are designed to be shared, these are the shared database type.
sslerr.html
t function failed." ssl_error_mac_computation_failure -12213 "message authentication code computation failed." ssl_error_sym_key_context_failure -12212 "failure to create symmetric key context." ssl_error_sym_key_unwrap_failure -12211 "failure to unwrap the symmetric key in client key exchange message." ssl_error_iv_param_failure -12209 "pkcs11 code failed to translate an iv into a param." ssl_error_init_cipher_suite_failure -12208 "failed to initialize the selected cipher suite." ssl_error_session_key_gen_failure -12207 "failed to generate session keys for ssl session." on a client socket, indicates a failure of the pkcs11 key generation function.
...wn version number." sec_error_crl_v1_critical_extension -8044 "issuer's v1 certificate revocation list has a critical extension." sec_error_crl_unknown_critical_extension -8043 "issuer's v2 certificate revocation list has an unknown critical extension." sec_error_unknown_object_type -8042 "unknown object type specified." sec_error_incompatible_pkcs11 -8041 "pkcs #11 driver violates the spec in an incompatible way." sec_error_no_event -8040 "no new slot event is available at this time." sec_error_crl_already_exists -8039 "crl already exists." sec_error_not_initialized -8038 "nss is not initialized." sec_error_token_not_logged_in -8037 "the operation failed because the pkcs#11 to...
...p_response -8029 "server returned a bad ldap response." sec_error_failed_to_encode_data -8028 "failed to encode data with asn.1 encoder." sec_error_bad_info_access_location -8027 "bad information access location in certificate extension." sec_error_libpkix_internal -8026 "libpkix internal error occurred during cert validation." sec_error_pkcs11_general_error -8025 "a pkcs #11 module returned ckr_general_error, indicating that an unrecoverable error has occurred." sec_error_pkcs11_function_failed -8024 "a pkcs #11 module returned ckr_function_failed, indicating that the requested function could not be performed.
... trying the same operation again might succeed." sec_error_pkcs11_device_error -8023 "a pkcs #11 module returned ckr_device_error, indicating that a problem has occurred with the token or slot." sec_error_bad_info_access_method -8022 "unknown information access method in certificate extension." sec_error_crl_import_failed -8021 "error attempting to import a crl." sec_error_unknown_pkcs11_error -8018 "unknown pkcs #11 error." (unknown error value mapping) ...
JSS
java provides a jce provider called sunpkcs11 (see java pkcs#11 reference guide.) sunpkcs11 can be configured to use the nss module as the cryptographic provider.
... if you are planning to just use jss jce provider as a bridge to nss's fips validated pkcs#11 module, then the sunpkcs11 jce provider may do all that you need.
...a current limitation to the configured sunpkcs11-nss bridge configuration is if you add a pkcs#11 module to the nss database such as for a smartcard, you won't be able to access that smartcard through the sunpkcs11-nss bridge.
NSS_3.12.2_release_notes.html
new in nss 3.12.2 new functions in the nss shared library: sec_pkcs12addcertorchainandkey (see p12.h) new pkcs11 errors (see secerr.h) sec_error_pkcs11_general_error sec_error_pkcs11_function_failed sec_error_pkcs11_device_error bugs fixed the following bugs have been fixed in nss 3.12.2.
... bug 200704: pkcs11: invalid session handle 0 bug 205434: fully implement new libpkix cert verification api from bug 294531 bug 302670: use the installed libz.so where available bug 305693: shlibsign generates pqg for every run bug 311483: exposing includecertchain as a parameter to sec_pkcs12addcertandkey bug 390527: get rid of pkixerrormsg variable in pkix_error bug 391560: libpkix does not consistently return pkix_validatenode tree that truly represent failure reasons bug 408260: certutil usage doesn't give enough information about trust arguments bug 412311: replace pr_interval_no_wait with pr_interval_no_timeout in client initialization calls bug 423839: add multiple pkcs#11 token password command line option to nss tools.
... bug 456854: cert_decodecertpackage does not set nspr error code upon error bug 457980: hundreds of kilobytes of useless strings in libpkix bug 457984: enable pkcs11 module logging in optimized builds bug 458905: memory leaks in pkix bridge certificates.
NSS_3.12_release_notes.html
in pkcs11n.h, all the _netscape_ macros are renamed with _nss_ for example, cko_netscape_crl becomes cko_nss_crl.
... new for pkcs #11 (see pkcs11t.h for details): ckk: keys ckk_camellia ckm: mechanisms ckm_sha224_rsa_pkcs ckm_sha224_rsa_pkcs_pss ckm_sha224 ckm_sha224_hmac ckm_sha224_hmac_general ckm_sha224_key_derivation ckm_camellia_key_gen ckm_camellia_ecb ckm_camellia_cbc ckm_camellia_mac ckm_camellia_mac_general ckm_camellia_cbc_pad ckm_camellia_ecb_encrypt_data ckm_camellia_cbc_encrypt_data ckg: mfgs ckg_mgf1_sha224 new error codes (see secerr.h): sec_error_not_initialized sec_error_token_not_logged_in sec_error_ocsp_responder_cert_invalid sec_error_ocsp_bad_signature sec_error_out_of_search_limits sec_error_invalid_policy_mapping sec_error_policy_validation_failed sec_error_unknown_aia_location_type sec_error_bad_http_response sec_error_bad_ldap_response sec_error_failed_to_encode_data sec_e...
... 353742: klocwork null ptr dereference in ocsp_decoderesponsebytes bug 353748: klocwork null ptr dereferences in pki3hack.c bug 353760: klocwork null pointer dereference in p7decode.c bug 353763: klocwork null ptr dereferences in pk11cert.c bug 353773: klocwork null ptr dereferences in pk11nobj.c bug 353777: klocwork null ptr dereferences in pk11obj.c bug 353780: klocwork null ptr dereferences in pkcs11.c bug 353865: klocwork null ptr deref in softoken/pk11db.c bug 353888: klockwork ids for ssl3con.c bug 353895: klocwork null ptr derefs in pki/pkibase.c bug 353902: klocwork bugs in stanpcertdb.c bug 353903: klocwork oom crash in softoken/keydb.c bug 353908: klocwork oom crash in tdcache.c bug 353909: klocwork ptr dereference before null check in devutil.c bug 353912: misc klocwork bugs in lib/ck...
NSS 3.52 release notes
alternatively, defining nss_pkcs11_2_0_compat will yield the old definition.
... bug 1629105 - add pkcs11 v3.0 functions to module debug logger.
... bug 1612281 - maintain pkcs11 c_getattributevalue semantics on attributes that lack nss database columns.
NSS API Guidelines
pkcs #11 lib/fortcrypt cryptint.h, fmutex.h, fortsock.h, fpkcs11.h, fpkcs11f.h, fpkcs11t.h, fpkmem.h, fpkstrs.h, genci.h, maci.h freebl provides the api to actual cryptographic operations.
...the pkcs11wrap library provides functions for selecting/finding pkcs #11 modules and slots.
... pkcs #11: implementation lib/softoken keydbt.h, keylow.h, keytboth.h, keytlow.h, secpkcs5.h, pkcs11.h, pkcs11f.h, pkcs11p.h, pkcs11t.h, pkcs11u.h ssl provides an implementation of the ssl protocol using nss and nspr.
NSS tools : certutil
certutil supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new sqlite databases (cert9.db, key4.db, and pkcs11.txt).
... creating new security databases certificates, keys, and security modules related to managing certificates are stored in three related databases: * cert8.db or cert9.db * key3.db or key4.db * secmod.db or pkcs11.txt these databases must be created before certificates or keys can be generated.
...these new databases provide more accessibility and performance: * cert9.db for certificates * key4.db for keys * pkcs11.txt, which is listing of all of the pkcs #11 modules contained in a new subdirectory in the security databases directory because the sqlite databases are designed to be shared, these are the shared database type.
NSS tools : pk12util
pk12util supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new sqlite databases (cert9.db, key4.db, and pkcs11.txt).
... return codes o 0 - no error o 1 - user cancelled o 2 - usage error o 6 - nls init error o 8 - certificate db open error o 9 - key db open error o 10 - file initialization error o 11 - unicode conversion error o 12 - temporary file creation error o 13 - pkcs11 get slot error o 14 - pkcs12 decoder start error o 15 - error read from import file o 16 - pkcs12 decode error o 17 - pkcs12 decoder verify error o 18 - pkcs12 decoder validate bags error o 19 - pkcs12 decoder import bags error o 20 - key db conversion version 3 to version 2 error o 21 - cert db conversion version 7 to version 5 error o 22 - cert and key dbs patch error o 23 - get defau...
...these new databases provide more accessibility and performance: o cert9.db for certificates o key4.db for keys o pkcs11.txt, which is listing of all of the pkcs #11 modules contained in a new subdirectory in the security databases directory because the sqlite databases are designed to be shared, these are the shared database type.
pkfnc.html
this pointer is set with ssl_setpkcs11pinarg during ssl configuration.
...when nss libraries call the password callback function, the value they pass in the third parameter is determined by ssl_setpkcs11pinarg.
certutil
certutil supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new sqlite databases (cert9.db, key4.db, and pkcs11.txt).
... creating new security databases certificates, keys, and security modules related to managing certificates are stored in three related databases: o cert8.db or cert9.db o key3.db or key4.db o secmod.db or pkcs11.txt these databases must be created before certificates or keys can be generated.
...these new databases provide more accessibility and performance: o cert9.db for certificates o key4.db for keys o pkcs11.txt, which is listing of all of the pkcs #11 modules contained in a new subdirectory in the security databases directory because the sqlite databases are designed to be shared, these are the shared database type.
NSS tools : signtool
using the -m option to list smart cards you can use the -m option to list the pkcs #11 modules, including smart cards, that are available to signtool: signtool -d "c:\netscape\users\jsmith" -m using certificate directory: c:\netscape\users\username listing of pkcs11 modules ----------------------------------------------- 1.
... signtool -d "c:\netscape\users\jsmith" -m using certificate directory: c:\netscape\users\jsmith listing of pkcs11 modules ----------------------------------------------- 1.
... key and certificate services token: communicator certificate db ----------------------------------------------- this unix example shows that netscape signing tool is using a fips-140-1 module: signtool -d "c:\netscape\users\jsmith" -m using certificate directory: c:\netscape\users\jsmith enter password or pin for "communicator certificate db": [password will not echo] listing of pkcs11 modules ----------------------------------------------- 1.
JSS FAQ
is it possible to use jss to access cipher functionality from pkcs11 modules?
... cryptomanager.importcertpackage() is it possible to use jss to access cipher functionality from pkcs11 modules?
NSS 3.12.5 release_notes
these are equivalent to the parameters for pk11_configurepkcs11().
... pk11_configurepkcs11 (see nss.h) the name of some parameters have been slightly changed ("des" became "desc").
NSS 3.21 release notes
new types in pkcs11t.h ck_tls12_master_key_derive_params{_ptr} - parameters {or pointer} for ckm_tls12_master_key_derive ck_tls12_key_mat_params{_ptr} - parameters {or pointer} for ckm_tls12_key_and_mac_derive ck_tls_kdf_params{_ptr} - parameters {or pointer} for ckm_tls_kdf ck_tls_mac_params{_ptr} - parameters {or pointer} for ckm_tls_mac in sslt.h sslhashtype - identifies a hash functio...
...n state prior to handshake completion new macros in nss.h nss_rsa_min_key_size - used with nss_optionset and nss_optionget to set or get the minimum rsa key size nss_dh_min_key_size - used with nss_optionset and nss_optionget to set or get the minimum dh key size nss_dsa_min_key_size - used with nss_optionset and nss_optionget to set or get the minimum dsa key size in pkcs11t.h ckm_tls12_master_key_derive - derives tls 1.2 master secret ckm_tls12_key_and_mac_derive - derives tls 1.2 traffic key and iv ckm_tls12_master_key_derive_dh - derives tls 1.2 master secret for dh (and ecdh) cipher suites ckm_tls12_key_safe_derive and ckm_tls_kdf are identifiers for additional pkcs#12 mechanisms for tls 1.2 that are currently unused in nss.
NSS 3.22 release notes
enforce an external policy on nss from a config file (bug 1009429) you can now add a config= line to pkcs11.txt (assuming you are using sql databases), which will force nss to restrict the application to certain cryptographic algorithms and protocols.
... new macros in nss.h nss_rsa_min_key_size nss_dh_min_key_size nss_dsa_min_key_size nss_tls_version_min_policy nss_tls_version_max_policy nss_dtls_version_min_policy nss_dtls_version_max_policy in pkcs11t.h ckp_pkcs5_pbkd2_hmac_gostr3411 - prf based on hmac with gostr3411 for pbkdf (not supported) ckp_pkcs5_pbkd2_hmac_sha224 - prf based on hmac with sha-224 for pbkdf ckp_pkcs5_pbkd2_hmac_sha256 - prf based on hmac with sha-256 for pbkdf ckp_pkcs5_pbkd2_hmac_sha384 - prf based on hmac with sha-256 for pbkdf ckp_pkcs5_pbkd2_hmac_sha512 - prf based on hmac with sha-256 for pbkdf ...
NSS 3.31 release notes
in pkcs11uri.h pk11uri_createuri - create a new pk11uri object from a set of attributes.
... new macros in pkcs11uri.h several new macros that start with pk11uri_pattr_ for path attributes defined in rfc7512.
NSS Sample Code sample2
indicate the key was unwrapped - which is what should be done * normally anyway - using raw keys isn't a good idea */ symkey = pk11_importsymkey(slot, ciphermech, pk11_originunwrap, cka_encrypt, &keyitem, null); if (symkey == null) { fprintf(stderr, "failure to import key into nss (err %d)\n", pr_geterror()); goto out; } /* set up the pkcs11 encryption parameters.
... * when not using cbc mode, ivitem.data and ivitem.len can be 0, or you * can simply pass null for the iv parameter in pk11_paramfromiv func */ ivitem.type = sibuffer; ivitem.data = giv; ivitem.len = sizeof(giv); secparam = pk11_paramfromiv(ciphermech, &ivitem); if (secparam == null) { fprintf(stderr, "failure to set up pkcs11 param (err %d)\n", pr_geterror()); goto out; } /* sample data we'll encrypt and decrypt */ strcpy(data, "encrypt me!"); fprintf(stderr, "clear data: %s\n", data); /* ========================= start section ============================= */ /* if using the same key and iv over and over, stuff before this */ /* section and after this section needs to be done only once */ /* encrypt data into buf1.
PKCS #11 Module Specs
this data is currently stored in secmod.db or pkcs11.txt.
... sample file: library= name="netscape internal crypto module" parameters="configdir=/u/relyea/.netscape certprefix= secmod=secmod.db" nss="flags=internal,pkcs11module trustorder=1 cipherorder=-1 ciphers= slotparams={0x1=[slotflags='rsa,dsa,dh,rc4,rc2,des,md2,md5,sha1,ssl,tls,publiccerts,random'] 0x2=[slotflags='rsa' askpw=only]}" library=dkck32.dll name="datakey signasure 3600" nss="trustorder=50 ciphers= " library=swft32.dll name="netscape software fortezza" parameters="keyfile=/u/relyea/keyfile" nss="trustorder=50 ciphers=fortezza slotparams=0x1=[slotf...
NSS environment variables
3.12.3 nss_debug_pkcs11_module string (module name) name the pkcs#11 module to be traced.
... before 3.0 nss_no_pkcs11_bypass string (1 to enable) disables at compile-time the ns ssl code to bypass the pkcs11 layer.
NSS functions
ssl_restarthandshakeaftercertreq mxr 3.2 and later ssl_restarthandshakeafterservercert mxr 3.2 and later ssl_revealcert mxr 3.2 and later ssl_revealpinarg mxr 3.2 and later ssl_revealurl mxr 3.2 and later ssl_securitystatus mxr 3.2 and later ssl_setmaxservercachelocks mxr 3.4 and later ssl_setpkcs11pinarg mxr 3.2 and later ssl_setsockpeerid mxr 3.2 and later ssl_seturl mxr 3.2 and later ssl_shutdownserversessionidcache mxr 3.7.4 and later deprecated ssl functions the following ssl functions have been replaced with newer versions.
... pk11_authenticate mxr 3.2 and later pk11_blockdata mxr 3.2 and later pk11_changepw mxr 3.2 and later pk11_checkuserpassword mxr 3.2 and later pk11_cipherop mxr 3.2 and later pk11_clonecontext mxr 3.2 and later pk11_configurepkcs11 mxr 3.2 and later pk11_convertsessionprivkeytotokenprivkey mxr 3.6 and later pk11_convertsessionsymkeytotokensymkey mxr 3.6 and later pk11_copytokenprivkeytosessionprivkey mxr 3.11 and later pk11_createcontextbysymkey mxr 3.2 and later pk11_createdigestcontex...
sslcrt.html
some of the pk11 functions require a pin argument (see ssl_setpkcs11pinarg for details), which must be specified in the wincx parameter.
NSS Tools
many tools implement private versions of pkcs11init(), opencertdb(), etc.
... source, documentation, dbck 1.0 analyze and repair certificate databases (not working in nss 3.2) source, tasks/plans modutil 1.1 manage the database of pkcs11 modules (secmod.db).
NSS Tools modutil
the metainfo tag for this is pkcs11_install_script.
...if so, the metainfo file for the netscape signing tool would include a line such as this: + pkcs11_install_script: pk11install the sample script file could contain the following: forwardcompatible { irix:6.2:mips sunos:5.5.1:sparc }platforms { winnt::x86 { modulename { "fortezza module" } modulefile { win32/fort32.dll } defaultmechanismflags{0x0001} defaultcipherflags{0x0001} files { win32/setup.exe { executable relativepath { %temp%/setup.exe } } win32/setup.hlp { relativepath { %temp%/setup.hlp } ...
NSS tools : signver
signver supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new sqlite databases (cert9.db, key4.db, and pkcs11.txt).
...these new databases provide more accessibility and performance: o cert9.db for certificates o key4.db for keys o pkcs11.txt, which is listing of all of the pkcs #11 modules contained in a new subdirectory in the security databases directory because the sqlite databases are designed to be shared, these are the shared database type.
Index - Web APIs
4980 window.pkcs11 api, html dom, needsexample, needsmarkupwork, needsspectable, obsolete, property, reference, window returns the pkcs11 object, which is used to install drivers and other software associated with the pkcs11 protocol.
... if pkcs11 isn't supported, this property returns null.
2006-10-06 - Archive of obsolete content
problem looping c_opensession problem in thunderbird christian bongiorno has run into a problem developing a pkcs11 module for a new card.
An overview of NSS Internals
the file could be named secmod.db, but in newer database generations a file named pkcs11.txt is used.
Cryptography functions
pk11_authenticate mxr 3.2 and later pk11_blockdata mxr 3.2 and later pk11_changepw mxr 3.2 and later pk11_checkuserpassword mxr 3.2 and later pk11_cipherop mxr 3.2 and later pk11_clonecontext mxr 3.2 and later pk11_configurepkcs11 mxr 3.2 and later pk11_convertsessionprivkeytotokenprivkey mxr 3.6 and later pk11_convertsessionsymkeytotokensymkey mxr 3.6 and later pk11_copytokenprivkeytosessionprivkey mxr 3.11 and later pk11_createcontextbysymkey mxr 3.2 and later pk11_createdigestcontex...
4.3 Release Notes
release date: 01 april 2009 introduction network security services for java (jss) 4.3 is a minor release with the following new features: sqlite-based shareable certificate and key databases libpkix: an rfc 3280 compliant certificate path validation library pkcs11 needslogin method support hmacsha256, hmacsha384, and hmacsha512 support for all nss 3.12 initialization options jss 4.3 is tri-licensed under mpl 1.1/gpl 2.0/lgpl 2.1.
JSS Provider Notes
securerandom supported algorithms notes pkcs11prng this invokes the nss internal pseudorandom number generator.
Mozilla-JSS JCA Provider notes
securerandom supported algorithms notes pkcs11prng this invokes the nss internal pseudorandom number generator.
NSS 3.12.4 release notes
in cert_pkixsetparam bug 494107: during nss_nodb_init(), softoken tries but fails to load libsqlite3.so crash [@ @0x0 ] bug 495097: sdb_mapsqlerror returns signed int bug 495103: nss_initreadwrite(sql:<dbdir>) causes nss to look for sql:<dbdir>/libnssckbi.so bug 495365: add const to the 'nickname' parameter of sec_certnicknameconflict bug 495656: nss_initreadwrite(sql:<configdir>) leaves behind a pkcs11.txu file if libnssckbi.so is in <configdir>.
NSS 3.24 release notes
new macros in pkcs11t.h ckm_tls12_mac in secoidt.h sec_oid_tls_ecdhe_psk - this oid governs the use of the tls_ecdhe_psk_with_aes_128_gcm_sha256 cipher suite, which is used only for session resumption in tls 1.3.
NSS 3.30 release notes
new macros in ciferfam.h pkcs12_aes_cbc_128, pkcs12_aes_cbc_192, pkcs12_aes_cbc_256 - cipher family identifiers corresponding to the pkcs#5 v2.1 aes based encryption schemes used in the pkcs#12 support in nss in pkcs11n.h cka_nss_mozilla_ca_policy - identifier for a boolean pkcs#11 attribute, that should be set to true, if a ca is present because of its acceptance according to the mozilla ca policy notable changes in nss 3.30 the tls server code has been enhanced to support session tickets when no rsa certificate (e.g.
NSS 3.35 release notes
sql: the newer file format, based on sqlite, using filenames cert9.db, key4.db and pkcs11.txt.
NSS 3.36.8 release notes
bugs fixed in nss 3.36.8 1554336 - optimize away unneeded loop in mpi.c 1515342 - more thorough input checking (cve-2019-11729) 1540541 - don't unnecessarily strip leading 0's from key material during pkcs11 import (cve-2019-11719) compatibility nss 3.36.8 shared libraries are backward compatible with all older nss 3.x shared libraries.
NSS 3.44.1 release notes
y 1546229 - add ipsec ike support to softoken many new fips test cases (note: this has increased the source archive by approximately 50 megabytes for this release.) bugs fixed in nss 3.44.1 1554336 - optimize away unneeded loop in mpi.c 1515342 - more thorough input checking (cve-2019-11729) 1540541 - don't unnecessarily strip leading 0's from key material during pkcs11 import (cve-2019-11719) 1515236 - add a sslkeylogfile enable/disable flag at build.sh 1473806 - fix seckey_converttopublickey handling of non-rsa keys 1546477 - updates to testing for fips validation 1552208 - prohibit use of rsassa-pkcs1-v1_5 algorithms in tls 1.3 (cve-2019-11727) 1551041 - unbreak build on gcc < 4.3 big-endian compatibility nss 3.44.1 shared l...
NSS 3.45 release notes
certificate authority changes the following ca certificates were removed: bug 1552374 - cn = certinomis - root ca sha-256 fingerprint: 2a99f5bc1174b73cbb1d620884e01c34e51ccb3978da125f0e33268883bf4158 bugs fixed in nss 3.45 bug 1540541 - don't unnecessarily strip leading 0's from key material during pkcs11 import (cve-2019-11719) bug 1515342 - more thorough input checking (cve-2019-11729) bug 1552208 - prohibit use of rsassa-pkcs1-v1_5 algorithms in tls 1.3 (cve-2019-11727) bug 1227090 - fix a potential divide-by-zero in makepfromqandseed from lib/freebl/pqg.c (static analysis) bug 1227096 - fix a potential divide-by-zero in pqg_verifyparams from lib/freebl/pqg.c (static analysis) bug 15...
NSS 3.46 release notes
setup bug 1565013 - hacl image builder times out while fetching gpg key bug 1563786 - update hacl-star docker image to pull specific commit bug 1559012 - improve gcm performance using pmull2 bug 1528666 - correct resumption validation checks bug 1568803 - more tests for client certificate authentication bug 1564284 - support profile mobility across windows and linux bug 1573942 - gtest for pkcs11.txt with different breaking line formats bug 1575968 - add strsclnt option to enforce the use of either ipv4 or ipv6 bug 1549847 - fix nss builds on ios bug 1485533 - enable nss_ssl_tests on taskcluster this bugzilla query returns all the bugs fixed in nss 3.46: https://bugzilla.mozilla.org/buglist.cgi?resolution=fixed&classification=components&query_format=advanced&product=nss&target_miles...
NSS 3.51 release notes
bug 1611209 - correct swapped pkcs11 values of ckm_aes_cmac and ckm_aes_cmac_general bug 1612259 - complete integration of wycheproof ecdh test cases bug 1614183 - check if ppc __has_include(<sys/auxv.h>) bug 1614786 - fix a compilation error for ‘getfipsenv’ "defined but not used" bug 1615208 - send dtls version numbers in dtls 1.3 supported_versions extension to avoid an incompatibility.
Enc Dec MAC Using Key Wrap CertReq PKCS10 CSR
generates encryption/mac keys and outputs public key as pkcs11 certificate signing request /* this source code form is subject to the terms of the mozilla public * license, v.
OLD SSL Reference
ssl configuration functions ssl configuration ssl_importfd ssl_optionset ssl_optionget ssl_cipherprefset ssl_cipherprefget ssl_configsecureserver ssl_seturl ssl_setpkcs11pinarg callback configuration ssl_authcertificatehook ssl_authcertificate ssl_badcerthook ssl_getclientauthdatahook nss_getclientauthdata ssl_handshakecallback ...
sslintro.html
ssl_setpkcs11pinarg.
SSL functions
ssl_restarthandshakeaftercertreq mxr 3.2 and later ssl_restarthandshakeafterservercert mxr 3.2 and later ssl_revealcert mxr 3.2 and later ssl_revealpinarg mxr 3.2 and later ssl_revealurl mxr 3.2 and later ssl_securitystatus mxr 3.2 and later ssl_setmaxservercachelocks mxr 3.4 and later ssl_setpkcs11pinarg mxr 3.2 and later ssl_setsockpeerid mxr 3.2 and later ssl_seturl mxr 3.2 and later ssl_shutdownserversessionidcache mxr 3.7.4 and later ...
NSS_3.12.3_release_notes.html
new korean seed cipher: new macros for seed support: in blapit.h: nss_seed nss_seed_cbc seed_block_size seed_key_length in pkcs11t.h: ckk_seed ckm_seed_key_gen ckm_seed_ecb ckm_seed_cbc ckm_seed_mac ckm_seed_mac_general ckm_seed_cbc_pad ckm_seed_ecb_encrypt_data ckm_seed_cbc_encrypt_data in secmod.h: public_mech_seed_flag in secmodt.h: secmod_seed_flag in sec...
NSS Tools pk12util
error codes pk12util can return the following values: 0 - no error 1 - user cancelled 2 - usage error 6 - nls init error 8 - certificate db open error 9 - key db open error 10 - file initialization error 11 - unicode conversion error 12 - temporary file creation error 13 - pkcs11 get slot error 14 - pkcs12 decoder start error 15 - error read from import file 16 - pkcs12 decode error 17 - pkcs12 decoder verify error 18 - pkcs12 decoder validate bags error 19 - pkcs12 decoder import bags error 20 - key db conversion version 3 to version 2 error 21 - cert db conversion version 7 to version 5 error 22 - cert and key dbs patch error 23 - get default cert db error 24 - find cer...
Index
these values map onto the values defined in mozilla/security/nss/lib/softoken/pkcs11t.h and are switched to ckm_*_hmac constant.
nsICryptoHMAC
these values map onto the values defined in mozilla/security/nss/lib/softoken/pkcs11t.h and are switched to ckm_*_hmac constant.
nsIDOMWindowInternal
pkcs11 nsidompkcs11 obsolete: this property is not supported in newer versions of firefox.
PKCS #11 Netscape Trust Objects - Network Security Services
definitions definitions for all of the above values are defined in pkcs11n.h in the nss source.
Window - Web APIs
window.pkcs11 formerly provided access to install and remove pkcs11 modules.