I'm not sure if you're asking about the standards or the NSS
implementations of the standards (there are multiple of each).
PKCS#7 v 1.5, also known as Cryptographic Message Syntax (CMS),
is RFC 2315. It was the first in a series of RFCs publishing
various versions of CMS. It was used in S/MIME V 2, RFC 2311.
It was succeeded by
CMS 1 - RFC 2630 used in S/MIME v 3.0, RFC 2633
CMS 2 - RFC 3369
CMS 3 - RFC 3852, used in S/MIME v 3.1, RFC 3851.
There was also an extension to CMS 1 known as ESS, RFC 2634.
NSS contains two separate libraries that implement versions of CMS.
The functions and typedefs whose names begin with SEC_PKCS7 embody an
implementation of PKCS#7 v1.5. See a list in
http://mxr.mozilla.org/security/search?string=SEC_PKCS7&find=nss.*h
The functions whose names begin with NSS_CMS and the typedefs whose names
begin with NSSCMS embody an implementation of CMS 1
http://mxr.mozilla.org/security/search?string=NSS_*CMS&find=nss.*h&regexp=1
Today, Thunderbird (which implements S/MIME 3.0) uses the NSS_CMS functions.
NSS internally still uses the older SEC_PKCS7 functions for decoding
signedData messages, which are used to download certificate chains.
http://developer.mozilla.org/En/NSS_Certificate_Download_Specification
> Are there any specific examples present on its usage?
For the SEC_PKCS7 API, there are examples in these files:
http://mxr.mozilla.org/security/source/security/nss/cmd/p7content/p7content.c
http://mxr.mozilla.org/security/source/security/nss/cmd/p7env/p7env.c
http://mxr.mozilla.org/security/source/security/nss/cmd/p7sign/p7sign.c
http://mxr.mozilla.org/security/source/security/nss/cmd/p7verify/p7verify.c
http://mxr.mozilla.org/security/source/security/nss/cmd/signver/pk7print.c
http://mxr.mozilla.org/security/source/security/nss/cmd/signver/signver.c
For the NSS_CMS API, see
http://mxr.mozilla.org/security/source/security/nss/cmd/smimetools/cmsutil.c
> Thanks
_______________________________________________
dev-tech-crypto mailing list
dev-tec...@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
Years have elapsed since I last looked at the BIO functions, but I believe
the NSPR PR_ functions (e.g. PR_Open, PR_Close, PR_NewTCPSocket, PR_Read,
PR_Write, PR_Send, PR_Recv, etc.) are what you want.
See them declared in
http://mxr.mozilla.org/nspr/source/nsprpub/pr/include/prio.h
See the documentation for the NSPR I/O functions in
http://www.mozilla.org/projects/nspr/reference/html/priofnc.html
See the documentation on related functions in NSS's SSL library at
http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslfnc.html#1163855
See a simplified example of those functions in use in the .c files in
http://mxr.mozilla.org/security/source/security/nss/cmd/SSLsample/
For an example of a client program that uses non-blocking IO with SSL see
http://mxr.mozilla.org/security/source/security/nss/cmd/tstclnt/tstclnt.c
A working example showing how to import an OS-native file descriptor into the
NSPR framework is provided here:
https://bugzilla.mozilla.org/attachment.cgi?id=334117
That plugs NSPR/PSM into OpenLDAP's sockbuf handler (which is the moral
equivalent of both BIOs and NSPR fds...)
Likewise you can look at the sockbuf support in OpenLDAP here
http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/
and compare the sockbuf interface to BIOs in tls_o.c with the sockbuf
interface to NSPR in tls_m.c. This is a more extensive example because it
sandwiches the SSL layers from both top and bottom; i.e. there is a sockbuf
layer that sits above the SSL layer (between libldap and the SSL library), and
another sockbuf layer below the SSL layer (between the SSL library and the
network).
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Thanks
-----Original Message-----
From: dev-tech-crypto-bounces+rlohani=adob...@lists.mozilla.org
[mailto:dev-tech-crypto-bounces+rlohani=adob...@lists.mozilla.org] On
Behalf Of Nelson B Bolyard
Sent: Wednesday, August 20, 2008 9:56 PM
To: mozilla's crypto code discussion list
Subject: Re: NSS and OpenSSL BIO replacement
Ruchi Lohani wrote, On 2008-08-20 21:31:
> Thanks Nelson.
> And sorry about the subject of the mail. I wanted to ask about that also.
> What are the equivalent APIs in NSS which probably can replace the BIO
> I/O abstraction of OpenSSL?
Years have elapsed since I last looked at the BIO functions, but I believe
the NSPR PR_ functions (e.g. PR_Open, PR_Close, PR_NewTCPSocket, PR_Read,
PR_Write, PR_Send, PR_Recv, etc.) are what you want.
See them declared in
http://mxr.mozilla.org/nspr/source/nsprpub/pr/include/prio.h
See the documentation for the NSPR I/O functions in
http://www.mozilla.org/projects/nspr/reference/html/priofnc.html
See the documentation on related functions in NSS's SSL library at
http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslfnc.html#1163855
See a simplified example of those functions in use in the .c files in
http://mxr.mozilla.org/security/source/security/nss/cmd/SSLsample/
For an example of a client program that uses non-blocking IO with SSL see
http://mxr.mozilla.org/security/source/security/nss/cmd/tstclnt/tstclnt.c
The program cmsutil already does all that.
I suggest you look at its source as an example.
http://mxr.mozilla.org/security/source/security/nss/cmd/smimetools/cmsutil.c
Howard, have I mentioned lately that you rock? :-)
This is timely; we're just about to hook up nss to Chromium on Linux.
I've done the BIO dance with openssl before, nice to see a rosetta
stone to show how to do it in nss.
- Dan
I have a demo program at
http://kegel.com/chromium/nss/mozilla/security/nss/cmd/ptstclnt2/
showing a BIO-like thing for NSS. It's not polished or fully
debugged yet, but the basic idea is you do
    #include "memio.h"
and then use something like
    PRFileDesc *fd = memio_CreateIOLayer(4096);
    struct memio_secret *private = fd->secret;
    connect(fd, ...);
    memio_SetPeerName(fd, &peername);
    fd = SSL_ImportFD(NULL, fd);
to create a pure state machine. SSL i/o is done
as usual via fd, but instead of going to the network,
it goes to a circular buffer.
Then to do the actual network I/O, do something like this:
    memio_buffer_send(private->bufs->writebuf, fd);
    memio_buffer_recv(private->bufs->readbuf, fd);
to do the actual networking. I'd put a nicer interface
on it, but I'm not sure what's appropriate yet.
Comments welcome...
- Dan
Thanks to Wan-Teh for several rounds of code review on
the core part of my demo, the NSPR I/O layer:
http://kegel.com/chromium/nss/mozilla/security/nss/cmd/ptstclnt2/memio.c
http://kegel.com/chromium/nss/mozilla/security/nss/cmd/ptstclnt2/ptstclnt2.c
is a simple many-session nonblocking SSL example that shows
how to use memio.c to create something like OpenSSL's
memory BIO so you can do all your own networking instead of letting
nspr do it. (Which is handy when fitting NSS into a non-nspr app.)
It's also available as http://kegel.com/chromium/memio.tgz
- Dan
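
The circular-buffer idea behind the memory I/O layer described in the two messages above, as an added example: this is not code from memio.c or from anyone in this thread, and it does not use NSPR. The names struct ring, ring_put, ring_peek, ring_consume and ring_demo are hypothetical; the sketch shows how one direction of such a layer can refuse to overwrite unread data and hand the caller contiguous runs to pass to its own send().

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical ring for one direction of a memory I/O layer (not memio.c).
 * One slot stays empty so head == tail always means "empty". */
struct ring { unsigned char data[8]; size_t head, tail; };
#define RING_SIZE sizeof(((struct ring *)0)->data)
static size_t ring_used(const struct ring *r) { return (r->tail + RING_SIZE - r->head) % RING_SIZE; }

/* Producer side: returns bytes accepted, 0 when full ("would block"). */
size_t ring_put(struct ring *r, const unsigned char *src, size_t n) {
    size_t room = RING_SIZE - 1 - ring_used(r), done = 0;
    if (n > room) n = room;                 /* never overwrite unread data */
    while (done < n) {
        size_t chunk = RING_SIZE - r->tail; /* contiguous space to the end */
        if (chunk > n - done) chunk = n - done;
        memcpy(r->data + r->tail, src + done, chunk);
        r->tail = (r->tail + chunk) % RING_SIZE;
        done += chunk;
    }
    return done;
}
/* Consumer side: longest contiguous readable run, usable as a send() buffer. */
size_t ring_peek(const struct ring *r, const unsigned char **out) {
    size_t used = ring_used(r), run = RING_SIZE - r->head;
    *out = r->data + r->head;
    return used < run ? used : run;
}
/* Advance after the network took n bytes; n is clamped to what is buffered. */
void ring_consume(struct ring *r, size_t n) {
    size_t used = ring_used(r);
    r->head = (r->head + (n < used ? n : used)) % RING_SIZE;
}
/* Pump a constructed record through the ring; a pretend socket takes <= 3 bytes per call. */
const char *ring_demo(void) {
    static char wire[16];
    const unsigned char *msg = (const unsigned char *)"ABCDEFGHIJ", *p;
    struct ring r = { {0}, 0, 0 };
    size_t queued = 0, sent = 0, run;
    while (sent < 10) {
        queued += ring_put(&r, msg + queued, 10 - queued);
        run = ring_peek(&r, &p);
        if (run > 3) run = 3;               /* short write */
        memcpy(wire + sent, p, run);
        ring_consume(&r, run);
        sent += run;
    }
    wire[sent] = '\0';
    return wire;
}
```

The 10-byte record does not fit the 7 usable bytes at once, so the loop exercises the full-buffer, wraparound and short-write paths while preserving byte order.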