
NSS: Certificate management without certdb


Kai Chan

Nov 19, 2009, 2:54:15 PM
to dev-tec...@lists.mozilla.org
Hi,

Is there a way to do certificate operations in NSS without using the cert8.db?  I was looking at a post at mail-archive.com (http://www.mail-archive.com/dev-tec...@lists.mozilla.org/msg00245.html) that suggested all this would now be internal to the PKCS #11 module, removing dependence on cert8.db.  Does that mean I can use the certdb library to handle certificate operations?

Thanks,
Kai

Wan-Teh Chang

Nov 19, 2009, 3:34:25 PM
to mozilla's crypto code discussion list
2009/11/19 Kai Chan <nah...@gmail.com>:

> Hi,
>
> Is there a way to do certificate operations in NSS without using the
> cert8.db?

Yes, you can initialize NSS with NSS_NoDB_Init(NULL).
Then NSS won't create or use any databases.

You can then import certificates as "temporary certificates"
(as opposed to "permanent certificates" or "token certificates"
that are stored in cert8.db) and perform operations on them.

Wan-Teh

Kai Chan

Nov 19, 2009, 3:52:26 PM
to mozilla's crypto code discussion list
Thanks for the response.

I'm looking at the DogTag instructions (http://pki.fedoraproject.org/wiki/ECC_Capable_NSS) for using an ECC-enabled NSS that strips out the softoken and freebl implementations and imports a third-party crypto module (http://pki.fedoraproject.org/wiki?title=ECC_Enabling_Dogtag#Command_Line_Tests).  They use modutil with the "-nocertdb" option, which I guess defaults all certificate operations to the token instead of looking at cert8.db and key3.db and use certutil as normal?  I know that the referenced instructions are from a different project, but I was hoping anyone could confirm that this is a viable and "standard" way of modifying NSS to use a third-party cryptographic module and, if not, could point me in the right direction.


Kai Chan

Nov 20, 2009, 11:24:04 AM
to mozilla's crypto code discussion list

Wan-Teh Chang

Nov 20, 2009, 12:37:02 PM
to mozilla's crypto code discussion list
2009/11/20 Kai Chan <nah...@gmail.com>:

> I noticed in a lot of the certificate functions
> (http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslcrt.html#1050532),
> there is an argument for CERTCertDBHandle.  Does that mean I can't use these
> certificate functions unless I use the cert8.db?  If I still can, then do I
> pass that as NULL?

You should always pass the return value of CERT_GetDefaultCertDB()
as the CERTCertDBHandle * argument to those certificate functions.

Once you initialize NSS (with or without databases), CERT_GetDefaultCertDB()
will return a suitable value.

Wan-Teh

Kai Chan

Nov 20, 2009, 1:56:36 PM
to mozilla's crypto code discussion list
Thanks for the clarification.  So, by calling CERT_GetDefaultCertDB(), I get a handle to some type of pseudo-certificate database when initializing with NSS_NoDB_Init?  Does this guarantee that any key material stays inside a third-party PKCS #11 module during certificate and cryptographic operations?

Thanks,
Kai


Nelson B Bolyard

Nov 20, 2009, 3:10:30 PM
to mozilla's crypto code discussion list
On 2009-11-20 10:56 PST, Kai Chan wrote:
> Thanks for the clarification. So, by calling CERT_GetDefaultCertDB(), I
> get a handle to some type of pseudo-certificate database when
> initializing with NSS_NoDB_Init?

Yes. You get a handle to a "pseudo cert DB" (actually, a trust domain)
regardless of which way you initialize NSS.

As you know, NSS is now in its third major release (3.x) and this third
release uses PKCS#11 modules for all crypto and for all key and cert
storage. Older major versions of NSS did not use PKCS#11 for cert storage
but instead directly accessed the cert DB. The function
CERT_GetDefaultCertDB is a holdover from NSS 1.x and is preserved for
backward binary and API compatibility, but it no longer actually returns
a real DB handle. Now, it returns a handle of another type, and all the
functions that expect to receive that handle expect to receive a handle of
that type.

> Does this guarantee that any key material stays inside a third-party PKCS
> #11 module during certificate and cryptographic operations?

Yes.
