How do I get the certificates out of the builtin object token?


How do I get the certificates out of the builtin object token?

Kyle Hamilton-2
How do I get the certificates out of the builtin object token?
certutil only appears to work on cert8.db and key3.db, modutil won't
add libnssckbi.dylib (it gives me error -2804 if I try), and I can't
figure out how I'm supposed to do it.

(I hope I don't have to use the slow, cumbersome, and insanely
laid-out Firefox certificate browser to do this.)

-Kyle H
_______________________________________________
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto

RE: How do I get the certificates out of the builtin object token?

David Stutzman-9
Kyle,

Assuming your DBs are in the current directory:
certutil -L -d . -h "Builtin Object Token" will list all of the nicknames

Then you just add the -n "nickname" (and optionally -a to get base64) for each one like so:
certutil -L -d . -n "Builtin Object Token:StartCom Certification Authority" -a
-----BEGIN CERTIFICATE-----
MIIHyTCCBbGgAwIBAgIBATANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJJTDEW
MBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwg
Q2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3RhcnRDb20gQ2VydGlmaWNh
...
<snip>

I believe if you leave the -h "token name" part in, then your nicknames don't have to be prepended with the token name, but it's probably easier to script the way I did it above.

Dave


Re: How do I get the certificates out of the builtin object token?

Kyle Hamilton-2
That doesn't give me the list of nicknames in the Builtin Object
Token, that just gives me the list of nicknames in the softtoken.  (I
doubt that nssckbi is supposed to include this...)

KyleMac:.netscape kyanha$ certutil -L -d . -h "Builtin Object Token"
[...]
StartCom Free Certificate Member's StartCom Ltd. ID          u,u,u
[...]

Notably, modutil -list gives me this:

-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
-----------------------------------------------------------

It does this regardless of whether I have libnssckbi.dylib (I'm on Mac
OS X Leopard 10.5.6) in the profile directory.  It also does this
regardless of whether I have all of Firefox.app/Contents/MacOS/*.dylib
in the profile directory.  And it especially does this even when I'm
in the profile directory.

The version of nss I'm using is @3.11.9 (net), provided by darwinports.

-Kyle H

On Tue, Dec 30, 2008 at 4:44 AM, David Stutzman <[hidden email]> wrote:

RE: How do I get the certificates out of the builtin object token?

David Stutzman-9
Ahh... I did it from my Vista workstation's Firefox profile which I knew had the roots module added.  Nssckbi.dll or libnssckbi.so or whatever it is on a Mac is a special PKCS#11 module that is read-only and contains the trust anchors.  By default with an NSS database, it's not added.  You can add it yourself to a new or existing db using modutil.

mbn ~ # mkdir nss
mbn ~ # cd nss/
mbn nss # nsscertutil -N -d .
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password:
Re-enter password:
mbn nss # nssmodutil -list -dbdir .

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
-----------------------------------------------------------
mbn nss # nssmodutil -add roots -libfile /usr/lib64/nss/libnssckbi.so -dbdir .

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

Module "roots" added to database.
mbn nss # nssmodutil -list -dbdir .

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. roots
        library name: /usr/lib64/nss/libnssckbi.so
         slots: 1 slot attached
        status: loaded

         slot: NSS Builtin Objects
        token: Builtin Object Token
-----------------------------------------------------------
mbn nss # nsscertutil -L -d . -h all

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Builtin Object Token:Verisign/RSA Secure Server CA           CG,C,
Builtin Object Token:GTE CyberTrust Root CA                  CG,C,C
Builtin Object Token:GTE CyberTrust Global Root              CG,C,C
<snip> you get the point

(BTW, ignore the "nss" prepended to the beginning of all the commands, I filed a bug with Gentoo a while back to have the NSS command-line utils be built by default and they didn't want a binary called "digest" lying around among others so they prepend "nss" before all the commands.)

At this point you can follow my previous directions.  Sorry I didn't explicitly mention this piece earlier.

Good luck,
Dave
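Dave's two replies together describe a procedure (register libnssckbi as a module, list with "-h all", dump each nickname with "-n ... -a"); the script below automates it as an added example that is not part of this thread or of NSS. It assumes certutil and modutil are on PATH under their plain names (no Gentoo "nss" prefix), that the DB directory is DBDIR (default "."), and that the "roots" module has already been added; OUTDIR, the function names and the embedded sample listing are constructed for the example.

```shell
#!/bin/sh
# Export every certificate held by the NSS "Builtin Object Token" to PEM files.
# Added example (not from the thread). Assumes certutil and modutil on PATH and
# an NSS DB directory DBDIR in which libnssckbi was registered as module "roots".
set -eu

DBDIR="${DBDIR:-.}"                 # where cert8.db/key3.db/secmod.db live
OUTDIR="${OUTDIR:-./builtin-roots}" # hypothetical output directory
TOKEN="Builtin Object Token"

# Constructed sample of "certutil -L -d . -h all" output (header, two builtin
# roots, one softoken cert) so the parser can be exercised without a database.
SAMPLE='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Builtin Object Token:Verisign/RSA Secure Server CA           CG,C,
Builtin Object Token:GTE CyberTrust Root CA                  CG,C,C
my own cert                                                  u,u,u'

# Read a certutil listing on stdin; print the nicknames that belong to the
# builtin token without the "Builtin Object Token:" prefix and trust column.
# Nicknames contain spaces, so the trust column is taken to be the last run
# of non-space characters on the line.
builtin_nicknames() {
    sed -n "s/^${TOKEN}:\(.*[^ ]\)  *[^ ]*\$/\1/p"
}

# Map a nickname to a safe file name ("Verisign/RSA Secure Server CA" ->
# "Verisign_RSA_Secure_Server_CA") so a slash cannot become a path component.
safe_name() {
    printf '%s' "$1" | tr -c 'A-Za-z0-9._' '_'
}

# The failure mode in the thread: until libnssckbi is registered, certutil only
# sees the software token and the listing has no builtin nicknames at all.
check_roots_loaded() {
    modutil -list -dbdir "$DBDIR" | grep -q "$TOKEN" || {
        echo "no '$TOKEN' in $DBDIR; run: modutil -add roots -libfile <libnssckbi> -dbdir $DBDIR" >&2
        return 1
    }
}

# Dave's loop, scripted: list once, then dump each cert as base64 PEM (-a).
export_builtin_certs() {
    mkdir -p "$OUTDIR"
    certutil -L -d "$DBDIR" -h all | builtin_nicknames | while IFS= read -r nick; do
        out="$OUTDIR/$(safe_name "$nick").pem"
        certutil -L -d "$DBDIR" -n "$TOKEN:$nick" -a > "$out"
        echo "wrote $out"
    done
}

# Only touch a real database when explicitly asked: sh export-roots.sh export
if [ "${1:-}" = "export" ]; then
    check_roots_loaded
    export_builtin_certs
fi
```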

Re: How do I get the certificates out of the builtin object token?

Kyle Hamilton-2
KyleMac:.netscape kyanha$ modutil -add roots -libfile
/Applications/Firefox.app/Contents/MacOS/libnssckbi.dylib -dbdir .

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

Using database directory ....
ERROR: Failed to add module "roots". Probable cause : "Unknown error: -2804".
KyleMac:.netscape kyanha$

(The architecture is 'i386' on all of modutil, certutil, and libnssckbi.dylib.)

-Kyle H

On Wed, Dec 31, 2008 at 4:48 AM, David Stutzman <[hidden email]> wrote:

Re: How do I get the certificates out of the builtin object token?

Nelson B Bolyard-2
Kyle Hamilton wrote, On 2008-12-31 06:36 PST:

> KyleMac:.netscape kyanha$ modutil -add roots -libfile
> /Applications/Firefox.app/Contents/MacOS/libnssckbi.dylib -dbdir .
>
> WARNING: Performing this operation while the browser is running could cause
> corruption of your security databases. If the browser is currently running,
> you should exit browser before continuing this operation. Type
> 'q <enter>' to abort, or <enter> to continue:
>
> Using database directory ....
> ERROR: Failed to add module "roots". Probable cause : "Unknown error: -2804".
> KyleMac:.netscape kyanha$
>
> (The architecture is 'i386' on all of modutil, certutil, and libnssckbi.dylib.)

Kyle, Please file a bug about this.  Product: NSS, component: Libraries

Error -2804 is not a known NSS or NSPR error code.  It's not even in the
range of known error codes.  The known ranges are:
    -5k+1 ... -6k     NSPR
    -7k+1 ... -8k     NSS
   -11k+1 ... -12k    SSL

So, this failure is a mystery.

Note also that if the nssckbi file is in the directory where the DBs live,
it should get loaded automatically, even if it's not in the secmod DB.
But given the failure you're seeing, I'd be surprised if that works for you.

Re: How do I get the certificates out of the builtin object token?

Kyle Hamilton-2
Bug 471734.  Poking around Apple's developer site, the only thing I
can come up with for error -2804 is cfragNoLibraryErr, with the
description "The named library was not found."

I'm also seeing that some functions in the code fragment library were
deprecated in 10.5, but I can't find information on what they were
superseded by.

-Kyle H

On Wed, Dec 31, 2008 at 10:22 AM, Nelson B Bolyard <[hidden email]> wrote: