Content:
About:
E_NSS is an OpenSSL "loadable cryptographic module" (engine) that uses keys and
certificates stored in a Mozilla "Network Security Services" (NSS) database.
NSS is used in a variety of products, including the following:
- Mozilla based products, like Firefox, SeaMonkey, Thunderbird, etc.
- Office suites (word processing, spreadsheets, etc.), like OpenOffice and LibreOffice
- Instant messaging clients, like Pidgin
- Various directory servers
News:
- 10 Mar 2024 : Released e_nss 4.3.1
- Changelog:
- certificate with SHA256 digest
Prefer a SHA256 digest when creating test certificates for builds with OpenSSL 1.1+.
- tests with SHA1 signatures
Enable OpenSSL SHA1 signatures in the regression tests if they are deprecated by the system policy.
- NSS library dependency
Do not link with only the minimal set of directly required NSS libraries.
This avoids runtime failures such as "cannot initialise database" when the NSS libraries are installed in a non-default location.
Note that the NSS library list can be set at configure time.
- 5 Feb 2023 : Released e_nss 4.3
- Changelog:
- public key for "store"
OpenSSL 3.0+ functionality requires the "store" loader to return a public key in addition to the key.
- digest tests with "store" keys
The OpenSSL 3.0+ digest utility (openssl dgst) supports "store"-based keys.
The tests use it to check operation with keys from the NSS database.
- 18 Dec 2022 : Released e_nss 4.2
- Changelog:
- support building and testing without the DSA key method
- 9 Oct 2022 : Released e_nss 4.1
- Changelog:
- experimental FIPS mode compatibility with OpenSSL 3+
The NSS database cannot be used if OpenSSL 3+ runs in FIPS mode.
The engine now reports an error instead of crashing.
Remark: OpenSSL 3+ fails to use a non-provider-based PKEY in FIPS mode.
- fix RSA signatures for the OpenSSL FIPS 2.x module
Work-around for the broken RSA "digest type" used by OpenSSL 1.0.x when run in FIPS mode.
- 27 May 2022 : Released e_nss 4.0
- Changelog:
- support OpenSSL 3+
Work-around for the buggy engine-related key management in OpenSSL 3+.
Also a work-around for the useless DSA key output change in OpenSSL 3+.
- 21 Mar 2022 : Released e_nss 3.2.6
- Changelog:
- improve compatibility with some Linux distributions
Update the rpm-spec files to exclude the tests for EC keys on the secp521r1 curve, as support for it is not included in some vendor releases.
Also use gzip-compressed source on some distributions.
- 17 Mar 2022 : Released e_nss 3.2.5
- Changelog:
- clean non-significant DSO errors
Avoid the error that OpenSSL releases after 1.1.1m leave in the error queue after the engine is loaded.
- minimise build requirements
Lower the "autotools" version requirements to what is actually needed.
Allows use on ancient Linux distributions.
- 4 Mar 2022 : Released e_nss 3.2.4
- Changelog:
- separate test results
Separate "result" files, one for standard output and one for error output.
Prevents debug messages from mixing with command output.
- build on ancient NSS releases
Build without the function PK11_PrivDecrypt(), i.e. NSS 3.16.2 is no longer required as the minimum version.
- avoid indirect impact on application exit
The engine "bind" macros in OpenSSL releases after 1.1.1m may change the application's exit logic.
Prevent the impact of that functional change in all builds with OpenSSL 1.1.1, as this is the stable branch.
- 4 Jan 2022 : Released e_nss 3.2.3
- Changelog:
- ignore system policy
Ignore the system policy in all SHA1 regression tests, as it may exclude SHA1 signatures.
- revert "work-around for broken compilers"
The failure looks to have been temporary.
- 22 Dec 2021 : Released e_nss 3.2.2
- Changelog:
- work-around for broken compilers
Use a local variable for the SGN_Digest() parameter as a work-around for the compiler defect.
Found by the regression tests on CentOS 8 and Fedora 34, for instance.
- ignore system policy
In the rsa(md5) and dsa regression tests ignore the system policy, as it may exclude md5 signatures and 1024-bit DSA keys.
- work-around for OpenSSL 3+ x509 header pollution
The issue is still not fixed in the OpenSSL 3+ code.
The work-around avoids compiler warnings about redefined definitions.
Note: OpenSSL 3+ still fails on external keys.
- 14 Dec 2021 : Released e_nss 3.2.1
- Changelog:
- distribute store tests
Ensure that the distribution tarball contains all tests, independently of the build configuration.
- 13 Dec 2021 : Released e_nss 3.2
- Changelog:
- add store "expect" functionality
Allows selecting only certificates or only keys from the specified URI.
- memory leak
Avoid a memory leak when initialising the key context for EC keys.
- 21 Nov 2021 : Released e_nss 3.1.1
- Changelog:
- compatibility with OpenSSL 3.0
Rewrite "key type" to use the OpenSSL 3.0 API and minimise future impact on the engine code from needless function renames.
- memory leak
Avoid a memory leak when initialising the key context for RSA and DSA keys.
- 21 Mar 2021 : Released e_nss 3.1
- Changelog:
- compatibility with OpenSSL
Encapsulate the store loader in its own source file.
Avoid use of functions deprecated in 3.0 whose synopsis changed.
- clean up defines used only once
- 24 Jan 2021 : Released e_nss 3.0
- Changelog:
- compatibility with OpenSSL
Prepare the code base for the new loadable module model: move key related code into its own source files.
- compatibility with NSS
Ensure a test environment in which deprecated digests like md5 can be tested.
- 15 Feb 2020 : Released e_nss 2.1
- Changelog:
- compatibility with OpenSSL
Work-around for some methods deprecated in OpenSSL 3.0.
- 20 Aug 2016 : Released e_nss 2.0
- Changelog:
- OpenSSL STORE functionality
This version implements the upcoming OpenSSL (1.1.1) STORE functionality.
The scheme prefix used is "nss:".
The existing engine commands are available through corresponding store URIs:
- nss:list=all
- nss:list=ca
- nss:list=user
List the "nicknames" of all, CA, or user certificates stored in the NSS database.
- nss:cert=nickname
Extract the X.509 certificate for the given "nickname".
- nss:key=nickname
Extract the key for the given "nickname".
- nss:nickname
Extract the key and X.509 certificate for the given "nickname".
- RSA OAEP padding
Support OAEP padding for RSA keys (requires NSS 3.16.2 or newer).
- build and test fixes
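As an added example (not code from e_nss), here is a parser for the "nss:" URI forms listed above, which also models the "expect" selection added in 3.2: it classifies a URI into the operation it names and the kinds of object the engine would return (nicknames, certificate, key), so a caller can reject a URI that cannot yield what it expects before touching the database. The object-kind model and the nickname "Server-Cert" in the sample input are assumptions drawn from the descriptions on this page, not from the engine's source.

```c
/* Added example, not part of e_nss: a parser for the "nss:" store URI
 * scheme listed above.  Each URI is classified into the operation it
 * names and the kinds of object it yields (NAME, CERT, PKEY), and
 * nss_uri_expect() applies the 3.2 "expect" filter on top of that.
 * The object-kind model is an assumption drawn from the descriptions
 * above, not from the engine's source. */
#include <stdio.h>
#include <string.h>

enum nss_op { NSS_OP_NONE = 0, NSS_OP_LIST, NSS_OP_CERT, NSS_OP_KEY, NSS_OP_PAIR };

/* Object kinds a URI yields; a bitmask so a URI can yield more than one. */
#define NSS_YIELDS_NAME 1u   /* nicknames, from nss:list=... */
#define NSS_YIELDS_CERT 2u   /* an X.509 certificate */
#define NSS_YIELDS_PKEY 4u   /* a key */

#define NSS_ARG_MAX 128      /* assumed bound on scope/nickname length */

struct nss_uri {
    enum nss_op op;
    char arg[NSS_ARG_MAX];   /* list scope ("all"/"ca"/"user") or nickname */
    unsigned yields;         /* bitmask of NSS_YIELDS_* */
};

static int set_arg(struct nss_uri *out, const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n >= sizeof out->arg)   /* empty nickname or overlong */
        return 0;
    memcpy(out->arg, s, n + 1);
    return 1;
}

/* Parse uri into *out.  Returns 1 on success, 0 for a malformed URI
 * (wrong scheme, empty argument, unknown command, bad list scope). */
int nss_uri_parse(const char *uri, struct nss_uri *out)
{
    static const char prefix[] = "nss:";
    const char *rest, *eq, *val;
    size_t klen;

    memset(out, 0, sizeof *out);
    if (uri == NULL || strncmp(uri, prefix, sizeof prefix - 1) != 0)
        return 0;
    rest = uri + (sizeof prefix - 1);
    if (*rest == '\0')
        return 0;

    eq = strchr(rest, '=');
    if (eq == NULL) {
        /* nss:nickname -> key and certificate for that nickname */
        out->op = NSS_OP_PAIR;
        out->yields = NSS_YIELDS_CERT | NSS_YIELDS_PKEY;
        return set_arg(out, rest);
    }

    klen = (size_t)(eq - rest);
    val = eq + 1;
    if (klen == 4 && strncmp(rest, "list", 4) == 0) {
        if (strcmp(val, "all") != 0 && strcmp(val, "ca") != 0 && strcmp(val, "user") != 0)
            return 0;
        out->op = NSS_OP_LIST;
        out->yields = NSS_YIELDS_NAME;
    } else if (klen == 4 && strncmp(rest, "cert", 4) == 0) {
        out->op = NSS_OP_CERT;
        out->yields = NSS_YIELDS_CERT;
    } else if (klen == 3 && strncmp(rest, "key", 3) == 0) {
        out->op = NSS_OP_KEY;
        out->yields = NSS_YIELDS_PKEY;
    } else {
        /* Assumption: a nickname may not contain '=', so any other
         * "word=value" form is rejected rather than treated as nss:nickname. */
        return 0;
    }
    return set_arg(out, val);
}

/* "expect" filter (e_nss 3.2): keep only the object kinds the caller asked
 * for.  A zero result means the URI cannot satisfy the expectation. */
unsigned nss_uri_expect(const struct nss_uri *u, unsigned want)
{
    return u->yields & want;
}

int main(void)
{
    /* constructed sample URIs; "Server-Cert" is an assumed nickname */
    static const char *samples[] = {
        "nss:list=ca", "nss:cert=Server-Cert", "nss:key=Server-Cert",
        "nss:Server-Cert", "nss:list=bogus", "nss:cert=", "pkcs11:object=x",
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct nss_uri u;
        if (nss_uri_parse(samples[i], &u))
            printf("%-22s op=%d arg=%s yields=0x%x certs-only=0x%x\n",
                   samples[i], (int)u.op, u.arg, u.yields,
                   nss_uri_expect(&u, NSS_YIELDS_CERT));
        else
            printf("%-22s rejected\n", samples[i]);
    }
    return 0;
}
```

The parser needs no OpenSSL or NSS headers, so it builds with a plain `cc`; in a real application the classification would sit in front of the OSSL_STORE calls so that, for example, a caller expecting only certificates never opens a "nss:key=..." URI.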
- 16 Dec 2016 : Released e_nss 1.1
- Changelog:
- dynamic allocation of the user interface prompt
The engine uses the application's default UI (user interface) method as the password prompt
when the NSS database requests password authentication.
- suppress harmless warnings with legacy OpenSSL versions
- 8 Sep 2016 : Released e_nss 1.0.1
- Changelog:
- restore the build for OpenSSL 0.9.7.x
- 27 Aug 2016 : Released e_nss 1.0
- Changelog:
- support OpenSSL 1.1
The code is updated to use the OpenSSL 1.1 API, with backports of the used functions when building with earlier OpenSSL versions.
Note that the name of the cryptographic module has changed to "e_nss", i.e. without the "lib" prefix.
You must specify the path to the engine directory with the configure option "--with-enginesdir".
- 17 Jan 2016 : Released e_nss 0.6
- Changelog:
- EC_KEY method for the upcoming OpenSSL 1.1
- work in FIPS-enabled mode (either the OpenSSL or the NSS module)
- partial implementation of rsa_priv_enc, for the case where the input is an X.509 signature
- 6 Jun 2015 : Released e_nss 0.5
- Changelog:
- support EC keys
- late NSS database initialization
- 6 Sep 2013 : Released e_nss 0.4.2
- Changelog:
- improve engine setup via the openssl config file
- fix GCC pedantic warnings
- 25 Jan 2013 : Released e_nss 0.4.1
- Changelog:
- support openssl 0.9.7 - 1.0.1
- automake 1.13 ready
- 12 Jan 2012 : Released e_nss 0.4
- Changelog:
- support openssl 0.9.7 - 1.0.1 (beta)
- build on various Linux distributions
- OpenSSL<->NSS sign/verify test
- 8 Oct 2011 : Released e_nss 0.3
- Changelog:
- two new internal commands
E_NSS_CMD_LOAD_CERT - return the certificate found by the specified nickname
E_NSS_CMD_EVP_CERT - return the certificate for the specified EVP key
Applications should use these commands to get the X.509 certificate encoded in DER format.
- own output of the certificate distinguished name
The NSS library cuts long distinguished name attribute values.
The cut is by byte position, and it breaks the display of a UTF-8 encoded attribute when that position falls inside a multibyte sequence.
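As an added illustration of that display defect (example code, not from e_nss or NSS; the attribute value "O=Müller Straße AG" and the display width are constructed), here is the byte-position cut next to a cut that backs up to a UTF-8 code point boundary, with a small validity check to show the difference:

```c
/* Added example, not e_nss or NSS code: the display defect described above,
 * a cut of a long attribute value by byte position, next to a cut that
 * backs up to a UTF-8 code point boundary.  The sample value and the
 * width are constructed for the example. */
#include <stdio.h>
#include <string.h>

/* "O=Müller Straße AG" with both two-byte characters written as escapes;
 * the literal is split so the hex escape does not swallow the 'e'. */
const char SAMPLE_DN[] = "O=M\xc3\xbcller Stra\xc3\x9f" "e AG";

/* The naive cut: copy at most max_bytes bytes, wherever that lands.
 * dst must hold max_bytes + 1 bytes.  Returns the number of bytes copied. */
size_t cut_by_position(const char *src, char *dst, size_t max_bytes)
{
    size_t n = strlen(src);
    if (n > max_bytes)
        n = max_bytes;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* Same limit, but never ends inside a multibyte sequence: UTF-8
 * continuation bytes are 10xxxxxx, so step back while the byte at the
 * cut position is one of those. */
size_t cut_at_utf8_boundary(const char *src, char *dst, size_t max_bytes)
{
    size_t n = strlen(src);
    if (n > max_bytes) {
        n = max_bytes;
        while (n > 0 && ((unsigned char)src[n] & 0xC0) == 0x80)
            n--;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* 1 if s is structurally valid UTF-8 (every lead byte is followed by the
 * right number of continuation bytes), 0 otherwise. */
int utf8_valid(const char *s)
{
    const unsigned char *p = (const unsigned char *)s;
    while (*p != '\0') {
        size_t len, i;
        if (*p < 0x80)                len = 1;
        else if ((*p & 0xE0) == 0xC0) len = 2;
        else if ((*p & 0xF0) == 0xE0) len = 3;
        else if ((*p & 0xF8) == 0xF0) len = 4;
        else return 0;                /* stray continuation or invalid lead byte */
        for (i = 1; i < len; i++)
            if ((p[i] & 0xC0) != 0x80)
                return 0;             /* sequence cut short (also catches NUL) */
        p += len;
    }
    return 1;
}

int main(void)
{
    char buf[64];
    size_t width = 15;   /* constructed display width that lands inside the 'ß' */

    cut_by_position(SAMPLE_DN, buf, width);
    printf("by position : \"%s\" valid=%d\n", buf, utf8_valid(buf));
    cut_at_utf8_boundary(SAMPLE_DN, buf, width);
    printf("at boundary : \"%s\" valid=%d\n", buf, utf8_valid(buf));
    return 0;
}
```

The byte-position cut leaves a lone lead byte at the end of the buffer, which a terminal or UI renders as a replacement character or drops; the boundary-aware cut gives up at most three bytes of width and always yields a string that decodes cleanly.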