


E_NSS is an OpenSSL "loadable cryptographic module" (engine) that uses keys and certificates stored in a Mozilla "Network Security Services" (NSS) database.

NSS is used in a variety of products, including the following:

  • Mozilla-based products, such as Firefox, SeaMonkey, Thunderbird, etc.
  • Office software suites (word processing, spreadsheets, etc.), such as OpenOffice and LibreOffice
  • Instant messaging, like Pidgin
  • Various directory servers


5 Feb 2023 : Released e_nss 4.3
  • public-key for "store"
    OpenSSL 3.0+ functionality requires "store" to support public key in addition to key.
  • digest tests with "store"-keys
    OpenSSL 3.0+ digest utility supports "store"-based keys. Use the utility to test operation with keys from the NSS database.

18 Dec 2022 : Released e_nss 4.2
  • support either build or test without DSA key method

9 Oct 2022 : Released e_nss 4.1
  • experimental FIPS mode compatibility with OpenSSL 3+
    Does not allow the NSS database to be used if OpenSSL 3+ runs in FIPS mode. Prevents crashes and raises exceptions instead.
    Remark: OpenSSL 3+ fails to use non-provider-based PKEY in FIPS mode.
  • Fix RSA signatures for OpenSSL FIPS 2*+ module
    Work-around for broken RSA "digest type" used by OpenSSL 1.0* when run in FIPS mode.

27 May 2022 : Released e_nss 4.0
  • support OpenSSL 3+
    Work-around for buggy engine-related key management in OpenSSL 3+. Also includes a work-around for the useless DSA key output change in OpenSSL 3+.

21 Mar 2022 : Released e_nss 3.2.6
  • improve compatibility with some Linux distributions
    Update rpm-spec files to exclude tests for EC keys with the secp521r1 curve, as support is not included in some vendor releases. Also use gzip-compressed source on some distributions.

17 Mar 2022 : Released e_nss 3.2.5
  • clean non-significant dso errors
    Avoid post OpenSSL 1.1.1m error left in queue after load of engine.
  • minimise build requirements
    Downgrade "autotools" version requirements to real needs. Allows use on ancient Linux-es.

4 Mar 2022 : Released e_nss 3.2.4
  • separate test results
    Separate "result"-files - one for standard output and one for error output. Prevents debug messages from interfering with command output.
  • build on ancient NSS releases
    Build without function PK11_PrivDecrypt(), i.e. removes the requirement for 3.16.2 as the minimum NSS version.
  • avoid indirect impact on application exit
    Post OpenSSL 1.1.1m, engine "bind" macros may change application exit logic. Prevent the impact of such a functional change in all builds with OpenSSL 1.1.1, as this is a stable branch.

4 Jan 2022 : Released e_nss 3.2.3
  • ignore system policy
    Ignore system policy in all sha1 regression tests as it may exclude sha1 signatures.
  • revert "work-around for broken compilers"
    Looks like a temporary failure.

22 Dec 2021 : Released e_nss 3.2.2
  • work-around for broken compilers
    Use a local variable as the SGN_Digest call parameter as a work-around for this compiler defect. Found by regression tests on CentOS 8 and Fedora 34, for instance.
  • ignore system policy
    In rsa(md5) and dsa regression tests ignore system policy as it may exclude md5 signatures and dsa keys with size 1024.
  • work-around for OpenSSL 3+ x509 header pollution
    Issue still not fixed in OpenSSL 3+ code. Work-around avoids compiler warning related to redefined definitions. Note: OpenSSL 3+ still fails on external keys.

14 Dec 2021 : Released e_nss 3.2.1
  • distribute store tests
    Ensure that the distribution tarball contains all tests independently of build configuration.

13 Dec 2021 : Released e_nss 3.2
  • add store "expect" functionality
    Allows selecting only certificates or keys from the specified URI.
  • memory leak
    Avoid memory leak when initialising key context for EC keys.

21 Nov 2021 : Released e_nss 3.1.1
  • compatibility with OpenSSL 3.0
    Rewrite "key type" to use OpenSSL 3.0 API and minimise future impacts on engine code due to needless functions renames.
  • memory leak
    Avoid memory leak when initialising key context for RSA and DSA keys.

21 Mar 2021 : Released e_nss 3.1
  • compatibility with OpenSSL
    Encapsulate the store loader in its own source file.
    Avoid use of functions deprecated in 3.0 with changed synopsis.
  • cleanup defines used only once

24 Jan 2021 : Released e_nss 3.0
  • compatibility with OpenSSL
    Prepare code base for the new model for loadable modules - move key-related code into own source files.
  • compatibility with NSS
    Ensures a test environment that allows deprecated digests like md5 to be tested.

15 Feb 2020 : Released e_nss 2.1
  • compatibility with OpenSSL
    Work-around for some methods deprecated in OpenSSL 3.0.

20 Aug 2016 : Released e_nss 2.0
  • OpenSSL STORE functionality
    This version implements the upcoming OpenSSL (1.1.1) STORE functionality. The scheme prefix used is "nss:". Existing engine commands are available with the corresponding store URI:
    • nss:list=all
    • nss:list=ca
    • nss:list=user
      List "nicknames" of all, CA, or user certificates stored in NSS database.
    • nss:cert=nickname
      Extract X.509 certificate for the given "nickname".
    • nss:key=nickname
      Extract key for the given "nickname".
    • nss:nickname
      Extract key and X.509 certificate for the given "nickname".
  • RSA OAEP padding
    Support OAEP padding for RSA keys (requires NSS 3.16.2 or newer)
  • build and tests fixes

16 Dec 2016 : Released e_nss 1.1
  • dynamic allocation of user interface prompt
    Engine uses the default application UI (user interface) method as password prompt when the NSS database requests password authentication.
  • suppress harmless warnings with legacy OpenSSL versions

8 Sep 2016 : Released e_nss 1.0.1
  • restore build for OpenSSL 0.9.7*

27 Aug 2016 : Released e_nss 1.0
  • Support OpenSSL 1.1
    Code is updated to use OpenSSL 1.1 API with backport of used functions if build is with previous OpenSSL versions.
    Note that the name of the cryptographic module is changed to "e_nss", i.e. without the "lib" prefix. You must specify the path to the engine directory with the configure option "--with-enginesdir".

17 Jan 2016 : Released e_nss 0.6
  • EC_KEY method for upcoming OpenSSL 1.1
  • work in FIPS-enabled mode (either OpenSSL or NSS module)
  • partial implementation of rsa_priv_enc - if input is X.509 signature

6 Jun 2015 : Released e_nss 0.5
  • support EC keys
  • late NSS db initialization

6 Sep 2013 : Released e_nss 0.4.2
  • improve engine setup by openssl config file
  • fix GCC pedantic warnings

25 Jan 2013 : Released e_nss 0.4.1
  • support openssl 0.9.7 - 1.0.1
  • automake 1.13 ready

12 Jan 2012 : Released e_nss 0.4
  • support openssl 0.9.7 - 1.0.1(beta)
  • build on various Linux distributions
  • OpenSSL<->NSS sign/verify test

8 Oct 2011 : Released e_nss 0.3
  • two new internal commands

    E_NSS_CMD_LOAD_CERT - Return certificate found by specified nickname
    E_NSS_CMD_EVP_CERT - Return certificate for specified EVP KEY

    Applications should use those commands to get the X.509 certificate encoded in DER format.

  • own output of certificate distinguished name

    The NSS library cuts long names of distinguished name attributes. The cut is based on position and breaks display of a UTF-8 encoded attribute if the position is inside a multibyte sequence.

Last modified : Sunday February 05, 2023