Archive of obsolete content


This feature is non-standard and is not on a standards track. Do not use it on production sites facing the Web: it will not work for every user. There may also be large incompatibilities between implementations and the behavior may change in the future.

This feature has been removed from the Web standards. Though some browsers may still support it, it is in the process of being dropped. Avoid using it and update existing code if possible; see the compatibility table at the bottom of this page to guide your decision. Be aware that this feature may cease to work at any time.

Warning: The features mentioned in this article are deleted proprietary Mozilla extensions, and are not supported in any other browser. They won't work in Firefox 34 or later. Use <keygen> or the future Web Crypto API instead.

resultString = crypto.popChallengeResponse("challengeString");
Argument Description
"challengeString" A base-64 encoded CMMF POPODecKeyChallContent message. The current implementation does not conform to that defined in the CMMF draft, and we intend to change this implementation to that defined in the CMC RFC.. See below for the current implementation.

The resultString will either be a base-64 encoded POPODecKeyRespContent message, or one of the following error strings:

Error String Description
"error:invalidParameter:XXX" The parameter XXX was an invalid value.
"error:internalError" The software encountered some internal error, such as out of memory

Challenge-Response Proof Of Possession

Expected Input:

POPODecKeyChallContent ::= SEQUENCE OF Challenge
   -- One Challenge per encryption key certification request (in the
   -- same order as these requests appear in FullCertTemplates).

Challenge ::= SEQUENCE {
     owf                 AlgorithmIdentifier  OPTIONAL,
     -- MUST be present in the first Challenge; MAY be omitted in any
     -- subsequent Challenge in POPODecKeyChallContent (if omitted,
     -- then the owf used in the immediately preceding Challenge is
     -- to be used).
     witness             OCTET STRING,
     -- the result of applying the one-way function (owf) to a
     -- randomly-generated INTEGER, A.  [Note that a different
     -- INTEGER MUST be used for each Challenge.]
     sender              GeneralName,
     -- the name of the sender.
     key                 OCTET STRING,
     -- the public key used to encrypt the challenge.  This will allow
     -- the client to find the appropriate key to do the decryption.
     challenge           OCTET STRING
     -- the encryption (under the public key for which the cert.
     -- request is being made) of Rand, where Rand is specified as
     --   Rand ::= SEQUENCE {
     --      int      INTEGER,
     --       - the randomly-generated INTEGER A (above)
     --      senderHash  OCTET STRING
     --       - the result of applying the one-way function (owf) to
     --       - the sender's general name
     --   }
     -- the size of "int" must be small enough such that "Rand" can be
     -- contained within a single PKCS #1 encryption block.

Document Tags and Contributors

 Contributors to this page: teoli, Ms2ger,, Nickolay, Relyea
 Last updated by: teoli,