Configuring Firefox with a PKCS#11 library is simple - all you have
to do is follow the "Edit->Preferences->Advanced->Security Devices->
Load" path and supply a name (of your choice) for the module and the
actual full-path of the PKCS11 library for the prompts.  If the P11
library is correctly implemented, FF will recognize the module and
you should now see it in the list of devices of the Device Manager
window in FF.

Once configured, FF treats the TPM no differently from any other
hardware device for generating keys, using certificates, etc.  Of
course, the crypto-capabilities that FF can use on the TPM will
depend on what the TPM has to offer.

I am making some incremental progress with a specific vendor's TPM
library I have and the use of Java to generate keys and create a
self-signed certificate; but I have run into some other issues
(related to the TPM's security model) that I need to resolve and
am working with the vendor on resolving this.

Eventually, this code will show up in our open-source CSRTool (and
StrongKey) which will be able to do precisely what you're seeking
to do: generate a key-pair, create a CSR that can be submitted to a
CA (as a PKCS#10 blob) and get back a signed certificate that can
then be imported into the TPM.  Once done, all applications that
can interface with a TPM should be able to see and use those
objects.

We do plan to integrate it with Trousers, but rather than use the
openCryptoki library (which will necessitate using the SunPKCS11
bridge), we plan to use jTSS (http://trustedjava.sourceforge.net/)
and eventually, the JSR-321 interface, which should provide native
access to the TPM (fewer integration headaches, hopefully).

Arshad Noor
StrongAuth, Inc.


Martin Schneider wrote:
Hello Arshad,

I want to use Firefox with TPM preferably in Ubuntu Linux.

I'm not sure what I've got to do to link Firefox with the PKCS#11
interface. Do you need to implement some code or is this a mere
configuration thing?

The next question is: How does the creation of a TPM protected
certificate work? Do you have to externally create a Certification
Signing Request for a key protected inside the TPM, get a signature
for this CSR and import the cert to Firefox?

Best regards,
Martin




On 6 Jul., 19:18, Arshad Noor <arshad.n...@strongauth.com> wrote:
Hi Martin,

Yes, TSS does apparently give you a PKCS#11 interface when layered
with openCryptoki (http://trousers.sourceforge.net/pkcs11.html).  I
haven't used this configuration personally (I'm trying to work with
a specific vendor's PKCS#11 library and access the TPM using Java
through the SunPKCS11 bridge).

You didn't specify the platform - if you're using Windows, your TPM
provider probably has a PKCS#11 library already bundled in the TPM
software distribution.

Arshad Noor
StrongAuth, Inc.

Martin Schneider wrote:
Hello everybody,
I'm new to this topic, so it would be kind if some of you people could
give me some input.
I want to use certificates whose corresponding private key is protected
inside a Trusted Platform Module and use these Certificates for client
side authentication towards a web based service running on an Apache.
As far as I understand, there should be the possibility to somehow use
the TPM together with Firefox or Thunderbird if you have a suitable
PKCS#11 module. As far as I know, TrouSerS or jTSS will offer such a
PKCS#11 provider. But I do not understand how this must be used. Did
anybody of you set up something as I want to do and maybe put down
some notes?
Thanks for your replies
Martin


--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
