On Aug 13, 6:13 am, Nelson B Bolyard <nel...@bolyard.me> wrote:
> On 2009-08-12 03:43 PDT, Rishi Renjith wrote:
>
> > Hello,
> > I tried creating a NSS database, linking it with crypto card and
> > connecting using apache mod_nss. Everything works fine, except that the
> > *rsaprivate* jobs are not getting increased in the kstat of the card.
>
> This is essentially the same issue that Rishi reported yesterday.
> I think he is not seeing our replies.
>
> > bash-3.00# modutil -list -dbdir .
> > Listing of PKCS #11 Modules
> > 2. Sun Crypto Accelerator
> > library name: /usr/lib/libpkcs11.so
> > slots: 2 slots attached
> > status: loaded
> >
> > slot: Sun Metaslot
> > token: Sun Metaslot
> >
> > slot: Sun Crypto Softtoken
> > token: Sun Software PKCS#11 softtoken
>
> There's obviously no crypto accelerator there.
>
> > Generating key. This may take a few moments...
> >
> > Enter Password or Pin for "Sun Software PKCS#11 softtoken":
>
> The above prompt confirms that the key was generated in Sun's pure
> software token, not in the SCA 6000 crypto accelerator token.
>
> When the SCA 6000 is properly configured, it shows up as one of the slots
> and tokens in the list of slots and tokens (shown above) for the module
> /usr/lib/libpkcs11.so. I searched today through Sun's public documentation
> trying to find out how to register the SCA 6000 with the MetaSlot so that
> it would show up in that list, and could not find any documentation about
> that. :(
>
> Sorry.
>
> /Nelson

Sorry, I was not receiving the replies you had posted earlier as I did not
subscribe to the list.

When I do a cryptoadm list to list the providers, there are no s/w
providers for RSA, as below.

bash-3.00# cryptoadm list

User-level providers:
Provider: /usr/lib/security/$ISA/pkcs11_kernel.so
Provider: /usr/lib/security/$ISA/pkcs11_softtoken_extra.so

Kernel software providers:
        des
        aes256
        arcfour2048
        blowfish448
        sha1
        sha2
        md5
        swrand

Kernel hardware providers:
        mca/0

I went through the documentation of the SCA6000 at
http://dlc.sun.com/pdf/819-5536-11/819-5536-11.pdf

This is what they say...

"Configuring Sun Metaslot to Use the Sun Crypto Accelerator 6000 Keystore

Through Sun Metaslot, only one keystore can be accessed. By default Sun
Metaslot uses the Solaris Softtoken keystore. To access the Sun Crypto
Accelerator 6000 keystore through Sun Metaslot, you must use one of the
following configurations.

■ Configure Sun Metaslot to use the Sun Crypto Accelerator 6000 keystore
  systemwide using cryptoadm(1M). Enter the following command to use the
  Sun Crypto Accelerator 6000 keystore. For the example in this section,
  ks is the name of the Sun Crypto Accelerator 6000

  cryptoadm enable metaslot token=ks

  This command forces a global change throughout the system, which causes
  all applications on the system to use the Sun Crypto Accelerator 6000
  keystore by default."

I had done this earlier, nevertheless, I tried it again today as below

bash-3.00# cryptoadm list -v metaslot
System-wide Meta Slot Configuration:
------------------------------------
Status: enabled
Sensitive Token Object Automatic Migrate: disabled
Persistent object store token: Military.602889

Detailed Meta Slot Information:
-------------------------------
actual status: enabled.
Description: Sun Metaslot
Token Present: True
Token Label: Sun Metaslot
Manufacturer ID: Sun Microsystems, Inc.
Model: 1.0
Serial Number:
Hardware Version: 0.0
Firmware Version: 0.0
UTC Time:
PIN Length: 0-253
Flags: CKF_RNG CKF_LOGIN_REQUIRED CKF_USER_PIN_INITIALIZED CKF_TOKEN_INITIALIZED CKF_SO_PIN_LOCKED

bash-3.00# cryptoadm enable metaslot token="Military.602889"
bash-3.00#
bash-3.00# modutil -list -dbdir .

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. Sun Crypto Accelerator
        library name: /usr/lib/libpkcs11.so
         slots: 2 slots attached
        status: loaded

         slot: Sun Metaslot
        token: Sun Metaslot

         slot: Sun Crypto Softtoken
        token: Sun Software PKCS#11 softtoken
-----------------------------------------------------------

bash-3.00# modutil -disable "NSS Internal PKCS #11 Module" -dbdir .

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

Slot "NSS Internal Cryptographic Services" disabled.
Slot "NSS User Private Key and Certificate Services" disabled.

bash-3.00# modutil -disable "Sun Crypto Accelerator" -dbdir .

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

Slot "Sun Metaslot" disabled.
Slot "Sun Crypto Softtoken" disabled.

bash-3.00# modutil -enable "Sun Crypto Accelerator" -slot "Sun Metaslot" -dbdir .

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases.
If the browser is currently running, you should exit browser before
continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

Slot "Sun Metaslot" enabled.

Another strange thing is that when I check the kstat output, the AESjobs
are getting incremented. This means that somehow the NSS is using the
crypto hardware for symmetric jobs, but for asymmetric jobs, it is not
using the h/w card. And also if you use it through JSSE, the card is
correctly used for RSA jobs.

Is there any possibility the RSA jobs are getting done by the "NSS
Internal PKCS #11 Module" that gets created automatically when we create
the DB?

It is clear from the previous mail that the certificates and keys are
stored in the card, only that the RSA jobs are not offloaded to the crypto
card. I can retrieve even using pktool giving my hardware keystore as
below.

bash-3.00# pktool list token=Military.602889 objtype=both
Enter pin for Military.602889:
Found 8 keys.
Key #1 - RSA private key:
Key #2 - RSA private key: sanCert
Key #3 - RSA private key:
Key #4 - RSA private key:
Key #5 - RSA private key:
Key #6 - RSA private key:
Key #7 - RSA private key: fips999
Key #8 - RSA private key:
Found 3 keys.
Key #1 - AES: VSAT_AES_KEY (1077504064 bits) 256 bits
Key #2 - AES: smc_encrptor (1077507264 bits) 256 bits
Key #3 - AES: smcAesEncryptor (1077506944 bits) 256 bits
Found 8 certificates.
1. (X.509 certificate)
        Label: ismc_cert
        ID: 4e:75:2a:9b:4a:76:c1:46:2d:9a:ec:76:de:16:17:e0:8d:07:ff:42
        Subject: CN=sandeeprc.eu.org
        Issuer: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority, emailaddress=supp...@cacert.org
        Serial: 0x0747A9
        X509v3 Subject Alternative Name:
                DNS:sandeeprc.eu.org, othername:<unsupported>
2. (X.509 certificate)
        Label: CACERT CA
        ID: c8:1e:42:ce:da:0b:c1:d6:5c:90:51:b0:eb:86:79:e2:9d:d6:c0:67
        Subject: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority, emailaddress=supp...@cacert.org
        Issuer: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority, emailaddress=supp...@cacert.org
        Serial: 0x00

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
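
Added example, not part of the original messages and not NSS or Sun code: a shell check for the condition discussed in this thread, namely whether a given token is listed under a PKCS #11 module in `modutil -list` output. The sample listing is constructed from the output quoted above, and the function names (`sample_listing`, `list_tokens`, `token_present`) are hypothetical.

```shell
# Constructed sample: the `modutil -list -dbdir .` output quoted in the message.
sample_listing() {
cat <<'EOF'
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded
         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services
         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
  2. Sun Crypto Accelerator
        library name: /usr/lib/libpkcs11.so
         slots: 2 slots attached
        status: loaded
         slot: Sun Metaslot
        token: Sun Metaslot
         slot: Sun Crypto Softtoken
        token: Sun Software PKCS#11 softtoken
-----------------------------------------------------------
EOF
}

# list_tokens: read a modutil listing on stdin, print "module|slot|token" rows.
# "slots: N slots attached" is skipped because the pattern requires "slot: ".
list_tokens() {
  awk '
    /^[ \t]*[0-9]+\. / { sub(/^[ \t]*[0-9]+\. /, ""); module = $0; next }
    /^[ \t]*slot: /    { sub(/^[ \t]*slot: /, "");    slot = $0;   next }
    /^[ \t]*token: /   { sub(/^[ \t]*token: /, "");   print module "|" slot "|" $0 }
  '
}

# token_present MODULE TOKEN: exit 0 only if TOKEN is listed under MODULE.
token_present() {
  list_tokens | awk -F'|' -v m="$1" -v t="$2" \
    '$1 == m && $3 == t { found = 1 } END { exit !found }'
}

# Demo on the sample; on a real host, pipe `modutil -list -dbdir .` in instead.
sample_listing | list_tokens
if sample_listing | token_present "Sun Crypto Accelerator" "Military.602889"; then
  echo "Military.602889 is listed as a token of the module"
else
  echo "Military.602889 is not listed: only Metaslot and softtoken are visible"
fi
```

On the sample the check reports the hardware keystore token as not listed, which matches the listing quoted in the thread.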