On 2009-09-01 06:00 PDT, Klaus Heinrich Kiwi wrote: > On 08/31/2009 11:07 PM, Nelson B Bolyard wrote: >> On 2009-08-31 14:49 PDT, Klaus Heinrich Kiwi wrote: >>> Is it possible/feasible to configure NSS to use an external PKCS#11 >>> provider and run the test suite to check if everything is running fine? >> Yes, certainly. First, tell us >> 1) what crypto functions you expect to offload to the external PKCS#11 >> module, > > openCryptoki is a generic API that can support multiple hardware types, > so essentially every mechanism supported by PKCS#11 v2.01. > > In my specific case (for my specific token type): > > * CKM_RSA_* and CKM_DSA_* mechanisms (generate key pair, encrypt, > decrypt, wrap, unwrap, verify..) > > * CKM_DES[3]* mechanisms (generate keys, encrypt, decrypt, wrap, unwrap) > > * CKM_SHA*, CKM_MD2* and CKM_MD5* mechanisms (digest) > > * CKM_AES* mechanisms (encrypt, decrypt, wrap, unwrap, sign, verify...) > > * CKM_SSL3* mechanisms > >> 2) what PKCS#11 "mechanisms" are supported by the module > answered above > >> 3) Does the module store certificates and private keys? > yes > >> 4) Is the module willing to input and output unwrapped symmetric key values? > yes, but we'd also like to test the wrapped-key case (for another token > type)
OK, so I presume that you have some program that already knows how to use NSS as an SSL client or SSL server. Perhaps it is Firefox? That program undoubtedly has a set of NSS .db files, including (probably) secmod.db, cert8.db and key3.db. secmod.db tells NSS about all the PKCS#11 modules that it must load to perform its tasks. It is queried and modified using the NSS utility program modutil. Firefox also has a GUI preferences panel for this purpose. You add your PKCS#11 module to the set of known PKCS#11 modules, specifying the path name of the PKCS#11 module shared library, and giving the module a recognizable module display name. If you're operating a server, you need to put your private key and corresponding certificate into your (hardware or software) token, and you need to tell your server to use the certificate found in that token. The exact method depends on the server program, but identifying certs by their token names and CKA_LABEL attribute strings is common. If your module does all of the mechanisms that NSS needs, then that is about all that you need to do for a server. For a client, you may need to do more to tell NSS to prefer performing operations in your token rather than in NSS's software token. This is all done through the modutil program. I can't help you more than that until I know more about your specific situation. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
