Hello Klaus, again I've got stupid problems. I wanted to follow your instructions step by step, so I removed everything I had already built and installed about opencryptoki/pkcs11. I guess I had sort of multiple installations of the libraries on the disk, because Ubuntu already had that package installed before I built the one I got from SourceForge. So I started by removing the Ubuntu package with apt-get, then deleted everything I found.

After that, I downloaded the latest version of opencryptoki from the SourceForge page (opencryptoki 2.3.0, without ICA and so on...). I built it, and after starting pkcsslotd, no TPM token can be found using pkcsconf -s or -t. I can only see the softTok, so maybe there's something missing. But TCSD is still up and running, and I can "talk" to the TPM using the TSS commands.

With opencryptoki, I'm not even able to configure the softTok (Flags: 0xC80045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_LOCKED|SO_PIN_TO_BE_CHANGED)). I tried to change the SO PIN, since there's a flag saying "SO_PIN_TO_BE_CHANGED", but it doesn't work. I tried "87654321" and "12345678" to log in as "Security Officer" and change the SO PIN (pkcsconf -c 0 -P), but I get an error "Error logging in: 0xA4". Maybe it's because of the flag "SO_PIN_LOCKED", but I don't know why.

I'm still trying to get those things fixed, but I thought I'd give you some feedback before you think I gave up ^^

Marc
"Klaus Heinrich Kiwi" <kla...@linux.vnet.ibm.com> wrote in message news:mailman.1275.1251392984.4294.dev-tech-cry...@lists.mozilla.org...
Marc Kaeser wrote:
Hello Klaus,

I tried to find those software tokens so I can test where the problem comes from. Unfortunately I haven't been able to find that software "emulating" a token. You talk about ica_tok or swtok, but where can I find those software-tokens? Do they come with another module for Firefox? Google doesn't find anything about "ica_tok" and a search using "swtok" (by the way, does that name mean "software token"?) as string doesn't help very much.

Marc,

from my understanding, you were using opencryptoki as the PKCS#11 provider for NSS.

Opencryptoki provides a PKCS#11 layer for accessing cryptographic hardware that doesn't come with a native PKCS#11 interface (think of it as a 'translation' library).

In addition to a TPM token, opencryptoki also supports other token types:

 * ICA (IBM Cryptographic Accelerator) - aimed at s390x-specific hardware, but also supports software fallback since 1.3.9
 * CCA (Secure Key token) - same as ICA, but proprietary
 * software token - if I remember correctly, using OpenSSL

If I understand that correctly, I have to "load" another token into another slot (using swtok or ica_tok) to see if the cryptoki slot daemon finds it, and if it does, look if I can import the matching module in Firefox?

I'm not sure if opencryptoki as shipped by the distros has the software token enabled (I know Ubuntu has), but you could download the latest opencryptoki from https://sourceforge.net/projects/opencryptoki/ and build it with the software token enabled.

After that, make sure you have the software token configured correctly (that's usually done automatically by pkcs11_startup), initialize the token using pkcsconf (see help) and point Firefox to the PKCS#11 library ({prefix}/lib/pkcs11/PKCS11_API.so).

Tell us of your results.

 -Klaus

--
Klaus Heinrich Kiwi | kla...@br.ibm.com | http://blog.klauskiwi.com
Open Source Security blog : http://www.ratliff.net/blog
IBM Linux Technology Center : http://www.ibm.com/linux/ltc
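To make the pkcsconf output quoted above easier to read, here is an added helper (not code from the thread or from opencryptoki) that decodes the token flags word and the CK_RV error code against the PKCS#11 v2.20 constants, and points out which flag is missing before an SO login can succeed; the two sample lines are constructed in the shape Marc's output had.

```python
import re
# Added example, not from the thread: decode the token flags word and the
# CK_RV code that pkcsconf printed, using PKCS#11 v2.20 constants (pkcs11t.h).
TOKEN_FLAGS = {  # CK_TOKEN_INFO.flags bits
    0x00000001: "RNG", 0x00000002: "WRITE_PROTECTED",
    0x00000004: "LOGIN_REQUIRED", 0x00000008: "USER_PIN_INITIALIZED",
    0x00000020: "RESTORE_KEY_NOT_NEEDED", 0x00000040: "CLOCK_ON_TOKEN",
    0x00000100: "PROTECTED_AUTHENTICATION_PATH",
    0x00000200: "DUAL_CRYPTO_OPERATIONS", 0x00000400: "TOKEN_INITIALIZED",
    0x00000800: "SECONDARY_AUTHENTICATION",
    0x00010000: "USER_PIN_COUNT_LOW", 0x00020000: "USER_PIN_FINAL_TRY",
    0x00040000: "USER_PIN_LOCKED", 0x00080000: "USER_PIN_TO_BE_CHANGED",
    0x00100000: "SO_PIN_COUNT_LOW", 0x00200000: "SO_PIN_FINAL_TRY",
    0x00400000: "SO_PIN_LOCKED", 0x00800000: "SO_PIN_TO_BE_CHANGED",
}
RV_NAMES = {  # CK_RV values in the PIN-related range
    0xA0: "CKR_PIN_INCORRECT", 0xA1: "CKR_PIN_INVALID", 0xA2: "CKR_PIN_LEN_RANGE",
    0xA3: "CKR_PIN_EXPIRED", 0xA4: "CKR_PIN_LOCKED",
}

def decode_token_flags(flags):
    """Names of all set bits, lowest bit first; unknown bits reported as hex."""
    names, remaining = [], flags
    for bit, name in sorted(TOKEN_FLAGS.items()):
        if flags & bit:
            names.append(name)
            remaining &= ~bit
    if remaining:
        names.append("UNKNOWN(0x%x)" % remaining)
    return names

def parse_hex(line, label):
    """Pull the hex value that follows 'label' in a pkcsconf output line."""
    m = re.search(re.escape(label) + r"\s*(0x[0-9A-Fa-f]+)", line)
    return int(m.group(1), 16) if m else None

def login_diagnosis(flags, rv):
    """Explain a failed SO login from the token flags plus the return code."""
    bits = decode_token_flags(flags)
    rv_name = RV_NAMES.get(rv, "0x%X" % rv)
    if "TOKEN_INITIALIZED" not in bits:  # C_InitToken has not run yet
        return rv_name + ": TOKEN_INITIALIZED clear, initialize the token first"
    if rv == 0xA4 and "SO_PIN_LOCKED" in bits:
        return rv_name + ": SO PIN locked, SO login to the token is not possible"
    return rv_name

# Constructed sample lines in the shape pkcsconf printed in the thread
FLAGS_LINE = "Flags: 0xC80045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|...)"
ERROR_LINE = "Error logging in: 0xA4"
```

Running `login_diagnosis(parse_hex(FLAGS_LINE, "Flags:"), parse_hex(ERROR_LINE, "Error logging in:"))` on the quoted values reports CKR_PIN_LOCKED with TOKEN_INITIALIZED clear, i.e. the token initialization step Klaus mentions has not happened yet.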


--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto