On 10/21/2009 12:30 PM, Marc Kaeser wrote:
> Hello,
>
> I've got the following problem: I need nsSDR.cpp to use another pkcs11
> module instead of the built in software one, in order to store the
> encryption keys on another crypto-token than the built in software one.
>
> in nsSDR.cpp, the 3 functions Encrypt(), Decrypt() and
> ChangePassword() use
> PK11SlotInfo * PK11_GetInternalModule();
>
> I'd like to modify those 3 functions so they use another module. I've
> tried to use
> PK11SlotInfo * PK11_FindSlotByName (const char *name), but I don't
> really know how to tell nsSDR to use the right module, slot and after
> that the right token. Does anybody have experience with those pkcs11
> tools?
You will need to provide a patch for NSS. A big deficiency of PK11SDR is
the lack of ability to select the slot which is acted on. The Encrypt
changes would be realitively simple.
For PK11SDR_Encrypt(), you should remove the
slot = PK11_GetInternalKeySlot();
if (!slot) { rv = SECFailure; goto loser; }
and
if (slot) PK11_FreeSlot(slot);
lines from your new function, and have it take the slot as a parameter.
The new function should have a new name PK11SDR_EncryptOnSlot(), and the
old function should get the internal slot and call the new function
(this will allow old apps to continue to work).
PK11SDR_Decrypt is another matter. It probably makes sense to always try
the other slots if we couldn't find the key, or decrypt the result in
the softoken. I certainly believe we at least need some function that
has this semantic (search all the tokens for the desired key), whether
that function is PK11SDR_Decrypt or not (or whether or not we provide a
function in which the application knows which slot, so it checks only
that slot) is a matter for debate. My initial thought would be provide a
new PK11SDR_DecryptOnSlot(). This takes an optional slot. If the Slot is
provided, only that slot would be searched for the required key. If no
slot is provided, then "all" slots are searched for the key.
PK11SDR_Decrypt would then call PK11SDR_DecryptOnSlot() with softoken.
Decrypt is clearly trickier than encrypt.
The low level change password call already accepts a slot:
PK11_ChangePW(PK11SlotInfo *slot, const char *oldpw, const char *newpw)
bob
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
