On 2009-11-20 10:56 PST, Kai Chan wrote:
> Thanks for the clarification. So, by calling CERT_GetDefaultCertDB(), I
> get a handle to some type of pseudo-certificate database when
> initializing with NSS_NoDB_Init?

Yes. You get a handle to a "pseudo cert DB" (actually, a trust domain) regardless of which way you initialize NSS. As you know, NSS is now in its third major release (3.x) and this third release uses PKCS#11 modules for all crypto and for all key and cert storage. Older major versions of NSS did not use PKCS#11 for cert storage but instead directly accessed the cert DB. The function CERT_GetDefaultCertDB is a holdover from NSS 1.x and is preserved for backward binary and API compatibility, but it no longer actually returns a real DB handle. Now, it returns a handle of another type, and all the functions that expect to receive that handle expect to receive a handle of that type.

> Does this guarantee that any key material stays inside a third-party PKCS
> #11 module during certificate and cryptographic operations?

Yes.

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto