Re: Firefox PSM locks NSS

Thu, 13 Jan 2011 04:00:11 -0800 

Hiya,

I've tried the same test with Chromium and it worked correctly as Wan-Teh said. 
The database does not get locked.

My Firefox profile NSS files are soft links to the shared ones, as explained in 
the NSS Shared Howto document
https://wiki.mozilla.org/NSS_Shared_DB_Howto

Could it be a matter of my pkcs11.txt configuration? I've built everything with 
the modutils tool (create new database, add opensc module for my smartcard and 
set FRIENDLY flag) but maybe Firefox needs some other flag not to get locked 
that I've not considered.

<pre>
$ cat ~/.pki/nssdb/pkcs11.txt 
library=
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:.' certPrefix='' keyPrefix='' secmod='' flags= 
updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' 
updateTokenDescription='' 
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 
slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]
 askpw=any timeout=30})

library=./libnssckbi.so
name=Root Certs
NSS=trustOrder=100    

library=/usr/lib/opensc/opensc-pkcs11.so
name=izenpe
NSS=slotParams={0x00000000=[slotFlags=PublicCerts ] 
0x00000001=[slotFlags=PublicCerts rootFlags=hasRootTrust] 
0x00000002=[slotFlags=PublicCerts ] 0x00000003=[slotFlags=PublicCerts ] 
0x00000004=[slotFlags=PublicCerts ] 0x00000005=[slotFlags=PublicCerts ] 
0x00000006=[slotFlags=PublicCerts ] 0x00000007=[slotFlags=PublicCerts ] 
0x00000008=[slotFlags=PublicCerts ] 0x00000009=[slotFlags=PublicCerts ] 
0x0000000a=[slotFlags=PublicCerts ] 0x0000000b=[slotFlags=PublicCerts ] 
0x0000000c=[slotFlags=PublicCerts ] 0x0000000d=[slotFlags=PublicCerts ] 
0x0000000e=[slotFlags=PublicCerts ] 0x0000000f=[slotFlags=PublicCerts ] }  
</pre>

____

I had to activate the FRIENDLY flag in order Chrome to correctly obtain the 
smartcard's certificate. I'm new to Chrome so maybe there's another way to do 
this. Firefox doesn't require it and asks for the PIN.

Irune Prado :: Zylk.net
-----------------------------------------
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Reply via email to