On 07/10/2014 01:28 AM, ramahmoo wrote:
> I have a requirement where TLS client auth has to be done by client
> certificate which is provided by a web-service (which in turn has access to
> smart cards at central server location). To achieve this I want a custom
> PKCS#11 crypto module that calls web service to get client certificate.
> After searching all over I found this could be possible with NSS in cross
> platform fashion. Using Firefox only is not a problem. Can I extend the
> existing internal softtoken implementation to achieve the above? If yes
> which methods have to be overridden. If no, from where should I start? What
> about pin management in this case? I am newbie to PKCS#11 :) Thanks for your
> help.

The plug-in interface for this kind of thing is PKCS #11. The current version of the PKCS #11 spec is available here:


     Docs

https://www.oasis-open.org/news/announcements/30-day-public-review-for-pkcs11-committee-specification-and-committee-note-drafts

It's a draft OASIS spec which is almost through the OASIS process.

A short primer on implementing PKCS #11 for NSS is here:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/PKCS11_Implement

A supplemental FAQ is here:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/PKCS11/FAQ


     Samples

NSS code includes a toolkit for building PKCS #11 modules: nss/lib/ckfw. Under that directory are 3 examples:
nss/lib/ckfw/builtins - used to supply the builtin root certs.
nss/lib/ckfw/capi - used to access keys and certs stored in Microsoft CAPI on Windows.
nss/lib/ckfw/nssmkey - used to access keys and certs in the MacOS keyring.
You can browse these sources at: http://lxr.mozilla.org/nss/source/lib/ckfw/

The open-c project also has some tools and a helper library available here: http://lxr.mozilla.org/nss/source/lib/ckfw/

--
View this message in context: 
http://mozilla.6506.n7.nabble.com/NSS-Custom-Crypto-Module-tp319226.html
Sent from the Mozilla - Cryptography mailing list archive at Nabble.com.


-- 
dev-tech-crypto mailing list
https://lists.mozilla.org/listinfo/dev-tech-crypto
