Carlos Cid wrote:
> Hello there,
>
> We have been working on the development of a hardware accelerator to work
> with Netscape/iPlanet products and I have two questions :
>
> 1) We have been able to hack NSS in order to make it use the functions we
> provide instead. In the early stages of development we wish to test it with
> iPlanet servers. Is it possible to "substitute" Netscape built-in NSS by
> ours ? We thought it would be a matter of relinking the libraries, but we
> were unable to find the original ones. And even if we can add our NSS to
> netscape (or iPlanet servers), how can we be sure that it is in fact using
> our libraries and not the native ones ?

For all the current shipping servers, no. Because of old export rules
NSS had to be statically bound into the application. Those rules changed
recently and new versions of the various servers will begin to ship with
DLL based versions of NSS. From a product perspective, it would be best
if you didn't have to replace NSS, but use the standard mechanisms built
into NSS for extensions (PKCS #11). If you find bugs in this code, it's
best to feed those bugs back to mozilla so the future Server products
will have fixes.
>
> 2) Our aim is to develop a PKCS#11 module for our product. Would we be able
> to obtain such module from NSS ? I mean, have only the PKCS#11 libraries
> "extracted" from NSS, without all the other stuff (or at least a base for
> the module), and then adding it as a PKCS#11 module to the server using
> modutil ? If yes, how ? Someone has already asked a similar question, but
> the answer was not very clear (it was just said that it was possible).

There are a couple of places where NSS builds PKCS #11 modules, two of
them for standalone external modules and one for internal use. The ckfw
directory is the start of a generic PKCS #11 framework to allow vendors
to drop in their specific functions without dealing with PKCS #11
parsing. It's currently only implemented for PKCS #11 modules which just
provide objects, but it could make an interesting basis to start. The
second stand alone module is the FORTEZZA module in libfort. The final
piece is our internal PKCS #11 module, which you can find in softoken.
In addition I believe there is a GNU licensed version of a PKCS #11
framework. A good place to ask about this would be the cryptoki mailing
list. ([EMAIL PROTECTED])

There are a number of vendors who are already shipping PKCS #11 modules
which work with the NSS in Communicator, PSM, and the various 4.X
servers. You should be able to do your replacement stuff without hacking
NSS (though having the source code can help answer questions when your
PKCS #11 module mysteriously fails to load!)

bob
>
> Thanks a lot
>
>
> Carlos