Christoph,

Interesting, I was trying to do a similar thing and posted to the group but got no reply. I've gotten partway down the road that Julien describes. Read on for more details.

Christoph Brueckner wrote:
> hi Julien,
>
> thanks for your reply.
>
> Julien Pierre wrote:
>
>> At this time softoken is still tied to NSS. It requires an
>> initialization string to be passed to C_Initialize. If you can make your
>> other applications pass that string, you might be able to use it.
>
> What is the syntax of that initialization string? I couldn't find any
> docs regarding an init string for C_Initialize. I guess this has something
> to do with telling softoken where the "key.db" and "cert.db" is located?

My suspicion was the same as yours so I searched through secmod.db and found a string containing the path to my profile since the module would certainly need this. I pulled out the string:

configdir='C:\\Documents and Settings\\jbj1\\Application Data\\Mozilla\\Profiles\\jens\\7zkdfliy.slt' certPrefix='' keyPrefix='' secmod='secmod.db' flags= manufacturerID='Mozilla.org' libraryDescription='PSM Internal Crypto Services' cryptoTokenDescription='Generic Crypto Services' dbTokenDescription='Software Security Device' cryptoSlotDescription='PSM Internal Cryptographic Services' dbSlotDescription='PSM Private Keys' FIPSSlotDescription='PSM Internal FIPS-140-1 Cryptographic Services' FIPSTokenDescription='PSM FIPS-140-1 User Private Key Services' minPS=0

This seemed to get me part of the way. Instead of CKR_ARGUMENTS_BAD I would then get a different error; I don't remember exactly which one now. I looked at the PSM source for a while but decided that before going on I would first try to see if it would be possible to get it to work. I posted my message to this list on 1/7 but nobody replied, so that's where I left it. I saw your message today and of course this rekindled my interest.


> Is this C_Initialize thing the only change which made softoken not fully PKCS#11 compatible? Are there any other things
> which make softoken not fully PKCS#11 compatible?

This was the main thing I was asking too. From looking at the source and the way it already perverted the CK_C_INITIALIZE_ARGS structure I was concerned there would be lots of other changes that I didn't want to deal with. I would love to hear an answer to this. I think the problem I was running into was with the synchronization. It didn't like it when I specified none and didn't seem to like it if I passed mutex functions either. Anyone?

>> softoken was written separately and isn't based on ckfw. Since it
>> implements nearly all functions in the specification, making softoken
>> use CKFW wouldn't make sense.

> Ok. But why do softoken and the builtin module only export the
> C_GetFunctionList function? I thought softoken and builtin are
> "real" PKCS#11 Modules. Why don't they export functions like
> C_Initialize, and all the other PKCS#11 functions directly? Instead softoken
> exports C_GetFunctionList, NSC_GetFunctionList, FC_GetFunctionList.
> What is the difference between these 3 functions?

Actually C_GetFunctionList is really all it needs to export. C_GetFunctionList gets you pointers to all the other functions. By the way I have had no trouble at all using the nssckbi.dll PKCS#11 module. This is the builtin module that stores all the root certs and it seems to behave like a proper PKCS#11 module just fine.

> My goal is to modify the softoken in terms of its private key
> handling. That's because I have a device which stores the private key
> securely and it performs some private key crypto operations.
> I want to make the secure device available through PKCS#11.
> So I thought of modifying the softoken, keeping all public key and
> public crypto operations and modifying all private key operations and
> storage calls to my secure device. So I don't have to spend much time to implement crypto operations like encrypt or verify, cert storage
> which can easily be done by the softoken.
> Is this a reasonable approach or am I totally wrong?

Ok, now things are a little clearer. Perhaps you might instead look at encapsulating OpenSSL to do the encryption? OpenSSL is truly a standalone library and though its interface is poorly documented I have used it on a couple of occasions and haven't had too much trouble getting things to work.

By the way, if you want to ultimately use this PKCS#11 module in Mozilla/Netscape you don't have to implement all the other encryption stuff at all. For example I have a Dallas Semiconductor Java iButton crypto token which has a PKCS#11 module. Its module implements all the attribute get/set and find stuff, initialization etc. but the only crypto it supports is C_WrapKey, C_UnwrapKey, C_GenerateKeyPair, and C_Sign. Mozilla is happy with this and just uses what it needs.


> best regards
>
> Christoph Brueckner
--
Jens B. Jorgensen
[EMAIL PROTECTED]
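The initialization string and the C_Initialize arguments discussed in this thread, as an added worked example; it is not part of the thread and not NSS's code. It parses a config string in the format of the one pulled out of secmod.db above (the parser is my own; treating a backslash inside quotes as an escape is modelled on that string and is an assumption as far as NSS's exact parser goes), lays out the NSS-extended CK_C_INITIALIZE_ARGS with its extra LibraryParameters member as I remember it from NSS's pkcs11t.h, and checks the locking rule that, as far as I recall, softoken enforces: mutex callbacks are only accepted together with CKF_OS_LOCKING_OK, otherwise C_Initialize fails with CKR_CANT_LOCK. The sample profile path is made up, and the struct layout should be verified against the headers you actually build with.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PARAMS 32
typedef struct { char name[64]; char value[512]; } cfg_param;
static int is_blank(char c) { return c == ' ' || c == '\t' || c == '\n'; }

/* Parse the secmod.db/softoken config string: whitespace-separated name=value
 * pairs; a value is bare, empty (flags=) or quoted with ' or ".  In quotes a
 * backslash escapes the next char, which is how the Windows path above got its
 * doubled backslashes (assumption: mirrors NSS's quoting; this parser is ours,
 * not NSS's).  Returns the number of pairs, or -1 on malformed input. */
int parse_softoken_config(const char *cfg, cfg_param *out, int max)
{
    const char *p = cfg; int n = 0;
    while (*p) {
        size_t len = 0; char quote = 0;
        while (is_blank(*p)) p++;
        if (!*p) break;
        if (n >= max) return -1;
        while (*p && *p != '=' && !is_blank(*p) && len + 1 < sizeof out[n].name)
            out[n].name[len++] = *p++;
        out[n].name[len] = '\0';
        if (*p++ != '=') return -1;            /* no '=' (or name too long) */
        if (*p == '\'' || *p == '"') quote = *p++;
        len = 0;
        while (*p) {
            if (quote && *p == quote) { quote = 0; p++; break; }
            if (!quote && is_blank(*p)) break;
            if (*p == '\\' && p[1]) p++;       /* keep the escaped character */
            if (len + 1 < sizeof out[n].value) out[n].value[len++] = *p;
            p++;
        }
        if (quote) return -1;                  /* unterminated quote */
        out[n].value[len] = '\0';
        n++;
    }
    return n;
}
/* Look up one parameter by name; NULL if absent. */
const char *config_get(const cfg_param *params, int n, const char *name)
{
    for (int i = 0; i < n; i++)
        if (strcmp(params[i].name, name) == 0) return params[i].value;
    return NULL;
}

/* What C_Initialize gets as pInitArgs.  NSS's CK_C_INITIALIZE_ARGS is not the
 * standard struct: a LibraryParameters member sits in front of pReserved and
 * softoken reads the config string through it (declared CK_CHAR_PTR *, used as
 * a char *).  Layout from memory of NSS's pkcs11t.h, an assumption to verify
 * against the real header.  The constants are the standard PKCS#11 values. */
typedef unsigned long CK_RV, CK_FLAGS;
typedef CK_RV (*CK_CREATEMUTEX)(void **), (*CK_MUTEXOP)(void *);
#define CKF_OS_LOCKING_OK 0x00000002UL
#define CKR_OK            0x00000000UL
#define CKR_CANT_LOCK     0x0000000AUL
typedef struct {
    CK_CREATEMUTEX CreateMutex;
    CK_MUTEXOP DestroyMutex, LockMutex, UnlockMutex;
    CK_FLAGS flags;
    char **LibraryParameters;
    void *pReserved;
} nss_init_args;

/* Locking rule softoken enforces, as far as I recall it (assumption): mutex
 * callbacks are accepted only together with CKF_OS_LOCKING_OK; otherwise
 * C_Initialize fails with CKR_CANT_LOCK.  Run this on your args first. */
CK_RV check_locking_args(const nss_init_args *a)
{
    int callbacks = a->CreateMutex || a->DestroyMutex || a->LockMutex || a->UnlockMutex;
    return (callbacks && !(a->flags & CKF_OS_LOCKING_OK)) ? CKR_CANT_LOCK : CKR_OK;
}
/* Arguments the way PSM/NSS loads softoken itself (assumption): no callbacks,
 * CKF_OS_LOCKING_OK, config string in LibraryParameters (same cast NSS uses).
 * The string must stay alive for the C_Initialize call. */
nss_init_args softoken_init_args(const char *config)
{
    nss_init_args a;
    memset(&a, 0, sizeof a);
    a.flags = CKF_OS_LOCKING_OK;
    a.LibraryParameters = (char **)config;
    return a;
}
static CK_RV noop_mutex(void *m) { (void)m; return CKR_OK; }  /* stand-in callback */

int main(void)
{
    /* Constructed sample in the format of the secmod.db string above, with a
     * made-up POSIX profile path. */
    const char *cfg = "configdir='/home/jens/.mozilla/profile' certPrefix='' "
                      "keyPrefix='' secmod='secmod.db' flags= minPS=0";
    cfg_param params[MAX_PARAMS];
    int n = parse_softoken_config(cfg, params, MAX_PARAMS);
    if (n < 0) { fprintf(stderr, "malformed config string\n"); return 1; }
    printf("%d params, configdir = %s\n", n, config_get(params, n, "configdir"));
    nss_init_args args = softoken_init_args(cfg);
    printf("PSM-style args: %s\n", check_locking_args(&args) == CKR_OK ? "ok" : "CKR_CANT_LOCK");
    args.flags = 0;
    args.LockMutex = noop_mutex;               /* callbacks without CKF_OS_LOCKING_OK */
    printf("callbacks only: %s\n", check_locking_args(&args) == CKR_OK ? "ok" : "CKR_CANT_LOCK");
    return 0;
}
```

The struct is what goes in as pInitArgs to the C_Initialize pointer obtained from C_GetFunctionList, which, as noted above, is the only export a caller really needs. Note that the empty flags= inside the string is a softoken parameter of its own and has nothing to do with the CKF_ bits in the struct; the CKR_CANT_LOCK case at the end of main is the combination (callbacks supplied, flag not set) that matches the synchronization trouble described in this thread.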

