REGIBEAU Julien wrote:
>
> Hello all,
>
> I'm currently using NSS with a Baltimore PKCS#11 compliant hardware. I would
> like to sign a message with the private key that resides on this hardware.
> It works perfectly with NSS 3.2.1 but not with NSS 3.6.0.
> After some investigations, I've found that the problem comes from the
> function "pk11_getcerthandle" (the high level call is "SEC_PKCS7Encode").
> This function is different in NSS 3.6.0 than in 3.2.1 (you can see the
> differences in the code below).
> The behavior of this function is quite strange, the first time it returns 0
> (failed) and then, if we immediately re-run the function, it works perfectly
> ! (because of this instruction: cert->series = slot->series;)
>
> So, my questions are:
> - why is the code different in NSS 3.6 ?
> - what's the meaning of cert->series and slot->series ?

slot->series is a counter maintained by NSS. It counts the number of times
that the token was removed and/or reinserted into the slot/reader. The
removal/reinsertion is detected based on values returned by the PKCS 11
module to certain PKCS11 function calls into that module.

cert->series is the slot's series number that was current at the time that
the cert's handle was taken from the slot/token.

If the token has been removed and reinserted since the cert's handle was
last obtained, then the previously obtained handle value is invalid, and a
new value must be obtained. The code detects that the token has been
removed/reinserted since the handle was last obtained by comparing the
slot's current series number with cert->series. If the two do not match,
then a new handle is fetched from the token, and the cert's series number
is updated.

The older code appears to have been incorrect. It failed to detect the
series mismatch, and so sometimes used a stale handle. That has been
apparently corrected.

I'd guess that your PKCS 11 module is behaving in a way that appears to
indicate the removal and/or reinsertion of the token, which then forces the
handle to be refetched. But this shouldn't cause a failure. The new handle
simply should be fetched and the operations should continue.

> The modification appears in the file 'pk11cert.c' between the version 1.82
> and 1.83. The author of this modification is Bob Relyea.

Maybe Bob will add some comments here.

> Thanks in advance !
> Julien

--
Nelson Bolyard
Disclaimer: I speak for myself, not for Netscape
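
The series comparison described in the reply above, as a small C model added here; it is not NSS source and not part of either message. Every name in it (toy_slot, toy_cert, toy_get_handle and the rest) is hypothetical, and the token is simulated by a counter.

```c
/* Added illustration, not NSS source. All names are hypothetical. */
#include <stdio.h>

typedef unsigned long obj_handle;   /* stands in for a PKCS#11 object handle */
#define INVALID_HANDLE 0UL

struct toy_slot {
    int series;        /* bumped whenever removal/reinsertion is detected */
    obj_handle base;   /* handles at or below this value are dead */
};
struct toy_cert {
    struct toy_slot *slot;
    obj_handle handle; /* cached handle */
    int series;        /* slot->series at the time the handle was taken */
};

/* The module reports that the token was removed and reinserted. */
void toy_token_reinserted(struct toy_slot *s) { s->series++; s->base += 100; }

/* Would the simulated token still accept this handle? */
int toy_handle_is_live(const struct toy_slot *s, obj_handle h) { return h > s->base; }

/* Stand-in for searching the token for the certificate object. */
obj_handle toy_find_on_token(const struct toy_slot *s) { return s->base + 1; }

/* Failure mode from the reply: no series comparison, so a stale handle is reused. */
obj_handle toy_get_handle_nocheck(struct toy_cert *c) {
    if (c->handle == INVALID_HANDLE) {
        c->handle = toy_find_on_token(c->slot);
        c->series = c->slot->series;
    }
    return c->handle;
}

/* Series comparison: refetch when the slot has moved on, then resync. */
obj_handle toy_get_handle(struct toy_cert *c) {
    if (c->handle == INVALID_HANDLE || c->series != c->slot->series) {
        c->handle = toy_find_on_token(c->slot);
        c->series = c->slot->series;
    }
    return c->handle;
}

int main(void) {
    struct toy_slot s = {1, 0};
    struct toy_cert a = {&s, INVALID_HANDLE, 0}, b = a;
    toy_get_handle_nocheck(&a); toy_get_handle(&b);   /* both cache a handle */
    toy_token_reinserted(&s);
    printf("nocheck live=%d, checked live=%d\n",
           toy_handle_is_live(&s, toy_get_handle_nocheck(&a)),
           toy_handle_is_live(&s, toy_get_handle(&b)));
    return 0;
}
```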
