Hi there, I am testing out the NSS 3.8 PKCS#11 Soft Token, and have managed
to load it correctly and initialise it correctly.
Congratulations! You've gotten farther than most folks who post here for the first time.
However I note from the returned flags of C_GetTokenInfo that the token is write protected, and this is obviously why my calls to C_GenerateKey are failing with CKR_TOKEN_WRITE_PROTECTED.
As you've (no doubt) noticed, there are two tokens (in two slots) being emulated by the softken module. One token, the "Generic Crypto Services" token, has no long-term storage and so it cannot import/derive/generate any "token objects" (objects with the CKA_TOKEN attribute set to true).
The other token, the "Certificate DB" token, has DBs for long term storage of keys and certs, and it can import/derive/generate *some* token objects. Specifically, certs and public and private keys can be token objects. Symmetric keys and "generic secrets" cannot be token objects on that token, if I recall correctly. (This capability may have been added, but I don't recall it.)
CKR_TOKEN_WRITE_PROTECTED and CKF_WRITE_PROTECTED refer to token objects, not to "session objects" (objects woth CKA_TOKEN set to false).
So, I gather that you were trying to create a triple-DES key as a token object. You were using the "Generic Crypto Services" token, which cannot have any token objects.
Could someone please tell me how I remove the write protection from the token? Is it necessary for me to login to the "NSS Certificate DB" token to do this?
Your choices are: (a) try to generate a session object, or (b) try to generate a token object in the "Certificate DB" token (which might work).
Here is the debug out from my application -
You did a great job of presenting your situation! Did you devise a tool to do that? or did you use some known tool?
> does anyone know what the
"Unknown" token flag 0x8000 is, that is returned by C_GetTokenInfo?
Yes. CKF_THREAD_SAFE. It's a non-standard flag. You won't find it in the official PKCS11 header files. It means that the token supports multiple crypto operations in parallel (on separate sessions, of course) from multiple threads. Many pkcs11 modules require the calling application to not do more than one pkcs11 call at a time on a slot. They require the application to single-thread calls, using a mutual exclusion device (lock) if it is multi-threaded. The upper layers of NSS, above/outside of PKCS11 (which you're apparently not using) will single-thread calls to a slot UNLESS the token claims to be CKF_THREAD_SAFE. You can safely ignore this flag.
-- Nelson B
_______________________________________________ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
