"Nelson B" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Andy Duplain wrote:
> > Hi there, I am testing out the NSS 3.8 PKCS#11 Soft Token, and have managed
> > to load it correctly and initialise it correctly.
>
> Congratulations!
> You've gotten farther than most folks who post here for the first time.

:) Thanks - it wasn't easy figuring out what was going on.

> > However I note from the
> > returned flags of C_GetTokenInfo that the token is write protected, and this
> > is obviously why my calls to C_GenerateKey are failing with
> > CKR_TOKEN_WRITE_PROTECTED.
>
> As you've (no doubt) noticed, there are two tokens (in two slots) being
> emulated by the softoken module. One token, the "Generic Crypto Services"
> token, has no long-term storage and so it cannot import/derive/generate
> any "token objects" (objects with the CKA_TOKEN attribute set to true).
>
> The other token, the "Certificate DB" token, has DBs for long term storage
> of keys and certs, and it can import/derive/generate *some* token objects.
> Specifically, certs and public and private keys can be token objects.
> Symmetric keys and "generic secrets" cannot be token objects on that token,
> if I recall correctly. (This capability may have been added, but I don't
> recall it.)
>
> CKR_TOKEN_WRITE_PROTECTED and CKF_WRITE_PROTECTED refer to token objects,
> not to "session objects" (objects with CKA_TOKEN set to false).
>
> So, I gather that you were trying to create a triple-DES key as a token
> object. You were using the "Generic Crypto Services" token, which cannot
> have any token objects.

Yes, that's what I'm trying to do.

> > Could someone please tell me how I remove the write protection from the
> > token? Is it necessary for me to login to the "NSS Certificate DB" token to
> > do this?
>
> Your choices are: (a) try to generate a session object, or (b) try to
> generate a token object in the "Certificate DB" token (which might work).

OK, I'll give that a try. Presumably I have to use C_Login to gain write
access to that token? I have written another mini test program and login to
that token, which succeeds; however, the token still has CKF_WRITE_PROTECTED
set from C_GetTokenInfo.

> > Here is the debug out from my application -
>
> You did a great job of presenting your situation! Did you devise a tool
> to do that? or did you use some known tool?

Thanks. We are using a hardware security module and used to link directly to
the supplier's PKCS#11 library DLL - I wrote a simple wrapper module that can
do different initialisation depending on registry settings (i.e. provide the
NSS config strings or not). I just added some debug output to selected API
functions in order to figure out what was going wrong.

> > does anyone know what the
> > "Unknown" token flag 0x8000 is, that is returned by C_GetTokenInfo?
>
> Yes. CKF_THREAD_SAFE. It's a non-standard flag. You won't find it in the
> official PKCS11 header files. It means that the token supports multiple
> crypto operations in parallel (on separate sessions, of course) from
> multiple threads. Many pkcs11 modules require the calling application to
> not do more than one pkcs11 call at a time on a slot. They require the
> application to single-thread calls, using a mutual exclusion device (lock)
> if it is multi-threaded. The upper layers of NSS, above/outside of PKCS11
> (which you're apparently not using) will single-thread calls to a slot
> UNLESS the token claims to be CKF_THREAD_SAFE. You can safely ignore this
> flag.

Cheers. Thanks for your feedback - I was beginning to give up hope of getting
it working.

All the best,
Andy.

_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
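As an added example (my own code, not from the thread or from NSS) of the distinction Nelson draws: the C_GenerateKey template requests a 3DES *session* object (CKA_TOKEN = false) whenever C_GetTokenInfo reports CKF_WRITE_PROTECTED, so the Generic Crypto Services token does not refuse it with CKR_TOKEN_WRITE_PROTECTED, and the non-standard 0x8000 flag is decoded as CKF_THREAD_SAFE. The constants are the standard pkcs11t.h values repeated inline so the snippet compiles without the header (CKF_THREAD_SAFE's value is taken from the thread); the struct and function names are mine.

```c
/* Standard PKCS#11 values (pkcs11t.h), repeated so this compiles without the
 * header. CKF_THREAD_SAFE (0x8000) is the non-standard NSS flag from the thread. */
typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
enum { CK_FALSE = 0, CK_TRUE = 1 };
enum { CKF_WRITE_PROTECTED = 0x2, CKF_LOGIN_REQUIRED = 0x4, CKF_THREAD_SAFE = 0x8000 };
enum { CKA_CLASS = 0x0, CKA_TOKEN = 0x1, CKA_KEY_TYPE = 0x100,
       CKA_ENCRYPT = 0x104, CKA_DECRYPT = 0x105 };
enum { CKO_SECRET_KEY = 0x4, CKK_DES3 = 0x15, CKM_DES3_KEY_GEN = 0x131 };

/* The attribute values must outlive the template that points at them, so the
 * storage and the CK_ATTRIBUTE array live in one struct (my own helper type). */
typedef struct {
    CK_ULONG cls, keytype;
    CK_BBOOL token, yes;
    CK_ATTRIBUTE attrs[5];
} des3_gen_template;

/* CKF_WRITE_PROTECTED only forbids *token* objects (CKA_TOKEN = true). A
 * write-protected token such as "Generic Crypto Services" can still hold
 * session objects, so on such a token we ask for CKA_TOKEN = false. */
CK_BBOOL des3_token_attr(CK_ULONG token_flags) {
    return (token_flags & CKF_WRITE_PROTECTED) ? CK_FALSE : CK_TRUE;
}

/* Fill the template for C_GenerateKey(hSession, &mech, t->attrs, 5, &hKey)
 * where mech.mechanism == CKM_DES3_KEY_GEN. Returns the attribute count. */
CK_ULONG build_des3_template(CK_ULONG token_flags, des3_gen_template *t) {
    t->cls = CKO_SECRET_KEY;
    t->keytype = CKK_DES3;
    t->yes = CK_TRUE;
    t->token = des3_token_attr(token_flags);   /* session vs token object */
    t->attrs[0] = (CK_ATTRIBUTE){ CKA_CLASS,    &t->cls,     sizeof t->cls };
    t->attrs[1] = (CK_ATTRIBUTE){ CKA_KEY_TYPE, &t->keytype, sizeof t->keytype };
    t->attrs[2] = (CK_ATTRIBUTE){ CKA_TOKEN,    &t->token,   sizeof t->token };
    t->attrs[3] = (CK_ATTRIBUTE){ CKA_ENCRYPT,  &t->yes,     sizeof t->yes };
    t->attrs[4] = (CK_ATTRIBUTE){ CKA_DECRYPT,  &t->yes,     sizeof t->yes };
    return 5;
}

/* The "Unknown" 0x8000 bit in C_GetTokenInfo flags is NSS's CKF_THREAD_SAFE:
 * the token accepts concurrent calls on separate sessions. Safe to ignore. */
int token_is_thread_safe(CK_ULONG token_flags) {
    return (token_flags & CKF_THREAD_SAFE) != 0;
}
```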
