Hello!
Hey Aleksey, Good to hear from you again. Still working on XMLDsig?
I wonder if there is a way to specify which slot will be returned
by PK11_GetBestSlot() function for a given mechanism.
> Yes, there is.
I have found PK11_UpdateSlotAttribute/PK11_ClearSlotList functions which seem to be doing what I want. But they are not listed in the "official" NSS 3.4 functions list
http://www.mozilla.org/projects/security/pki/nss/nss-3.4/nss-3.4-functions.html
Please ignore that *old* list. The real list of public NSS functions is found in these files (one per shared lib):
http://lxr.mozilla.org/security/source/security/nss/lib/nss/nss.def
http://lxr.mozilla.org/security/source/security/nss/lib/ssl/ssl.def
http://lxr.mozilla.org/security/source/security/nss/lib/smime/smime.def
http://lxr.mozilla.org/security/source/security/nss/lib/softoken/softokn.def
thus I am not sure if it is a good idea to use them or just create a list of "best" slots on the application level and use it instead.
I think the answer is: none of the above.
NSS has a database known as "secmod.db" which contains configuration
information about the various PKCS11 modules and slots. In that DB
you can tell NSS which module(s) and/or slot(s) is/are preferred
for any algorithm. That info will directly affect the results of PK11_GetBestSlot and PK11_GetBestSlotMultiple. You do it by telling
NSS to use that module (or module+slot) as the default (or one of the
defaults) for that "mechanism" (algorithm).
To modify that DB, you can use the NSS command line tool modutil.
modutil (no options) gives you a detailed usage message.
modutil -dbdir DB -list (where DB is the name of the directory containing secmod.db) will show you a summary of the contents of the secmod.db, showing some info about each PKCS11 module, and each slot and token in each module.
modutil -dbdir DB -list "module name" (where "module name" is the name of the module as displayed above) will show you details about the named module and each of its slots and tokens. The list of "default" mechanisms for the module and each of its tokens is shown as "Mechanism Flags".
modutil -dbdir DB -default "module name" -mechanisms LIST
modutil -dbdir DB -default "module name" -mechanisms LIST -slot "SLOT"
is how you set the list of default mechanisms on a module or slot. SLOT is a Token name (not slot name) as listed by modutil -list. Mechanism lists are colon-separated. The following mechanisms are recognized: RSA, DSA, RC2, RC4, RC5, DES, DH, FORTEZZA, SHA1, MD5, MD2, SSL, TLS, RANDOM, FRIENDLY
example:
modutil -dbdir DB -default "NSS Internal PKCS #11 Module" \
    -slot "NSS Certificate DB" -mechanisms \
    "RSA:DSA:RC4:DES:DH:SHA1:MD5:MD2:SSL:TLS:RANDOM:FRIENDLY"
Multiple modules and/or slots can be marked as defaults for any of those mechanisms.
"FRIENDLY" is not a real mechanism, but rather tells NSS that this module or slot does not require the user to be logged in before seeing the token's internally-stored certificates.
Thanks, Aleksey Sanin
Hope this helps.
--
Nelson B
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto
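A small POSIX shell helper, added here as an example and not part of the thread or of NSS itself, that checks a colon-separated mechanism list against the names modutil recognizes (as listed in the reply above) and prints the matching modutil -default command for a module or one of its tokens. The DB directory is a placeholder; module and token names are the ones from the reply's example.

```shell
#!/bin/sh
# Added example: compose and sanity-check a "modutil -default" command line.
# Assumptions: /path/to/db is a placeholder for the directory holding secmod.db;
# module and token names come from the reply's own example.

# Mechanism names modutil recognizes for -mechanisms, per the reply above.
KNOWN_MECHS="RSA DSA RC2 RC4 RC5 DES DH FORTEZZA SHA1 MD5 MD2 SSL TLS RANDOM FRIENDLY"

# validate_mechs LIST
# Returns 0 when LIST is non-empty and every colon-separated item is a known
# mechanism; otherwise prints the first offending item to stderr and returns 1.
validate_mechs() {
    [ -n "$1" ] || { echo "empty mechanism list" >&2; return 1; }
    old_ifs=$IFS
    IFS=:
    set -- $1          # split the list on ':' only (lists are colon-separated)
    IFS=$old_ifs
    for m in "$@"; do
        case " $KNOWN_MECHS " in
            *" $m "*) ;;
            *) echo "unrecognized mechanism: $m" >&2; return 1 ;;
        esac
    done
    return 0
}

# modutil_default_cmd DBDIR MODULE MECHS [TOKEN]
# Prints the modutil command that marks MODULE (or, when TOKEN is given, that
# token of MODULE) as a default for MECHS. TOKEN is a token name as shown by
# "modutil -dbdir DBDIR -list", not a slot name.
modutil_default_cmd() {
    dbdir=$1; module=$2; mechs=$3; token=$4
    validate_mechs "$mechs" || return 1
    if [ -n "$token" ]; then
        printf 'modutil -dbdir "%s" -default "%s" -slot "%s" -mechanisms "%s"\n' \
            "$dbdir" "$module" "$token" "$mechs"
    else
        printf 'modutil -dbdir "%s" -default "%s" -mechanisms "%s"\n' \
            "$dbdir" "$module" "$mechs"
    fi
}

# Usage: print the command for the reply's example (placeholder DB path).
modutil_default_cmd /path/to/db "NSS Internal PKCS #11 Module" \
    "RSA:DSA:RC4:DES:DH:SHA1:MD5:MD2:SSL:TLS:RANDOM:FRIENDLY" "NSS Certificate DB"
```

Pipe the printed command to sh only after confirming the module and token names against the -list output, since modutil matches them literally.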
