On 07/12/2010 09:54 AM, Antti Andreimann wrote:

You'll find https://developer.mozilla.org/en/PKCS11_Implement helpful in dealing with PKCS #11 and NSS. It's a bit dated, but it provides a minimum set (something that will work with even ancient versions of the browser).

> PKCS#11 implementation in Mozilla is broken in many ways:
> 1. It doesn't like when slots disappear
>
When the code was implemented, slots were only allowed to grow, not disappear. I suspect a simple change to UpdateSlotList may fix this, as long as you are prepared to deal with old slot numbers sent to you without crashing (returning an error is fine). As Dave pointed out, writing bugs upstream would be a good way to get these fixed.

> 2. It breaks when module initially exposes zero slots
>
I would be happy to review any patches you may have that fix this issue; the source is in mozilla/security/nss/pk11wrap. My guess is you may only need to have SECMOD_HasRemovableSlots() return true if mod->slotCount == 0 (pk11util.c).

> 3. It doesn't set its slot flags (eg. friendly) for all slots,
> but only for those that were visible when the security module was
> loaded from JavaScript. New slots get default flags, which can be
> wrong.
>
That's on purpose. Most tokens out of the box do not meet the requirements of 'Publicly readable certs'. The rules for this can be found buried in the strings document (I thought it was in the PKCS #11 faq, but I didn't see it there):
*PublicCerts* - The certificates on this token can be read without
authenticating to this token, and any user certs on this token have
a matching public key which is also readable without authenticating.
Setting this flag means NSS will not try to authenticate to the
token when searching for Certificates. This removes spurious
password prompts, but if incorrectly set it can also cause NSS to
miss certificates in a token until that token is explicitly logged in.
Most tokens fail to provide a matching public key with the cert, so
setting the flag will result in the token appearing to contain no user
certs.
It's unfortunate that the mozilla UI has removed the ability to tweak
these flags, and you need to use JavaScript or external applications to
set these flags.
> These are the exact reasons why the original "virtual slot" system was
> implemented. It's best not to mess around with the slot count when
> dealing with NSS in the first place.
>
The original version of PKCS #11 didn't allow you to mess with the slots
on the fly in any case. There is a very specific protocol in the spec
that explains when you can change the slot count (This has to do with
the way PKCS #11 is specified, since you need to get the slot count
first then get the list of slots. If you
> What happened to the previous "working" virtual slot implementation?
> When using PKCS#11, who cares about the "real" physical readers anyway?
> Why not just expose a number of empty slots and then fill them with
> tokens as they are inserted.
This is certainly safer for many implementations. Not all NSS apps
bother to call UpdateSlotList(), so even if you make the above changes,
NSS will never see the new slots.
> "onepin-pkcs11" to "firefox-sucks-pkcs11" and please do not touch those
> hacks until the bloody NSS has been fixed for good.
>
Patches for review are welcome, but you should at least write some bugs
about this first. ;)
bob
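The two-step C_GetSlotList() protocol the reply above refers to (get the slot count first, then the list), as an added example that is not code from this thread, OpenSC or NSS: a constructed stand-in module whose slot list grows between the count call and the sized call, and an enumerator that handles CKR_BUFFER_TOO_SMALL instead of trusting the stale count, including the zero-slot case from point 2. The CK_* types and CKR_* values are the spec's; SIM_MAX_SLOTS, the sim_* state and count_slots_with_race() are assumptions made for the demonstration.

```c
#include <stdlib.h>
#include <string.h>
typedef unsigned long CK_ULONG, CK_RV, CK_SLOT_ID;   /* minimal PKCS #11 types */
typedef unsigned char CK_BBOOL;
#define CKR_OK               0x000UL   /* return codes, values as in the spec */
#define CKR_HOST_MEMORY      0x002UL
#define CKR_BUFFER_TOO_SMALL 0x150UL
/* Constructed stand-in for a module: a token inserted mid-enumeration adds a slot. */
#define SIM_MAX_SLOTS 8
static CK_SLOT_ID sim_slots[SIM_MAX_SLOTS];
static CK_ULONG sim_slot_count;
static int sim_calls_until_grow = -1;   /* -1: the slot list never changes */
/* Spec semantics: a NULL list reports the count; a short buffer gets CKR_BUFFER_TOO_SMALL. */
CK_RV C_GetSlotList(CK_BBOOL tokenPresent, CK_SLOT_ID *pSlotList, CK_ULONG *pulCount) {
    (void)tokenPresent;
    if (sim_calls_until_grow > 0 && --sim_calls_until_grow == 0 && sim_slot_count < SIM_MAX_SLOTS) {
        sim_slots[sim_slot_count] = sim_slot_count;   /* a new slot appeared */
        sim_slot_count++;
    }
    if (pSlotList == NULL) { *pulCount = sim_slot_count; return CKR_OK; }
    if (*pulCount < sim_slot_count) { *pulCount = sim_slot_count; return CKR_BUFFER_TOO_SMALL; }
    memcpy(pSlotList, sim_slots, sim_slot_count * sizeof *pSlotList);
    *pulCount = sim_slot_count;
    return CKR_OK;
}
/* Robust enumeration: size the buffer from the count call, then retry with the larger
 * count whenever the module answers CKR_BUFFER_TOO_SMALL instead of trusting the old one. */
CK_RV enumerate_slots(CK_SLOT_ID **out, CK_ULONG *out_count) {
    CK_ULONG count = 0; CK_SLOT_ID *list = NULL;
    CK_RV rv = C_GetSlotList(0, NULL, &count);
    while (rv == CKR_OK) {
        CK_SLOT_ID *tmp = realloc(list, (count ? count : 1) * sizeof *tmp);
        if (tmp == NULL) { free(list); return CKR_HOST_MEMORY; }
        list = tmp;
        rv = C_GetSlotList(0, list, &count);          /* count may come back larger */
        if (rv == CKR_OK) { *out = list; *out_count = count; return CKR_OK; }
        if (rv == CKR_BUFFER_TOO_SMALL) rv = CKR_OK;   /* grow and try again */
    }
    free(list);
    return rv;
}
/* Run one scenario; returns the slot count seen, or (CK_ULONG)-1 on error. */
CK_ULONG count_slots_with_race(CK_ULONG initial, int calls_until_grow) {
    CK_SLOT_ID *slots = NULL; CK_ULONG n = 0;
    sim_slot_count = initial; sim_calls_until_grow = calls_until_grow;   /* reset the module */
    for (CK_ULONG i = 0; i < initial; i++) sim_slots[i] = i;
    if (enumerate_slots(&slots, &n) != CKR_OK) return (CK_ULONG)-1;
    free(slots);
    return n;
}
```

With count_slots_with_race(3, 2) the fourth slot appears during the sized call, so a caller that used the first count blindly would miss it; the retry loop returns 4.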
_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
