On 7/13/2010 12:59 PM, Robert Relyea wrote:
> On 07/12/2010 09:54 AM, Antti Andreimann wrote:
>
> You'll find https://developer.mozilla.org/en/PKCS11_Implement helpful in
> dealing with PKCS #11 and NSS. It's a bit dated, but it provides a
> minimum set (something that will work with even ancient versions of the
> browser).
>
>> PKCS#11 implementation in Mozilla is broken in many ways:
>> 1. It doesn't like when slots disappear
>
> When the code was implemented, slots were only allowed to grow, not
> disappear. I suspect a simple change to UpdateSlotList may fix this, as
> long as you are prepared to deal with old slot numbers sent to you
> without crashing (returning an error is fine). As dave pointed out,
> writing bugs upstream would be a good way to get these fixed.
>
>> 2. It breaks when module initially exposes zero slots
>
> I would be happy to review any patches you may have that fix this
> issue. The source is in mozilla/security/nss/pk11wrap. My guess is you
> may only need to have SECMOD_HasRemovableSlots() return true if
> mod->slotCount == 0 (pk11util.c).
>
>> 3. It doesn't set its slot flags (eg. friendly) for all slots,
>> but only for those that were visible when the security module was
>> loaded from JavaScript. New slots get default flags, which can be
>> wrong.
>
> That's on purpose. Most tokens out of the box do not meet the
> requirements of 'Publicly readable certs'. The rules for this can be
> found buried in the strings document (I thought it was in the PKCS #11
> faq, but I didn't see it there):
>
>     *PublicCerts* - The certificates on this token can be read without
>     authenticating to this token, and any user certs on this token have
>     a matching public key which is also readable without authenticating.
>     Setting this flag means NSS will not try to authenticate to the
>     token when searching for Certificates. This removes spurious
>     password prompts, but if incorrectly set it can also cause NSS to
>     miss certificates in a token until that token is explicitly logged in.
>
> Most tokens fail to provide a matching public key with the cert, so
> setting the flag will result in the token appearing to contain no user
> certs.

But OpenSC should/can accommodate this by reading the cert and
constructing a public key object. The pkcs15-piv.c does this if an
attempt is made to read the public key. Maybe this could be adapted for
all cards.

> It's unfortunate that the mozilla UI has removed the ability to tweak
> these flags and you need to use JavaScript or external applications to
> set these flags.
>
>> These are the exact reasons why the original "virtual slot" system was
>> implemented. It's best not to mess around with the slot count when
>> dealing with NSS in the first place.
>
> The original version of PKCS #11 didn't allow you to mess with the slots
> on the fly in any case. There is a very specific protocol in the spec
> that explains when you can change the slot count (This has to do with
> the way PKCS #11 is specified, since you need to get the slot count
> first then get the list of slots. If you
>
>> What happened to the previous "working" virtual slot implementation?
>> When using PKCS#11, who cares about the "real" physical readers anyway?
>> Why not just expose a number of empty slots and then fill them with
>> tokens as they are inserted.
>
> This is certainly safer for many implementations. Not all NSS apps
> bother to call UpdateSlotList(), so even if you make the above changes,
> NSS will never see the new slots.
>
>> "onepin-pkcs11" to "firefox-sucks-pkcs11" and please do not touch those
>> hacks until the bloody NSS has been fixed for good.
>
> Patches for review are welcome, but you should at least write some bugs
> about this first. ;)
>
> bob
>
> _______________________________________________
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel

-- 
Douglas E. Engert <deeng...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
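Bob's remark that the spec's two-call slot enumeration (get the count, then get the list) is why the slot count cannot change at arbitrary points is easier to see in code. The following is an added example, not OpenSC or NSS code: a caller that survives a slot appearing between the count query and the list query by re-allocating on CKR_BUFFER_TOO_SMALL. The module it talks to, mock_C_GetSlotList, and its slot-growth behaviour are constructed stand-ins, and the PKCS #11 types and return codes are declared inline rather than taken from pkcs11.h.

```c
/* Added example, not OpenSC or NSS code: enumerating PKCS #11 slots when the
 * count can change between the count query and the list query. Minimal types
 * are declared inline; mock_C_GetSlotList is a constructed stand-in module. */
#include <stdlib.h>

typedef unsigned long CK_ULONG, CK_RV, CK_SLOT_ID, CK_BBOOL;
#define CKR_OK               0x000UL
#define CKR_ARGUMENTS_BAD    0x007UL
#define CKR_BUFFER_TOO_SMALL 0x150UL

/* Constructed module state: a slot appears on each of the next `growth` calls. */
static CK_ULONG mock_slot_count, mock_growth_left;
static void mock_reset(CK_ULONG slots, CK_ULONG growth) { mock_slot_count = slots; mock_growth_left = growth; }

static CK_RV mock_C_GetSlotList(CK_BBOOL tokenPresent, CK_SLOT_ID *pSlotList, CK_ULONG *pulCount)
{
    (void)tokenPresent;
    if (pulCount == NULL) return CKR_ARGUMENTS_BAD;
    if (mock_growth_left > 0) { mock_slot_count++; mock_growth_left--; }
    if (pSlotList == NULL) { *pulCount = mock_slot_count; return CKR_OK; } /* count query */
    if (*pulCount < mock_slot_count) {        /* caller's buffer is already stale */
        *pulCount = mock_slot_count;
        return CKR_BUFFER_TOO_SMALL;
    }
    for (CK_ULONG i = 0; i < mock_slot_count; i++) pSlotList[i] = i + 1;
    *pulCount = mock_slot_count;
    return CKR_OK;
}

/* The spec's two-call protocol: get the count, allocate, get the list, and
 * re-allocate while the module answers CKR_BUFFER_TOO_SMALL (it updates the
 * count). Returns the slot count with the list in *out (caller frees), or -1. */
static long enumerate_slots(CK_SLOT_ID **out, int max_attempts)
{
    CK_ULONG count = 0;
    CK_SLOT_ID *list = NULL;
    if (mock_C_GetSlotList(1, NULL, &count) != CKR_OK) return -1;
    for (int attempt = 0; attempt < max_attempts; attempt++) {
        CK_SLOT_ID *tmp = realloc(list, (count ? count : 1) * sizeof(CK_SLOT_ID));
        if (tmp == NULL) break;
        list = tmp;
        CK_RV rv = mock_C_GetSlotList(1, list, &count);
        if (rv == CKR_OK) { *out = list; return (long)count; }
        if (rv != CKR_BUFFER_TOO_SMALL) break;
    }
    free(list);
    return -1;
}
```

Starting the mock at zero slots (point 2 in the thread) with three pending insertions, enumerate_slots returns 3 after two CKR_BUFFER_TOO_SMALL retries, while a caller that gives up after one attempt gets -1.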