Re: [opensc-devel] Half OT: PKCS#11+Mozilla

Thu, 25 Aug 2011 06:22:02 -0700 


On 8/25/2011 7:58 AM, helpcrypto helpcrypto wrote:
> Sorry for the little OT.
>
> I would like to know if OpenSC PKCS#11 module added on
> Firefox/Thunderbird has the same "problem" im having on my PKCS#11
> library.
>
> Seems that Mozilla its invoking C_FindObjectsInit asking for objects
> with CK_OBJECT_CLASS = 0xCE534351 or 0xCE534352 or 0xCE534353 or
> 0xCE534354 around 171 times.
> This type is a mask for VENDOR_DEFINED ones, and seems to be related to NSS.

The OpenSC pkcs11/pkcs11-display.c has definitions for all these.
  #define CKO_NETSCAPE 0xCE534350

  #define CKO_NETSCAPE_CRL                (CKO_NETSCAPE + 1)
  #define CKO_NETSCAPE_SMIME              (CKO_NETSCAPE + 2)
  #define CKO_NETSCAPE_TRUST              (CKO_NETSCAPE + 3)
  #define CKO_NETSCAPE_BUILTIN_ROOT_LIST  (CKO_NETSCAPE + 4)

There are vendor attributes too.

> As far as i know, returning CKR_OK and 0 objects, or even better
> CKR_ATTRIBUTE_TYPE_INVALID should tell Mozilla "I DONT HAVE ANY OF
> THIS", and Mozilla "should" stop asking.
> Instead of this, it asks again...again...and again until boredom
> (maybe its because i have 171 CAs on my keystore? No clue.

Looks like looking for a CRL.

When OpenSC PKCS#11 sees these, it returns 0 objects and CKR_OK

Add to the environment something like this:

PKCS11SPY=/opt/smartcard/lib/your-pkcs11.so
PKCS11SPY_OUTPUT=/tmp/tb.spy.txt


>
> Mozilla/NSS people doesnt seem to know anything about this (or they
> look to other side).
> As im not an OpenSC user, and have no idea of how to trace/log this
> stuff, i ask for the guys that would have been fighting against this.

You can use the OpenSC pkcs11-spy.so with TB and your own PKCS#11 module.
make the pkcs11-spy.so or pkcs11-spy.dll the security device.


> Is this also happening to you? Do you implement that VENDOR_DEFINED
> (undocumented?) types? Could you give me a hand?

When OpenSC PKCS#11 sees these, it returns 0 objects and CKR_OK

>
> Thanx a lot anyway.
> _______________________________________________
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel
>
>

-- 

  Douglas E. Engert  <deeng...@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Reply via email to