On 8/29/2011 2:08 AM, helpcrypto helpcrypto wrote: > I alreay see that links and, as i told you earlier, must be a > Mozilla/NSS bad implementation, cause it asks again and again, no > matter if CKR_OK or CKR_INVALID_ATTRIBUTE.
They must be not caching the result. It should not be must overhead to return CKR_INVALID_ATTRIBUTE. There might even be some argument, that a PKCS#11 module might respond differently at some time in the future, and so this may not be a bug. > anyway, ill argue this things with the mozilla people. Thanks a lot > for your time and help. Much appreciatted. > > 2011/8/26 Douglas E. Engert<[email protected]>: >> >> >> On 8/26/2011 2:46 AM, helpcrypto helpcrypto wrote: >>> 2011/8/25 Douglas E. Engert<[email protected]>: >>>> >>>> The OpenSC pkcs11/pkcs11-display.c has definitions for all these. >>>> #define CKO_NETSCAPE 0xCE534350 >>>> >>>> #define CKO_NETSCAPE_CRL (CKO_NETSCAPE + 1) >>>> #define CKO_NETSCAPE_SMIME (CKO_NETSCAPE + 2) >>>> #define CKO_NETSCAPE_TRUST (CKO_NETSCAPE + 3) >>>> #define CKO_NETSCAPE_BUILTIN_ROOT_LIST (CKO_NETSCAPE + 4) >>>> >>>> There are vendor attributes too. >>> >>> These are the values im talking about...i guess somewhere must be >>> documented what they are for. >> >> PKCS#11 allows for vendor defined objects and attributes and NSS implements >> some soft tokens that can support storing of CA certs, with TRUST, and CRLs >> and other objects or attributes needed by NSS. >> >> You can find the documentations and source for NSS here: >> >> http://www.mozilla.org/projects/security/pki/nss/ >> >> In Release 3.12 the names are changed from CKO_NETSCAPE_ to CKO_NSS_ >> with the same values: >> >> http://www.mozilla.org/projects/security/pki/nss/nss-3.12/nss-3.12-release-notes.html >> >> In the NSS CVS source these are defined in >> ./mozilla/security/nss/lib/util/pkcs11n.h >> >> >>> >>>> >>>> Looks like looking for a CRL. >>>> >>>> When OpenSC PKCS#11 sees these, it returns 0 objects and CKR_OK >>> >>> I dont know in OpenSC, but doenst matter if i return 0+CKR_OK or not. >>> It still ask many times. >> >> See this thread: >> http://www.mail-archive.com/[email protected]/msg08609.html >> >> One of the NSS developers, says you can return CKR_INVALID_ATTRIBUTE >> and it might stop asking. >> >> >>> >>>> >>>> Add to the environment something like this: >>>> >>>> PKCS11SPY=/opt/smartcard/lib/your-pkcs11.so >>>> PKCS11SPY_OUTPUT=/tmp/tb.spy.txt >>>> >>>> >>>> You can use the OpenSC pkcs11-spy.so with TB and your own PKCS#11 module. >>>> make the pkcs11-spy.so or pkcs11-spy.dll the security device. >>>> >>>> >>>> >>>> When OpenSC PKCS#11 sees these, it returns 0 objects and CKR_OK >>>> >>> >>> Thanks a lot for your help. >>> _______________________________________________ >>> opensc-devel mailing list >>> [email protected] >>> http://www.opensc-project.org/mailman/listinfo/opensc-devel >> >> -- >> >> Douglas E. Engert<[email protected]> >> Argonne National Laboratory >> 9700 South Cass Avenue >> Argonne, Illinois 60439 >> (630) 252-5444 >> _______________________________________________ >> opensc-devel mailing list >> [email protected] >> http://www.opensc-project.org/mailman/listinfo/opensc-devel >> > _______________________________________________ > opensc-devel mailing list > [email protected] > http://www.opensc-project.org/mailman/listinfo/opensc-devel -- Douglas E. Engert <[email protected]> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 _______________________________________________ opensc-devel mailing list [email protected] http://www.opensc-project.org/mailman/listinfo/opensc-devel
