Re: Firefox PSM locks NSS

2011-01-13 Thread Irune Prado Alberdi
Hiya,

I've tried the same test with Chromium and it worked correctly as Wan-Teh said. 
The database does not get locked.

My Firefox profile NSS files are soft links to the shared ones, as explained in 
the NSS Shared Howto document
https://wiki.mozilla.org/NSS_Shared_DB_Howto

Could it be a matter of my pkcs11.txt configuration? I've built everything with 
the modutil tool (create new database, add opensc module for my smartcard and 
set FRIENDLY flag) but maybe Firefox needs some other flag not to get locked 
that I've not considered.

<pre>
$ cat ~/.pki/nssdb/pkcs11.txt
library=
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:.' certPrefix='' keyPrefix='' secmod='' flags= 
updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' 
updateTokenDescription='' 
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 
slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]
 askpw=any timeout=30})

library=./libnssckbi.so
name=Root Certs
NSS=trustOrder=100

library=/usr/lib/opensc/opensc-pkcs11.so
name=izenpe
NSS=slotParams={0x=[slotFlags=PublicCerts ] 
0x0001=[slotFlags=PublicCerts rootFlags=hasRootTrust] 
0x0002=[slotFlags=PublicCerts ] 0x0003=[slotFlags=PublicCerts ] 
0x0004=[slotFlags=PublicCerts ] 0x0005=[slotFlags=PublicCerts ] 
0x0006=[slotFlags=PublicCerts ] 0x0007=[slotFlags=PublicCerts ] 
0x0008=[slotFlags=PublicCerts ] 0x0009=[slotFlags=PublicCerts ] 
0x000a=[slotFlags=PublicCerts ] 0x000b=[slotFlags=PublicCerts ] 
0x000c=[slotFlags=PublicCerts ] 0x000d=[slotFlags=PublicCerts ] 
0x000e=[slotFlags=PublicCerts ] 0x000f=[slotFlags=PublicCerts ] }  
</pre>



I had to activate the FRIENDLY flag in order for Chrome to correctly obtain the 
smartcard's certificate. I'm new to Chrome so maybe there's another way to do 
this. Firefox doesn't require it and asks for the PIN.

Irune Prado :: Zylk.net
-
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
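
An added example (not part of the original posts, and not NSS code): a small parser for the pkcs11.txt layout posted above that reports, per module and slot, whether slotFlags contains PublicCerts. It assumes PublicCerts is how the FRIENDLY flag set with modutil is recorded, as the posted file suggests; the sample file is constructed and the function names are hypothetical.

```python
import re

# Constructed sample in the posted layout; slot 0x0003 deliberately lacks PublicCerts.
SAMPLE = """\
library=
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:.' certPrefix='' keyPrefix='' secmod='' flags=
NSS=Flags=internal,critical trustOrder=75 slotParams=(1={slotFlags=[RSA,DSA,RANDOM] askpw=any timeout=30})

library=/usr/lib/opensc/opensc-pkcs11.so
name=izenpe
NSS=slotParams={0x0001=[slotFlags=PublicCerts rootFlags=hasRootTrust] 0x0002=[slotFlags=PublicCerts ] 0x0003=[askpw=any ]}
"""

PAIRS = {"(": ")", "{": "}", "[": "]", "<": ">", '"': '"', "'": "'"}

def parse_params(text):
    """Parse 'key=value key=value'; a value may be wrapped in a bracket or quote pair."""
    out, i, n = {}, 0, len(text)
    while i < n:
        eq = text.find("=", i)
        if eq < 0:
            break
        key, i = text[i:eq].strip(), eq + 1
        start = i
        if i < n and text[i] in PAIRS:
            opener, closer, depth = text[i], PAIRS[text[i]], 1
            start = i = i + 1
            while i < n and depth:  # closer is tested first so quote pairs terminate
                depth += -1 if text[i] == closer else (text[i] == opener)
                i += 1
            out[key] = text[start:i - 1] if depth == 0 else text[start:i]
        else:
            while i < n and not text[i].isspace():
                i += 1
            out[key] = text[start:i]
    return out

def audit(pkcs11_txt):
    """Return {module name: {slot id: True if slotFlags contains PublicCerts}}."""
    report = {}
    for stanza in re.split(r"\n\s*\n", pkcs11_txt.strip()):
        fields = dict(l.split("=", 1) for l in stanza.splitlines() if "=" in l)
        slots = parse_params(parse_params(fields.get("NSS", "")).get("slotParams", ""))
        report[fields.get("name", "?")] = {
            slot: "PublicCerts" in parse_params(body).get("slotFlags", "").split(",")
            for slot, body in slots.items()}
    return report
```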


Re: Firefox PSM locks NSS

2011-01-13 Thread Irune Prado Alberdi
> If your module locks the DB while in R/W
> mode, that would explain it.  Even that is bad, but it's not as bad a
> user experience when you have the friendly flag set.

NSS will access opensc driver following pkcs11.txt configuration which is the 
same for Chromium, Firefox and the certutil tool I'm also using for testing.

> Try it with FF.

No newness, every access after the start of the driver session by the PSM of 
Firefox gets locked.

> If your module locks the DB while in R/W mode, that would explain it.
That's why I think it's something related to the pkcs11.txt

Irune Prado :: Zylk.net
-



- Original message -
From: Nelson B Bolyard nel...@bolyard.me
To: mozilla's crypto code discussion list 
dev-tech-crypto@lists.mozilla.org
Sent: Thursday, 13 January 2011 13:16:07
Subject: Re: Firefox PSM locks NSS

On 2011-01-13 03:58 PDT, Irune Prado Alberdi wrote:

> I've tried the same test with Chromium and it worked correctly as
> Wan-Teh said. The database does not get locked.

[snip]

> I had to activate the FRIENDLY flag in order for Chrome to correctly obtain
> the smartcard's certificate. I'm new to Chrome so maybe there's another
> way to do this. Firefox doesn't require it and asks for the PIN.

That's a big clue, I think.  The friendly flag tells NSS that the module
supports a read only mode wherein it is not necessary to login to read
the certificates and other public objects on the device.  Without that,
NSS assumes that the device only supports read/write mode, and login is
necessary to go any access.  If your module locks the DB while in R/W
mode, that would explain it.  Even that is bad, but it's not as bad a
user experience when you have the friendly flag set.  Try it with FF.

-- 
/Nelson Bolyard


Firefox PSM locks NSS

2011-01-11 Thread Irune Prado Alberdi
Hi!

Firstly forgive me any mislearned NSS-related technical concepts, I'm new to 
this.

I'm trying to access an NSS shareable database (3.1.2 with 
NSS_DEFAULT_DB_TYPE=sql) while having a Firefox NSS session already initialized 
over the pkcs11 module of my smartcard.

My test is really simple but I don't get to know why firefox locks the database.

Up to this point I can properly work with my certificates in firefox but when I 
try to simultaneously access it via certutil I get blocked
<pre>
~/.pki/nssdb$ certutil -d sql:. -K -h izenpe
</pre>

While if I terminate the pkcs11 session in firefox I can successfully access the 
token
<pre>
$ certutil -d sql:. -K -h izenpe
certutil: Checking token Builtin Object Token in slot NSS Builtin Objects
certutil: no keys found
certutil: Checking token NSS Generic Crypto Services in slot NSS Internal 
Cryptographic Services
certutil: no keys found
certutil: Checking token NSS Certificate DB in slot NSS User Private Key and 
Certificate Services
certutil: no keys found
certutil: Checking token IZENPE in slot Gemplus GemPC Twin 00 00
Enter Password or Pin for IZENPE:
 0 rsa  ad22bafb47cd03a443ee3c04e4914f5cc52a   PRUEBAS EFACTUR
</pre>


Hope you can guide me, best regards,
Irune

