Re: SSL objects and NSS code communicating with PKCS#11 module
On 03/05/2014 01:21 AM, Raad Bahmani wrote:
> Hello Robert,
>
> thank you for your answer !
>
>>> 3) Which algorithm is used for login with SSL ?
>> I'm not sure what you mean by 'login with SSL'. Do you mean create an
>> SSL handshake? do you mean client auth? do you mean login to the token
>> to use SSL?
> you are right, my question is vaguely formulated !
> I guess it would be: "client authentication"
>
> This is the scenario:
>
> 1) A user opens a web-page where he can log in using his SSL certificate.
> 2) He clicks on a link which says: "Log-In with SSL Certificate".
> 3) Firefox handles this request by calling functions of my PKCS#11 module.
>
> Where do I find the code which calls the functions of my module?

You don't need to implement the SSL key exchange algorithms for this, you simply need to implement signing. Your best bet is:

https://developer.mozilla.org/en-US/docs/PKCS11_Implement

Your token profile is 'Signing tokens'.

When you see requests for attributes or objects that aren't part of the PKCS #11 spec, you should respond as the PKCS #11 spec directs for unknown attributes and objects. NOTE: if you have a list of mixed attributes, PKCS #11 requires you to fill in all the attributes you do understand and mark the ones you don't with length of -1. These additional attributes are not necessary to be able to create client auth connections.

>>> C_FindObjects with:
>>> session-handle: 100
>>> ulMaxObjectCount: 1
>> What did you return here? This is a very basic Find object call looking
>> for an object that you probably don't support. You should return no
>> object here.
> As I mentioned, my module *simulates* a smart-card, so always a dummy
> ID/Handle is returned when for example a session is required to be
> created or when the C_FindObjects is called.
>
> If a dummy object-handle is not returned the firefox keeps calling the
> C_Find* functions as you can see below.

Once your token is loaded, firefox will ask it for all sorts of objects.
If you don't know the object, you should always return 'no such object'. If you pretend to return an object you don't know about, things will not end well...

In simulating a smart card, do you claim to be a hardware device? If so NSS will just ask you at token insertion for a full range of objects ahead of time and then never bother you (assuming you have only a small number of certs/crls/etc). What I see below is exactly what I expect (NSS asking you, do you know this cert? do you have the CRL for this CA, etc.). You should expect to see these calls continually if you are functioning correctly.

bob
Re: SSL objects and NSS code communicating with PKCS#11 module
Hello,

On Monday 3 March 2014 13:31:20 UTC+1, Raad Bahmani wrote:
> I need to implement a PKCS11-library which simulates a smart-card and
> responds to login attempts with SSL certificates.

Your simulated smartcard won't do any login with SSL cert (it won't go that high). When the Mozilla product performs the TLS handshake and the server asks for client authentication, it will search for acceptable certificates in all the connected devices and display a list to the user. If the user chooses a certificate whose private key is stored in your simulated smartcard, the Mozilla product will ask your simulated smartcard to perform a signature operation.

> I have found out that SSL needs the following mechanisms, so the
> "C_GetMechanismList" of my library specifies them as supported.
>
> - CKM_SSL3_PRE_MASTER_KEY_GEN
> - CKM_SSL3_MASTER_KEY_DERIVE
> - CKM_SSL3_KEY_AND_MAC_DERIVE
> - CKM_SSL3_MD5_MAC
> - CKM_SSL3_SHA1_MAC

You obviously also need to implement them, not only declare them as supported. And I don't think those are necessary at all for client auth.

> When trying to login using SSL the following functions are called before
> the firefox crashes ! :/
>
> These are my questions:
>
> 1) What are these objects: ce534354, ce534353, b316030,
> 102, 318c8130, e0d0302

These are pointers. Please read PKCS#11 v2+.

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: SSL objects and NSS code communicating with PKCS#11 module
Hello Robert,

thank you for your answer !

>> 3) Which algorithm is used for login with SSL ?
> I'm not sure what you mean by 'login with SSL'. Do you mean create an
> SSL handshake? do you mean client auth? do you mean login to the token
> to use SSL?

you are right, my question is vaguely formulated !
I guess it would be: "client authentication"

This is the scenario:

1) A user opens a web-page where he can log in using his SSL certificate.
2) He clicks on a link which says: "Log-In with SSL Certificate".
3) Firefox handles this request by calling functions of my PKCS#11 module.

Where do I find the code which calls the functions of my module?

>> C_FindObjects with:
>> session-handle: 100
>> ulMaxObjectCount: 1
>
> What did you return here? This is a very basic Find object call looking
> for an object that you probably don't support. You should return no
> object here.

As I mentioned, my module *simulates* a smart-card, so always a dummy ID/Handle is returned when for example a session is required to be created or when the C_FindObjects is called.

If a dummy object-handle is not returned the firefox keeps calling the C_Find* functions as you can see below.
Re: SSL objects and NSS code communicating with PKCS#11 module
On 03/03/2014 04:31 AM, Raad Bahmani wrote:
> Hello together,
>
> I need to implement a PKCS11-library which simulates a smart-card and
> responds to login attempts with SSL certificates.
>
> I have found out that SSL needs the following mechanisms, so the
> "C_GetMechanismList" of my library specifies them as supported.
>
> - CKM_SSL3_PRE_MASTER_KEY_GEN
> - CKM_SSL3_MASTER_KEY_DERIVE
> - CKM_SSL3_KEY_AND_MAC_DERIVE
> - CKM_SSL3_MD5_MAC
> - CKM_SSL3_SHA1_MAC
>
> When trying to login using SSL the following functions are called before
> the firefox crashes ! :/
>
> These are my questions:
>
> 1) What are these objects: ce534354, ce534353, b316030,
> 102, 318c8130, e0d0302

It's not clear without context. These look like they could either be object ID's or Attribute ID's. The ones starting with ce5343xx are NSS specific attributes or objects. Your library can reject or ignore them (depending on context). 102 looks like a regular PKCS #11 attribute or id (depending on context). The others look like memory addresses, so there's nothing I can really tell about them. NSS never used those as PKCS #11 id's.

> 2) Where can I find (in cross-reference ) the source code of firefox/NSS
> which communicates with my library ?

The NSS specific id's are defined in lib/util/pkcs11n.h

> 3) Which algorithm is used for login with SSL ?

I'm not sure what you mean by 'login with SSL'. Do you mean create an SSL handshake? do you mean client auth? do you mean login to the token to use SSL?

> Thank you in advance.
> - Raad
>
> +---
> C_GetFunctionList
> +---
> C_Initialize
> +---
> C_GetInfo
> +---
> C_GetSlotList
> +---
> C_GetSlotList
> +---
> C_GetSlotInfo
> +---
> C_GetTokenInfo
> +---
> C_GetMechanismList
> +---
> C_OpenSession with:
> lag: 4l
> slotId: 22l
> +---
> C_FindObjectsInit with:
> session-handle: 100
> ulCount: 1
> Attr0 Value: ce534354
> +---
> C_FindObjects with:
> session-handle: 100
> +---
> C_FindObjectsFinal
> +---
> C_GetSlotInfo
> +---
> C_FindObjectsInit with:
> session-handle: 100
> ulCount: 4
>
> template
> Attr0 Type: 1
> Attr0 Value: 1
> Attr0 ulValueLen: 1
> --
> Attr1 Type: 0l
> Attr1 Value: ce534353
> Attr1 ulValueLen: 8
> --
> Attr2 Type: 129l
> Attr2 Value: b316030
> Attr2 ulValueLen: 98l
> --
> Attr3 Type: 130l
> Attr3 Value: 102
> Attr3 ulValueLen: 3l
> +---
> C_FindObjects with:
> session-handle: 100
> ulMaxObjectCount: 1

What did you return here? This is a very basic Find object call looking for an object that you probably don't support. You should return no object here.

> +---
> C_FindObjectsFinal
> +---
> C_FindObjectsInit with:
> session-handle: 100l
> ulCount: 4l
> template:
> Attr0 Type: 1l
> Attr0 Value X: 1
> Attr0 ulValueLen: 1l
> --
> Attr1 Type: 0l
> Attr1 Value: 1
> Attr1 ulValueLen: 8l
> --
> Attr2 Type: 129l
> Attr2 Value: 318c8130
> Attr2 ulValueLen: 143l
> --
> Attr3 Type L: 130l
> Attr3 Value: e0d0302
> Attr3 ulValueLen: 5l

Here the objects are all standard PKCS #11 objects. You seem to be confused about the attribute values. Please look at the PKCS #11 spec for what those values are. They are all there (note your tool is printing them as long decimal integers, but they are listed in the spec as hex values).

> +---
> C_FindObjects with:
> session-handle: 100l
> ulMaxObjectCount: 1l
> +---
> C_FindObjectsFinal

It looks like you found an object and returned it as handle 71l

> +---
> C_GetAttributeValue with:
> session-handle: 100l
> hObject: 71l
> ulCount: 2l
>
> template:
> Attr0 Type X: 1l

You are missing something here, your template should have 2 objects in it.
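Both of Bob's replies come down to the same two rules (a C_FindObjects that returns no object for a template the token cannot satisfy, and a C_GetAttributeValue that fills the attributes it understands and marks the rest with a length of -1); the following is an added illustration of them, not code from the thread or from NSS. The CK_* types and constants are hand-declared stand-ins for pkcs11.h, the single certificate object is constructed sample data, and a buffer-too-small check is included because the caller's pValue buffer must never be overrun.

```c
/* Added example (not code from the thread or NSS): a minimal PKCS#11-style
 * object store with the two behaviours Bob asks for. The CK_* names are
 * hand-declared stand-ins for pkcs11.h so this file compiles on its own. */
#include <stddef.h>
#include <string.h>
typedef unsigned long CK_ULONG;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
enum { CKR_OK = 0x000, CKR_ATTRIBUTE_TYPE_INVALID = 0x012, CKR_BUFFER_TOO_SMALL = 0x150 };
#define CK_UNAVAILABLE_INFORMATION ((CK_ULONG)-1)   /* the "length of -1" */
/* Attribute types as the trace prints them in decimal: 0, 1, 129, 130. */
enum { CKA_CLASS = 0x00, CKA_TOKEN = 0x01, CKA_ISSUER = 0x81, CKA_SERIAL_NUMBER = 0x82,
       CKO_CERTIFICATE = 0x01 };
/* Constructed sample token content: one certificate object, handle 71. */
static CK_ULONG cls = CKO_CERTIFICATE;
static unsigned char tok = 1, issuer[] = {0x30, 0x04, 'T', 'e', 's', 't'}; /* fake DER */
static unsigned char serial[] = {0x02, 0x01, 0x07};
static CK_ATTRIBUTE cert[] = { {CKA_CLASS, &cls, sizeof cls}, {CKA_TOKEN, &tok, 1},
    {CKA_ISSUER, issuer, sizeof issuer}, {CKA_SERIAL_NUMBER, serial, sizeof serial} };
#define CERT_HANDLE 71UL

static const CK_ATTRIBUTE *lookup(CK_ULONG type) {   /* NULL = we do not have it */
    for (size_t i = 0; i < sizeof cert / sizeof cert[0]; i++)
        if (cert[i].type == type) return &cert[i];
    return NULL;
}
/* C_FindObjects core: match only if every template attribute is present with
 * identical bytes, so a probe for a class or attribute we do not know (such as
 * an NSS vendor class) yields 0 objects, never a dummy handle. */
CK_ULONG find_objects(const CK_ATTRIBUTE *tpl, size_t n, CK_ULONG *out) {
    for (size_t i = 0; i < n; i++) {
        const CK_ATTRIBUTE *a = lookup(tpl[i].type);
        if (!a || a->ulValueLen != tpl[i].ulValueLen ||
            memcmp(a->pValue, tpl[i].pValue, a->ulValueLen) != 0) return 0;
    }
    *out = CERT_HANDLE;
    return 1;   /* number of handles written to out */
}
/* C_GetAttributeValue core: copy each attribute we understand (or only report
 * its size when pValue is NULL), never overrun the caller's buffer, and mark
 * unknown ones with ulValueLen = -1 while returning CKR_ATTRIBUTE_TYPE_INVALID. */
CK_ULONG get_attribute_value(CK_ATTRIBUTE *tpl, size_t n) {
    CK_ULONG rv = CKR_OK;
    for (size_t i = 0; i < n; i++) {
        const CK_ATTRIBUTE *a = lookup(tpl[i].type);
        if (!a) { rv = CKR_ATTRIBUTE_TYPE_INVALID; tpl[i].ulValueLen = CK_UNAVAILABLE_INFORMATION; }
        else if (tpl[i].pValue && tpl[i].ulValueLen < a->ulValueLen) {
            rv = CKR_BUFFER_TOO_SMALL; tpl[i].ulValueLen = CK_UNAVAILABLE_INFORMATION;
        } else {
            if (tpl[i].pValue) memcpy(tpl[i].pValue, a->pValue, a->ulValueLen);
            tpl[i].ulValueLen = a->ulValueLen;
        }
    }
    return rv;
}
```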