Closed
Bug 1475274
Opened 6 years ago
Closed 6 years ago
Provide a way to specify tokens with PKCS #11 URI
Categories
(NSS :: Libraries, enhancement)
NSS
Libraries
Tracking
(Not tracked)
RESOLVED
FIXED
3.39
People
(Reporter: ueno, Unassigned)
Details
Attachments
(1 file)
While the patches in bug 1162897 made it possible to use PKCS #11 URI as a certificate nickname (through PK11_FindCertsFromNickname), it is still not possible to specify tokens with URI. It would be good if PK11_FindSlotByName() works similarly, so that the client applications[1] can use PKCS #11 URI instead of token names. [1] https://codesearch.debian.net/search?q=PK11_FindSlotByName&perpkg=1
Reporter | ||
Comment 1•6 years ago
|
||
This patch allows client applications to specify tokens unambiguously with PKCS #11 URI, instead of token name. It also includes a minor fixes to PKCS #11 URI handling that previously treated the scheme case sensitively.
Reporter | ||
Updated•6 years ago
|
Attachment #8991650 -
Flags: review?(rrelyea)
Attachment #8991650 -
Flags: review?(kaie)
Comment 2•6 years ago
|
||
Comment on attachment 8991650 [details] Bug 1475274, Provide a way to specify tokens by PKCS #11 URI In cert/cert.sh: # This token shouldn't have any keys CU_ACTION="List keys in NSS Generic Crypto Services" RETEXPECTED=255 certu -K -f "${R_PWFILE}" -d ${P_R_SERVERDIR} -h ${GENERIC_CRYPTO_URI} RETEXPECTED=0 Just remove this test. There are no keys or certs in the "Generic Crypto Services" token.
Attachment #8991650 -
Flags: review?(rrelyea) → review+
Reporter | ||
Comment 3•6 years ago
|
||
(In reply to Robert Relyea from comment #2) Thank you for the review. > There are no keys or certs in the "Generic Crypto Services" token. That's the reason why I used it in the test actually. When a non-exitent token name is given, certutil defaults to look at "NSS Certificate DB". To differentiate the results, we need to use a separate token which doesn't have any object.
Reporter | ||
Comment 4•6 years ago
|
||
Bob, if I understand right, you suggested to duplicate the "NSS Certificate DB" token for testing, either by using modutil or by modifying pkcs11.txt. Is it really possible? I tried the following but haven't managed to get two tokens registered in the same database: ``` $ modutil -dbdir sql:nssdb -add another -libfile libsoftokn3.so ... ERROR: Failed to add module "another". Probable cause : "Unknown PKCS #11 error. $ modutil -dbdir sql:nssdb -rawlist library= name="NSS Internal PKCS #11 Module" ... $ modutil -dbdir sql:nssdb -rawadd 'library= name="another NSS Internal PKCS #11 Module" ...' $ modutil -dbdir sql:nssdb -list (only the default internal tokens are shown) ``` Could you provide the actual procedure to register multiple internal tokens?
Comment 5•6 years ago
|
||
I was recommending using the builtins, not adding a second NSS Certificate DB. Doing the latter would require sqllite and hand editing the pkcs11.txt file, the tools can't handle this (nor could dbm). modutil -dbdir sql:nssdb -add builtins -libfile libnssckbi.so bob
Comment 6•6 years ago
|
||
Comment on attachment 8991650 [details] Bug 1475274, Provide a way to specify tokens by PKCS #11 URI Robert Relyea has been removed from the revision. https://phabricator.services.mozilla.com/D2099
Attachment #8991650 -
Flags: review+
Reporter | ||
Comment 7•6 years ago
|
||
(In reply to Robert Relyea from comment #5) > I was recommending using the builtins, not adding a second NSS Certificate > DB. Doing the latter would require sqllite and hand editing the pkcs11.txt > file, the tools can't handle this (nor could dbm). > > modutil -dbdir sql:nssdb -add builtins -libfile libnssckbi.so Thank you for the hint, I have updated the patch to use the NSS Builtin Objects token. (actually, the token is already registered in cert.sh, so I just replaced the name of the token checked).
Reporter | ||
Updated•6 years ago
|
Attachment #8991650 -
Flags: review?(rrelyea)
Comment 8•6 years ago
|
||
Comment on attachment 8991650 [details] Bug 1475274, Provide a way to specify tokens by PKCS #11 URI r+ rrelyea
Attachment #8991650 -
Flags: review?(rrelyea) → review+
Comment 9•6 years ago
|
||
Comment on attachment 8991650 [details] Bug 1475274, Provide a way to specify tokens by PKCS #11 URI Robert Relyea has been removed from the revision. https://phabricator.services.mozilla.com/D2099
Attachment #8991650 -
Flags: review+
Reporter | ||
Comment 10•6 years ago
|
||
Thank you for the review; pushed: https://hg.mozilla.org/projects/nss/rev/d23206e032bd
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.39
Updated•6 years ago
|
Attachment #8991650 -
Flags: review?(kaie)
You need to log in
before you can comment on or make changes to this bug.
Description
•