Bug 1475274: Provide a way to specify tokens with PKCS #11 URI
Status: RESOLVED FIXED (3.39)
Opened 7 years ago, closed 7 years ago
Categories: NSS :: Libraries, enhancement
Tracking: Not tracked
People: (Reporter: ueno, Unassigned)
Attachments: 1 file
While the patches in bug 1162897 made it possible to use PKCS #11 URI as a certificate nickname (through PK11_FindCertsFromNickname), it is still not possible to specify tokens with URI.
It would be good if PK11_FindSlotByName() works similarly, so that the client applications[1] can use PKCS #11 URI instead of token names.
[1] https://codesearch.debian.net/search?q=PK11_FindSlotByName&perpkg=1
Comment 1 • 7 years ago (Reporter)
This patch allows client applications to specify tokens unambiguously with PKCS #11 URI, instead of token name. It also includes a minor fix to PKCS #11 URI handling that previously treated the scheme case sensitively.
Updated • 7 years ago (Reporter)
Attachment #8991650 - Flags: review?(rrelyea)
Attachment #8991650 - Flags: review?(kaie)
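The token-selection rule discussed in this bug, as an added example in plain C (not NSS code and not the attached patch): the scheme is compared case-insensitively, the `token` path attribute is percent-decoded, and anything that is not a well-formed PKCS #11 URI selects no token. The names `p11uri_get_attr` and `p11uri_selects_token` are hypothetical.

```c
#include <ctype.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c) {
    if (isdigit(c)) return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Copy the percent-decoded value of path attribute `name` into out.
 * Returns its length, or -1 if the scheme is not "pkcs11" (any case), the
 * attribute is absent, the encoding is malformed, or out is too small. */
int p11uri_get_attr(const char *uri, const char *name, char *out, size_t outlen) {
    static const char scheme[] = "pkcs11:";
    size_t nlen = strlen(name), n = 0;
    for (size_t i = 0; i < sizeof scheme - 1; i++)
        if (tolower((unsigned char)uri[i]) != scheme[i]) return -1;
    const char *p = uri + sizeof scheme - 1;
    while (*p && *p != '?') {            /* the query part is not searched */
        size_t seg = strcspn(p, ";?");
        if (seg > nlen && p[nlen] == '=' && strncmp(p, name, nlen) == 0) {
            const char *v = p + nlen + 1, *end = p + seg;
            while (v < end) {
                int c = (unsigned char)*v++;
                if (c == '%') {
                    if (end - v < 2) return -1;
                    int hi = hexval((unsigned char)v[0]);
                    int lo = hexval((unsigned char)v[1]);
                    if (hi < 0 || lo < 0) return -1;
                    c = hi * 16 + lo; v += 2;
                }
                if (c == 0 || n + 1 >= outlen) return -1;
                out[n++] = (char)c;
            }
            out[n] = '\0';
            return (int)n;
        }
        p += seg + (p[seg] == ';');      /* skip to the next attribute */
    }
    return -1;
}

/* 1 only if uri is a PKCS #11 URI whose token attribute equals label. */
int p11uri_selects_token(const char *uri, const char *label) {
    char tok[33];   /* CK_TOKEN_INFO.label holds 32 bytes; +1 for NUL */
    int n = p11uri_get_attr(uri, "token", tok, sizeof tok);
    return n >= 0 && strcmp(tok, label) == 0;
}
```

With a constructed URI such as `PKCS11:token=NSS%20Certificate%20DB`, `p11uri_selects_token` returns 1 for the label "NSS Certificate DB" and 0 for any other label, and a bare token name (no scheme) never matches.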
Comment 2 • 7 years ago
Comment on attachment 8991650 [details]
Bug 1475274, Provide a way to specify tokens by PKCS #11 URI
In cert/cert.sh:
```
# This token shouldn't have any keys
CU_ACTION="List keys in NSS Generic Crypto Services"
RETEXPECTED=255
certu -K -f "${R_PWFILE}" -d ${P_R_SERVERDIR} -h ${GENERIC_CRYPTO_URI}
RETEXPECTED=0
```
Just remove this test. There are no keys or certs in the "Generic Crypto Services" token.
Attachment #8991650 - Flags: review?(rrelyea) → review+
Comment 3 • 7 years ago (Reporter)
(In reply to Robert Relyea from comment #2)
Thank you for the review.
> There are no keys or certs in the "Generic Crypto Services" token.
That's the reason why I used it in the test actually. When a non-existent token name is given, certutil defaults to look at "NSS Certificate DB". To differentiate the results, we need to use a separate token which doesn't have any object.
Comment 4 • 7 years ago (Reporter)
Bob, if I understand right, you suggested to duplicate the "NSS Certificate DB" token for testing, either by using modutil or by modifying pkcs11.txt. Is it really possible?
I tried the following but haven't managed to get two tokens registered in the same database:
```
$ modutil -dbdir sql:nssdb -add another -libfile libsoftokn3.so
...
ERROR: Failed to add module "another". Probable cause : "Unknown PKCS #11 error.
$ modutil -dbdir sql:nssdb -rawlist
library= name="NSS Internal PKCS #11 Module" ...
$ modutil -dbdir sql:nssdb -rawadd 'library= name="another NSS Internal PKCS #11 Module" ...'
$ modutil -dbdir sql:nssdb -list
(only the default internal tokens are shown)
```
Could you provide the actual procedure to register multiple internal tokens?
Comment 5 • 7 years ago
I was recommending using the builtins, not adding a second NSS Certificate DB. Doing the latter would require sqlite and hand editing the pkcs11.txt file, the tools can't handle this (nor could dbm).
```
modutil -dbdir sql:nssdb -add builtins -libfile libnssckbi.so
```
bob
Comment 6 • 7 years ago
Comment on attachment 8991650 [details]
Bug 1475274, Provide a way to specify tokens by PKCS #11 URI
Robert Relyea has been removed from the revision.
https://phabricator.services.mozilla.com/D2099
Attachment #8991650 - Flags: review+
Comment 7 • 7 years ago (Reporter)
(In reply to Robert Relyea from comment #5)
> I was recommending using the builtins, not adding a second NSS Certificate
> DB. Doing the latter would require sqlite and hand editing the pkcs11.txt
> file, the tools can't handle this (nor could dbm).
>
> modutil -dbdir sql:nssdb -add builtins -libfile libnssckbi.so
Thank you for the hint, I have updated the patch to use the NSS Builtin Objects token.
(actually, the token is already registered in cert.sh, so I just replaced the name of the token checked).
Updated • 7 years ago (Reporter)
Attachment #8991650 - Flags: review?(rrelyea)
Comment 8 • 7 years ago
Comment on attachment 8991650 [details]
Bug 1475274, Provide a way to specify tokens by PKCS #11 URI
r+ rrelyea
Attachment #8991650 - Flags: review?(rrelyea) → review+
Comment 9 • 7 years ago
Comment on attachment 8991650 [details]
Bug 1475274, Provide a way to specify tokens by PKCS #11 URI
Robert Relyea has been removed from the revision.
https://phabricator.services.mozilla.com/D2099
Attachment #8991650 - Flags: review+
Comment 10 • 7 years ago (Reporter)
Thank you for the review; pushed:
https://hg.mozilla.org/projects/nss/rev/d23206e032bd
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.39
Updated • 7 years ago
Attachment #8991650 - Flags: review?(kaie)