Closed Bug 1475274 Opened 6 years ago Closed 6 years ago

Provide a way to specify tokens with PKCS #11 URI

Categories

(NSS :: Libraries, enhancement)

Product:
NSS
Component:
Libraries
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: ueno, Unassigned)

Details

Attachments

(1 file)

Bug 1475274, Provide a way to specify tokens by PKCS #11 URI
46 bytes, text/x-phabricator-request
Details | Review 
While the patches in bug 1162897 made it possible to use PKCS #11 URI as a certificate nickname (through PK11_FindCertsFromNickname), it is still not possible to specify tokens with URI.

It would be good if PK11_FindSlotByName() works similarly, so that the client applications[1] can use PKCS #11 URI instead of token names.

[1] https://codesearch.debian.net/search?q=PK11_FindSlotByName&perpkg=1
This patch allows client applications to specify tokens unambiguously with PKCS #11 URI, instead of token name.  It also includes a minor fixes to PKCS #11 URI handling that previously treated the scheme case sensitively.
Attachment #8991650 - Flags: review?(rrelyea)
Attachment #8991650 - Flags: review?(kaie)
Comment on attachment 8991650 [details]
Bug 1475274, Provide a way to specify tokens by PKCS #11 URI

In cert/cert.sh:
          # This token shouldn't have any keys
	​  CU_ACTION="List keys in NSS Generic Crypto Services"
	​  RETEXPECTED=255
	​  certu -K -f "${R_PWFILE}" -d ${P_R_SERVERDIR} -h ${GENERIC_CRYPTO_URI}
	​  RETEXPECTED=0

Just remove this test. There are no keys or certs in the "Generic Crypto Services" token.
Attachment #8991650 - Flags: review?(rrelyea) → review+
(In reply to Robert Relyea from comment #2)

Thank you for the review.

> There are no keys or certs in the "Generic Crypto Services" token.

That's the reason why I used it in the test actually.  When a non-exitent token name is given, certutil defaults to look at "NSS Certificate DB".  To differentiate the results, we need to use a separate token which doesn't have any object.
Bob, if I understand right, you suggested to duplicate the "NSS Certificate DB" token for testing, either by using modutil or by modifying pkcs11.txt.  Is it really possible?

I tried the following but haven't managed to get two tokens registered in the same database:

```
$ modutil -dbdir sql:nssdb -add another -libfile libsoftokn3.so
...
ERROR: Failed to add module "another". Probable cause : "Unknown PKCS #11 error.

$ modutil -dbdir sql:nssdb -rawlist
library= name="NSS Internal PKCS #11 Module" ...

$ modutil -dbdir sql:nssdb -rawadd 'library= name="another NSS Internal PKCS #11 Module" ...'

$ modutil -dbdir sql:nssdb -list
(only the default internal tokens are shown)
```

Could you provide the actual procedure to register multiple internal tokens?
I was recommending using the builtins, not adding a second NSS Certificate DB. Doing the latter would require sqllite and hand editing the pkcs11.txt file, the tools can't handle this (nor could dbm).

modutil -dbdir sql:nssdb -add builtins -libfile libnssckbi.so

bob
Comment on attachment 8991650 [details]
Bug 1475274, Provide a way to specify tokens by PKCS #11 URI

Robert Relyea has been removed from the revision.

https://phabricator.services.mozilla.com/D2099
Attachment #8991650 - Flags: review+
(In reply to Robert Relyea from comment #5)
> I was recommending using the builtins, not adding a second NSS Certificate
> DB. Doing the latter would require sqllite and hand editing the pkcs11.txt
> file, the tools can't handle this (nor could dbm).
> 
> modutil -dbdir sql:nssdb -add builtins -libfile libnssckbi.so

Thank you for the hint, I have updated the patch to use the NSS Builtin Objects token.
(actually, the token is already registered in cert.sh, so I just replaced the name of the token checked).
Attachment #8991650 - Flags: review?(rrelyea)
Comment on attachment 8991650 [details]
Bug 1475274, Provide a way to specify tokens by PKCS #11 URI

r+ rrelyea
Attachment #8991650 - Flags: review?(rrelyea) → review+
Comment on attachment 8991650 [details]
Bug 1475274, Provide a way to specify tokens by PKCS #11 URI

Robert Relyea has been removed from the revision.

https://phabricator.services.mozilla.com/D2099
Attachment #8991650 - Flags: review+
Thank you for the review; pushed:
https://hg.mozilla.org/projects/nss/rev/d23206e032bd
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.39
Attachment #8991650 - Flags: review?(kaie)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: