With my own PKCS11 provider installed I am seeing unnecessary password
prompts to login to my provider. When I try to connect to a site with https,
and sometimes just to an http site, I am always getting prompts for my
password, even if the site does not use client authentication and even if my
token is empty (no certs or keys).
I discovered that the order of the slots returned by the P11 interface
C_GetSlotList() is important to the order in which Firefox/NSS tries to find
the best slot supporting a particular mechanism. My P11 provider is similar
to the internal NSS softtoken. It has 2 slots, one for generic crypto
without a token, and a second slot which has a token for certificate/key
storage. Both slots support identical mechanisms but the generic slot does
not require a login. If C_GetSlotList() returns the slot with the cert/key
token as slot[1] then it becomes the first slot searched to see if it
supports a required mechanism, even if the operation doesn't need access to
a cert/key in the token. By changing the order I return the slots I was able
to make my generic slot searched first. The reason behind this is because
NSS builds a linked list of slots supporting each mechanism, adding each
slot to the linked list with PK11_AddSlotToList(). Each new slot is added to
the head of the list so by changing the order that I return the slots in
C_GetSlotList() I was able to force NSS to place my generic provider earlier
in the list. However this did not prevent all the password prompts.
SSL_AuthCertificate() is called to verify a certificate chain during an
SSL/TLS handshake. It ends up calling pk11_RetrieveCrls() which then calls
PK11_GetAllTokens() which loads ever P11 token, including those that need a
login. I am not certain how I can get around this.
rob
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
