Helge Bragstad wrote: > Hello, > > I'm using a PKCS #11 module with Mozilla 1.7.12 for > email/authentication. The token at hand *require* message digest to be > calculated in the token, so the MechanismInfo for CKM_RSA_PKCS indicates > this by the setting these flags only: CKF_HW | CKF_DECRYPT | CKF_UNWRAP. > (Not CKF_SIGN!). Further the MechanismInfo for CKM_SHA1_RSA_PKCS sets > the flags: CKF_HW | CKF_SIGN. Nevertheless, when signing an email with > mail tool, it does C_SignInit with Mechanism type = CKM_RSA_PKCS, which > then returns CKR_MECHANISM_INVALID. After this the mail tool gives up. > > The question is: Is there any way to make NSS to use CKM_SHA1_RSA_PKCS > for signing rather than CKM_RSA_PKCS?
Based on the contents of this search: http://lxr.mozilla.org/security/search?string=CKM_SHA1_RSA_PKCS I conclude that NSS implements CKM_SHA1_RSA_PKCS in its "softoken" PKCS#11 module, and that PK11wrap knows how to use it, and that pk11util (NSS test program for PKCS#11) knows how to excersize it, but no other code in NSS libraries ever uses that mechanism. Does your module implement C_GetOperationState and C_SetOperationState to save and restore the intermediate states of the SHA1 hash in CKM_SHA1_RSA_PKCS ? That might be necessary for NSS to use it. Also, I'm not sure that CKM_SHA1_RSA_PKCS is usable for SSL/TLS client authentication. I should look into that. I suggest you file an NSS RFE (request for enhancement) in bugzilla.mozilla.org, asking for NSS to try to use CKM_SHA1_RSA_PKCS when it is available and CKM_RSA_PKCS does not have CKF_SIGN. You might indicate what applications you want that for, e.g. S/MIME? SSL/TLS client authentication? SSL/TLS servers? Form signing? -- Nelson B _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
