> With my own PKCS11 provider installed I am seeing unnecessary password prompts to login to my provider. When I try to connect to a site with https, and sometimes just to an http site, I am always getting prompts for my password, even if the site does not use client authentication and even if my token is empty (no certs or keys).
>
> I discovered that the order of the slots returned by the P11 interface C_GetSlotList() is important to the order in which Firefox/NSS tries to find the best slot supporting a particular mechanism. My P11 provider is similar to the internal NSS softtoken. It has 2 slots, one for generic crypto without a token, and a second slot which has a token for certificate/key storage. Both slots support identical mechanisms but the generic slot does not require a login. If C_GetSlotList() returns the slot with the cert/key token as slot[1] then it becomes the first slot searched to see if it supports a required mechanism, even if the operation doesn't need access to a cert/key in the token. By changing the order I return the slots I was able to make my generic slot searched first. The reason behind this is because NSS builds a linked list of slots supporting each mechanism, adding each slot to the linked list with PK11_AddSlotToList(). Each new slot is added to the head of the list so by changing the order that I return the slots in C_GetSlotList() I was able to force NSS to place my generic provider earlier in the list. However this did not prevent all the password prompts.
>
> SSL_AuthCertificate() is called to verify a certificate chain during an SSL/TLS handshake. It ends up calling pk11_RetrieveCrls() which then calls PK11_GetAllTokens() which loads every P11 token, including those that need a login. I am not certain how I can get around this.
>
> rob

I've seen this problem recently with a commercial PKCS11 provider I use and logged the following bug:

https://bugzilla.mozilla.org/show_bug.cgi?id=326637

As far as I can see the problem is new with FF1.5, it did not exist in FF1.0.7.

Mark.

> _______________________________________________
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
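The slot-list behaviour Rob describes above, as an added C example that is neither NSS code nor his provider's code: it models a per-mechanism list built by prepending, shows why the order C_GetSlotList() returns decides which slot is tried first, and shows why a walk over all tokens still touches the login slot. The Slot/Node types, the MECH_AES bit and all function names are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>

#define MECH_AES  0x1u   /* hypothetical mechanism bit; both slots support it */
#define MAX_SLOTS 8

typedef struct { const char *name; unsigned mechs; bool needs_login; } Slot;
typedef struct Node { const Slot *slot; struct Node *next; } Node;

/* Constructed stand-ins for the two slots described in the mail. */
static const Slot GENERIC = { "generic-crypto", MECH_AES, false };
static const Slot TOKEN   = { "cert-key-token", MECH_AES, true  };

/* Build the per-mechanism list by walking slots in C_GetSlotList() order and
 * prepending each match (assumed PK11_AddSlotToList-style behaviour), then
 * report whether the head, the slot searched first, would force a login. */
bool best_slot_needs_login(const Slot *const *slots, size_t n, unsigned mech)
{
    Node pool[MAX_SLOTS], *head = NULL;
    for (size_t i = 0; i < n && i < MAX_SLOTS; i++) {
        if (!(slots[i]->mechs & mech)) continue;
        pool[i].slot = slots[i];
        pool[i].next = head;   /* new node becomes the head: order is reversed */
        head = &pool[i];
    }
    return head != NULL && head->slot->needs_login;
}

/* token_as_slot1 mirrors the softtoken-like layout (token returned last);
 * otherwise the generic slot is returned last, which is Rob's reordering. */
bool first_slot_prompts(bool token_as_slot1)
{
    const Slot *order[2];
    order[0] = token_as_slot1 ? &GENERIC : &TOKEN;
    order[1] = token_as_slot1 ? &TOKEN   : &GENERIC;
    return best_slot_needs_login(order, 2, MECH_AES);
}

/* A PK11_GetAllTokens()-style walk touches every login token whatever the
 * order, which is why reordering alone did not remove the CRL-path prompt. */
int prompts_when_loading_all_tokens(bool token_as_slot1)
{
    const Slot *order[2] = { token_as_slot1 ? &GENERIC : &TOKEN,
                             token_as_slot1 ? &TOKEN   : &GENERIC };
    int prompts = 0;
    for (size_t i = 0; i < 2; i++)
        prompts += order[i]->needs_login ? 1 : 0;
    return prompts;
}
```

Returning the generic slot last makes it the list head and avoids the login for mechanism lookup, but the all-tokens walk still counts one login slot either way.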