So, the likely problem is your token is not claiming to be a RW token.
All that being said, PKCS #11 does have a restriction that you can't have any RO session at the same time you have a logged in SSO session. Since restricting RO sessions will basically bring NSS to its knees, there really is no provision in NSS for managing SSO states on the card. In general NSS expects tokens to be managed 'off-line'. The basic reasons for this are:

1) Most token initialization is way too complicated to be accomplished using the defined PKCS #11 interfaces.
2) As a result few tokens are consistent in implementing the SSO and token initialization methods.
3) Most token system provisioning happens either on trusted workstations, or through mechanisms like OpenPlatform connections (the latter has no visibility to PKCS #11).
4) NSS is primarily focused on user's usage (the 99% case), which in PKCS #11 is mutually exclusive to Security Officer Management.
bob

Nicolas Justin wrote:

Hello,

I try to use the PK11_InitPin function of the NSS to change the user PIN using the SSO PIN, from a XPCOM component in Mozilla (1.7, NSS 3.9), but I always get a CKR_SESSION_READ_ONLY_EXISTS error from my crypto device.

It seems that Mozilla opens a RO session on the token, then my component opens another when opening a slot. Since I could only pass _my_ slot to PK11_InitPin(), PK11_GetRWSession() could not transform my session to RW since there is already a RO session opened (the Mozilla one).

Should I have to close the Mozilla session on the token before calling PK11_InitPin()? How? Should I have to temporarily stop Mozilla to automatically open a session on inserted token? How? Or maybe I'm just going the wrong way :)

Thanks in advance.
_______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
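
The PKCS #11 restriction discussed in this thread, as an added example that is not part of the original messages and is not NSS code: a small C model of one token's session bookkeeping showing why a Security Officer login returns CKR_SESSION_READ_ONLY_EXISTS while another application's R/O session is open. The `struct token` and `tok_*` names are hypothetical; the constants carry their PKCS #11 values, and the model leaves out the requirement that the SO login itself be made on an R/W session.

```c
#include <stdio.h>

/* Return codes and flags with their PKCS #11 values. */
#define CKR_OK                           0x000UL
#define CKR_SESSION_READ_ONLY_EXISTS     0x0B7UL
#define CKR_SESSION_READ_WRITE_SO_EXISTS 0x0B8UL
#define CKR_USER_NOT_LOGGED_IN           0x101UL
#define CKF_RW_SESSION                   0x002UL
#define CKU_SO   0UL
#define CKU_USER 1UL

/* Hypothetical model of one token's session bookkeeping (not NSS code). */
struct token { int ro, rw; int so_logged_in; };

/* Models C_OpenSession: no R/O session may open while the SO is logged in. */
unsigned long tok_open(struct token *t, unsigned long flags) {
    if (flags & CKF_RW_SESSION) { t->rw++; return CKR_OK; }
    if (t->so_logged_in) return CKR_SESSION_READ_WRITE_SO_EXISTS;
    t->ro++;
    return CKR_OK;
}

/* Models C_CloseSession for one session of the given kind. */
void tok_close(struct token *t, unsigned long flags) {
    if (flags & CKF_RW_SESSION) t->rw--; else t->ro--;
    if (t->ro + t->rw == 0) t->so_logged_in = 0; /* last close logs out */
}

/* Models C_Login: login state is shared by every session on the token,
   so an SO login is refused while any R/O session is open. */
unsigned long tok_login(struct token *t, unsigned long user) {
    if (user == CKU_SO) {
        if (t->ro > 0) return CKR_SESSION_READ_ONLY_EXISTS;
        t->so_logged_in = 1;
    }
    return CKR_OK;
}

/* Models C_InitPIN: only valid in the "R/W SO Functions" state. */
unsigned long tok_init_pin(const struct token *t) {
    return t->so_logged_in ? CKR_OK : CKR_USER_NOT_LOGGED_IN;
}

int main(void) {
    struct token t = {0, 0, 0};
    tok_open(&t, 0);                 /* first application's R/O session */
    tok_open(&t, CKF_RW_SESSION);    /* component's R/W session */
    printf("SO login with R/O open: 0x%lx\n", tok_login(&t, CKU_SO));
    tok_close(&t, 0);
    printf("SO login after close:   0x%lx\n", tok_login(&t, CKU_SO));
    printf("InitPIN:                0x%lx\n", tok_init_pin(&t));
    return 0;
}
```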