Alon Bar-Lev wrote:
This is probably because the token does not keep it's login state. NSS does not try to remember if a particular token has been logged in or logged out, it will always ask to token to see if it needs to be logged in or not. If the token does not update and maintain it's internal login state, NSS will end up logging into the token every time it queries. Login state is returned through the C_GetSessionInfo() call. This allows vendors to control the login state of their tokens independent of NSS. NOTE: one common error in tokens is the failure to update the session state of *ALL* sessions on login or logout.Hello,I am using Mozilla applications for a long time I enjoy it, but the PKCS#11 implementation always worried me.1. It prompts for PIN every time the token is accessed (Does not use the public objects if exists).
2. It does not prompt for token insert if the token is unavailable. For example, you started SSL session using a certificate on a token, then remove it, at next negotiation you should be prompted to insert your token.Unfortunately there is no way for NSS to know that it needs your particular token. We are currently working on dealing with this from the UI level (several error messages now,
3. Every key negotiation there is a PIN prompt without reuse of last credentials.
This is a bug in your pkcs #11 module (see 1 above).
This looks like you are not keeping a consistent session state. NSS detects card insertion and removal by verifying that the global session it opens when it first initializes the card is still valid. If that session is not maintained (the token looses that session or returns an error on C_GetSessionInfo()), NSS can only assume that the token in the reader is different from the last token it was talking to, so it rereads all the objects off the token. This particular error will cause the pin prompt problems above (NSS sees that same session as logged out). You should examine what is happenning in your C_GetSessionInfo() call.4. Every key negotiation all objects are re-read from token.
bob
Lately, I spent time in introducing PKCS#11 to open source projects, started with OpenVPN (merged), then OpenSSH (not yet), lately I've finished integrating PKCS#11 into QCA (Qt Cryptographic Architecture, merged) so that KDE 4 will be able to use smartcards.Now I think I am ready to help you.If you like, I am willing to help you make the PKCS#11 implementation better. I guess this cannot be done without making some changes in the NSS interface.I've implemented a pkcs11-helper module that abstracts the use of PKCS#11. It handles multiple providers, works on Linux and Windows, supports session caching, object serialization, PIN prompt, token prompt, PIN cache period, protected authentication and more.Attached is my header file so you might get an idea of what can be done. Best Regards, Alon Bar-Lev.
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
