Hi Oscar. Thanks,
So yes, the failure to find your token is a failure in firefox (psm in this case) to find a token that can do CKM_RSA_PKCS. Firefox looks for tokens that are writable that can to the PKCS mechanism since pretty much all it's operations is done with PKCS.
Oscar So wrote:
Yes: For SSL/TLS you will need to find the standard for PSS for TLS. It is most likely a new Cipher suite. SSL uses a very low level signature scheme, so you would need to modify the client auth code to support this.Hi Bob, 3) can decrypt S/Mime messages or do SSL client auth. That is a problem with the mechanisms... Answer: This feature is NOT supported, so I did not test this. The module was loaded correctly as you can see it in Device Manager (see attached image). But, during certificate request, my PKCS#11 module is suppose to pop up as one of the option to be chosen, but it wasn't. (see attached image). Does NSS and FireFox ONLY supports PKCS#1 padding ? Does it mean that I have to MODIFY FireFox to support PSS padding ?
For S/MIME, certificates, etc, you can add the new PSS OID to the built in oid table, point the mechanism to CKM_RSA_PSS. We have isolated many of the changes to nss proper for signing. Basically you need to modify nss/cryptohigh/sec_vfy.c and nss/cryptohi/sec_sign.c.
The firefox code meantioned above would have to change as well. That's more difficult. PKCS #1 is pretty ubiquitous, so it's important not to break that. PSS may be better as a new algorithm (rsa_pss?). This is important because the default rsa crmf request is going to try to do an PKCS1 signature as part of the key issuance process. If the keys is in your token and the PKCS #1 signature fails, things won't be happy (Note: adding the sign and verify support should fix this as long as you use the PSS oid in the keygen rather than the PKCS #1 oid, thus they feel like different algorithms).
In general, PKCS #11 does not provide algorithm transparency. In particular changes to Asymetric protocols typically cause a larger amount of pain than adding new symetric algorithms. (DSA and RSA_PKCS have no parameters, for instance).
One final note: if you add support for PSS, you should probably add PSS support to softoken so that NSS can at least verify signatures that you create;).
bob
Also, attached PKCS#11 log file. Here are the mechanism returned from my PKCS#11 module: 8: C_GetMechanismList [in] slotID = 0x0 [out] pMechanismList[4]: CKM_RSA_PKCS_KEY_PAIR_GEN CKM_RSA_PKCS_PSS CKM_RSA_X_509 CKM_SHA_1 Returned: 0 CKR_OK Thank you very much! Oscar
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
