Atha wrote:
Hello to all
We currently use an open+custom PKI that supports smartcards with IE. Now we want to extend our capabilities to support also smartcards in mozilla clients with PKCS#11. The functionality that we need is:
1. key-pair generation ON PKCS#11 enabled smartcard
2. Creation of the certificate request
3. Load of the created certificate to the smartcard
You need a PKCS #11 module with the following:

1) The module needs to be marked as writeable.
2) You need to support CKM_RSA_PKCS (assuming you are using RSA keys/certs).
3) You need to support C_CreateObject.
4) If you want to do on card key pair generation, then you need to support
   a. CKM_RSA_GENERATE_KEY_PAIR.
   b. C_GenerateKeyPair.

I would suggest getting the token to work with off card generation first (You can then test most of the infrastructure, including getting and using certificates.) For this you simply need to support C_CreateObject for private keys. Once you have everything working, you can add C_GenerateKeyPair support.

Note: once you have 1-3, mozilla will also support importing keys and certs into the token via pkcs12 (Import the pkcs12 file just as you would normally. If you have a blank token plugged in, you will be prompted where you would like the key and cert to go.)
My main problem is that I have made a lot of effort to find out which is the best point to start? I have already tried without success, due to inexperience in java and java script programming and of the confusing (in my opinion) information that I have found on the internet. Mainly I have tried with JavaScript and the info from: http://developer.mozilla.org/en/docs/JavaScript_crypto
For example:
1. I get an error "Cannot load module" when I try to "pkcs11.addmodule("gj","c:\..\settoki.dll",0,0)"
This usually means something is missing or wrong with your PKCS #11 module. If you grab the NSS source and build pk11util, you can isolate the loading issue. (at least make sure the library is basically loadable). I would use the device loader UI until you solve the problems with your PKCS #11 module.

The most common problems in loading a new module are as follows:
   1) the shared library has missing dependencies and PR_LoadLibrary fails.
   2) the C_GetFunctionList entry point can not be found.
   3) C_Initialize or C_GetFunctionList failed.

2. Even if I find out how to load the module I am not sure how to syntax the "FLAGS" in order to have keypair-generation ON/BY the smartcard and not mozilla and after that how to tell to crypto.generateCRMFRequest to use smartcard.
For most smart cards, the default flags are fine.
3. The SmartCard has a PIN, how can I prompt for the PIN? ....
You need to mark your token as 'Need Login'. Mozilla will automatically prompt for the PIN when it needs to use the token.
I am totally confused ... :(
Thus, does anybody have suggestions, docs, example code, guidelines... even in JAVA or C?
Obviously you found the FAQ. I'll update it with answers to your current questions.

bob
Thank you very much in advance

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
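
The three load failures listed in the reply above can be told apart outside the browser. The following is an added example, not part of the original thread and not NSS code; it uses Python's ctypes, and the name `diagnose_module` is hypothetical. It assumes the module accepts NULL arguments to C_Initialize.

```python
import ctypes
import sys

CKR_OK = 0x00000000
CK_RV = ctypes.c_ulong                              # CK_RV is a CK_ULONG
INIT_FN = ctypes.CFUNCTYPE(CK_RV, ctypes.c_void_p)  # C_Initialize / C_Finalize

class CK_VERSION(ctypes.Structure):
    _fields_ = [("major", ctypes.c_ubyte), ("minor", ctypes.c_ubyte)]

class CK_FUNCTION_LIST(ctypes.Structure):
    # Only the head of the structure is declared; later entries are not needed here.
    if sys.platform == "win32":
        _pack_ = 1                                  # Cryptoki structs are 1-byte packed on Windows
    _fields_ = [("version", CK_VERSION),
                ("C_Initialize", INIT_FN),
                ("C_Finalize", INIT_FN)]

def diagnose_module(path):
    """Return (stage, detail) where stage names the first step that failed, or 'ok'."""
    try:
        lib = ctypes.CDLL(path)                     # problem 1: library or a dependency missing
    except OSError as exc:
        return ("load", str(exc))
    try:
        get_list = lib.C_GetFunctionList            # problem 2: entry point not exported
    except AttributeError:
        return ("entry-point", "C_GetFunctionList is not exported")
    get_list.restype = CK_RV
    get_list.argtypes = [ctypes.POINTER(ctypes.POINTER(CK_FUNCTION_LIST))]
    funcs = ctypes.POINTER(CK_FUNCTION_LIST)()
    rv = get_list(ctypes.byref(funcs))              # problem 3a: C_GetFunctionList failed
    if rv != CKR_OK or not funcs:
        return ("get-function-list", "CK_RV 0x%08x" % rv)
    rv = funcs.contents.C_Initialize(None)          # problem 3b: C_Initialize failed
    if rv != CKR_OK:
        return ("initialize", "CK_RV 0x%08x" % rv)
    version = funcs.contents.version
    funcs.contents.C_Finalize(None)
    return ("ok", "Cryptoki %d.%d" % (version.major, version.minor))

if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python diagnose.py <path to PKCS #11 module>
    print(diagnose_module(sys.argv[1]))
```

A result of `load` points at the library file or its dependencies, while `get-function-list` and `initialize` carry the CK_RV value the module returned.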
