Thanks Nelson. My comments are inline.

Nelson Bolyard wrote:
> Subrata Mazumdar wrote, On 2008-02-28 17:18:
>
>> I have two questions about configuration of PKCS#11 module in Firefox 3:
>>
>> - is there any documentation on how to configure MS CAPI as PKCS#11
>> module in Firefox 3 and certutil?
>>
>
> MS CAPI is not a PKCS#11 module, and cannot be configured to be a PKCS#11
> module. MS CAPI uses MS's own crypto API.
>
> One of the NSS developers has done some work to write a PKCS#11 module
> that interfaces to MS CAPI. That work is not (yet) an official part of
> NSS, and is not supported (we don't take bug reports on it). Perhaps the
> author will give us a status update on that work here in this newsgroup.

Yes, I was referring to that work on the PKCS#11 module that interfaces to MS CAPI.
Since I saw the code under the .../nss/lib/ckfw directory of FF3, I thought that it is going to be supported.

>> - Also, is it possible to configure NSS softoken as PKCS#11 module
>> (like we do in Java to access NSS) within NSS?
>>
>
> Uh, NSS's softoken is always configured in NSS, by default. NSS can't run
> without its softoken, AFAIK.
>
>
>> My motivation is to access the keys/certs from profiles other than
>> current profile of the browser.
>>
>
> Ah, you want to configure softoken to use a different set of databases
> rather than, or in addition to, the default.
>

Yes, what I meant was to access DBs from other browsers as "external tokens" in addition to the default (which is the internal token) of the current browser.
My only requirement is that I should be able to configure the DBs as a PKCS#11 module using the "load" button in the "Device Manager" dialog of Mozilla PSM for security devices.

> The "rather than" case is pretty easy. The NSS library initialization
> functions (named NSS_Init*) all take an argument which is the path name
> of a directory in which the DBs are to be found. You just initialize
> NSS pointing to a different set of DBs.
>
> The "in addition to" case is probably a little trickier, and may not work.
> There is a function named SECMOD_OpenUserDB by which an application can
> ask NSS to open another PKCS#11 slot/token in the softoken module, after
> NSS has been initialized, using the DBs from a different directory. See
> http://lxr.mozilla.org/security/ident?i=SECMOD_OpenUserDB
>
> Unfortunately, there are no test programs or example code that
> use SECMOD_OpenUserDB, and it is not tested as part of our ongoing
> automated QA. So it may or may not work, and isn't really supported
> just yet, but may be by the time that NSS 3.12 is officially released.
>

Thanks for the info. I think I have enough hints to create a test case.
Since my test environment is FF3, which in turn uses NSS 3.12, I should be able to follow your directions.
I will try it out when I get a chance and post the test code if I am successful.

> /Nelson
>
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
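
The "in addition to" case discussed above, as an added example that is not part of the original thread and is not NSS project code: it builds the module spec string passed to SECMOD_OpenUserDB and, when compiled with the hypothetical `USE_NSS` macro against the NSS headers, opens a second DB directory read-only as an extra softoken slot. The helper name `build_userdb_spec`, the directory `/tmp/other-profile` and the token label are assumptions made for illustration.

```c
/* Added example; path and token label are constructed placeholders. */
#include <stdio.h>
#include <string.h>
#ifdef USE_NSS  /* cc -DUSE_NSS demo.c $(pkg-config --cflags --libs nss) */
#include <nss.h>
#include <pk11pub.h>
#include <secmod.h>
#endif

/* Build the spec string for SECMOD_OpenUserDB. Quotes and backslashes are
 * rejected so a hostile directory name cannot smuggle extra parameters
 * (for example a second flags= entry) into the spec. Returns 0 on success,
 * -1 on unsafe input or if the result does not fit in out. */
int build_userdb_spec(const char *dir, const char *label, int read_only,
                      char *out, size_t outlen)
{
    int n;
    if (!dir || !label || !out || !*dir || !*label)
        return -1;
    if (strpbrk(dir, "'\"\\") || strpbrk(label, "'\"\\"))
        return -1;
    n = snprintf(out, outlen, "configdir='%s' tokenDescription='%s'%s",
                 dir, label, read_only ? " flags=readOnly" : "");
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(int argc, char **argv)
{
    char spec[1024];
    const char *dir = argc > 1 ? argv[1] : "/tmp/other-profile";
    if (build_userdb_spec(dir, "Other profile", 1, spec, sizeof spec) != 0) {
        fprintf(stderr, "unsafe or oversized DB directory name\n");
        return 1;
    }
    printf("module spec: %s\n", spec);
#ifdef USE_NSS
    if (NSS_NoDB_Init(NULL) != SECSuccess)  /* a browser has NSS up already */
        return 1;
    PK11SlotInfo *slot = SECMOD_OpenUserDB(spec);  /* NULL if the open fails */
    if (slot) {
        printf("opened token: %s\n", PK11_GetTokenName(slot));
        SECMOD_CloseUserDB(slot);
        PK11_FreeSlot(slot);
    }
    NSS_Shutdown();
#endif
    return 0;
}
```

Opening the other profile with `flags=readOnly` keeps the current process from modifying another browser's key and certificate databases; directory names containing backslashes are rejected here rather than escaped.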