Wan-Teh Chang wrote:
> On Mon, Jul 7, 2008 at 8:17 AM, avih <[EMAIL PROTECTED]> wrote:
>> Also, I tried using softokn3.dll copied to a new directory (from
>> Firefox 3 installation) as a starting point. After it complained while
>> loading, I added more and more files until it loaded properly. I
>> ended with the following files in a clean directory:
>>
>> softokn3.dll
>> freebl3.chk
>> mozcrt19.dll
>> nspr4.dll
>> nssutil3.dll
>> plc4.dll
>> plds4.dll
>> softokn3.chk
>> sqlite3.dll
> 
> Yes, this is the correct list of files you need to use softokn3.dll
> as a standalone PKCS #11 library.  There is an optional DLL
> nssdbm3.dll for accessing the old Berkeley DB.  (Firefox 3
> is still using nssdbm3.dll.)  mozcrt19.dll is only needed
> when you use the NSS binaries from a Firefox 3 installation.
> If you build NSS from source code, you won't need mozcrt19.dll.
> 
>> The dll now loads ok, I got the function list pointer ok, but every
>> pFunctionList->C_Initialize(&ArgsInitialize) call that I tried (both
>> valid and invalid combination of arguments) returns with an error code
>> 48 (CKR_DEVICE_ERROR).
>>
>> I've read about a config file, but couldn't quite understand if it
>> only relates to java binding, how to use such file, I've read about
>> pointing it to a db file, but couldn't quite find examples of such
>> usages, and generally, how to make the dll load properly, initialize
>> and function as a working pkcs11 front-end with a soft-token back-end.
> 
> The following wiki page documents how to initialize the NSS softoken
> for the FIPS mode of operation:
> http://developer.mozilla.org/en/docs/FC_Initialize
> 
> The key difference is that you need to use NSS's extended
> CK_C_INITIALIZE_ARGS structure, which has a LibraryParameters
> field.  The wiki page has two examples of the LibraryParameters strings,
> with a link to the specification of that string.
> 
> In the NSS source tree, pk11mode.c is a test program that demonstrates
> how to use the softoken in FIPS and non-FIPS modes:
> http://lxr.mozilla.org/security/source/security/nss/cmd/pk11mode/pk11mode.c
> 
> Finally, you can refer to our FIPS Security Policy (pp. 4-5 and 28-31) for how
> to use the softoken as a standalone PKCS #11 library:
> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2007.htm#814
> 
> Wan-Teh

Still couldn't manage to C_Initialize. I copied the entire
initialization sequence from pk11mode.c, and it still always returns
CKR_DEVICE_ERROR.

I tried without any cli args (default values), tried the mozilla line of
library initialization (copied from the FC_Initialize wiki page),
while pointing the path to a new directory that I created that contains
all of the profile files (without any subdirectories), added the
nssdbm3.dll because when I pointed it to a firefox profile, it would
probably use the Berkeley DB files of firefox (cert8, key3, secmod ?),
tried both fips and non fips modes ([F]C_GetFunctionList ), all to no
avail. It always fails to initialize with the same error value.

Also, what I've done so far was trial and error stuff. I'd still
appreciate a more complete procedure to create such a standalone
soft-token pkcs11 instance.

i.e.:

1. What minimal set of DLL/DB/Other files should I use (let's keep the
discussion to a firefox 3 installation, possibly with a new user profile
as the base for these files) and where should I put them?

2. Can I use no DB files and let the library create them on the fly?
What are the consequences? Can I use the firefox DB files instead? What
are the implications/limitations of that? What should I know about those
DB files?

3. What possible/minimal-set values of LibraryParameters would be
compatible with such stand alone instance?


thanks in advance,
avih
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
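
The initialization step discussed in this thread (NSS's extended CK_C_INITIALIZE_ARGS carrying a LibraryParameters string), sketched as an added example; it is not code from the thread, from pk11mode.c or from NSS. Assumptions: the struct is a stand-in for the one in NSS's pkcs11.h, the names build_params, softoken_initialize and stub_initialize and the path are hypothetical, and the string uses the configdir/certPrefix/keyPrefix/secmod/flags form of the softoken parameter specification.

```c
#include <stdio.h>
#include <string.h>
/* Stand-in types (assumption): real code includes NSS's pkcs11.h instead. */
typedef unsigned long CK_RV;
#define CKR_OK            0x00UL
#define CKR_ARGUMENTS_BAD 0x07UL
#define CKF_OS_LOCKING_OK 0x02UL
typedef struct { /* field order of NSS's extended CK_C_INITIALIZE_ARGS */
    void *CreateMutex, *DestroyMutex, *LockMutex, *UnlockMutex;
    unsigned long flags;
    unsigned char **LibraryParameters; /* NSS extension: parameter string */
    void *pReserved;                   /* must stay NULL */
} nss_init_args;
typedef CK_RV (*init_fn)(void *); /* shape of C_Initialize / FC_Initialize */

/* Build the parameter string for one database directory. Returns -1 if dir
 * contains a quote (rejected here, not escaped) or the buffer is too small. */
int build_params(char *out, size_t len, const char *dir)
{
    if (dir == NULL || strchr(dir, '\'') != NULL) return -1;
    int n = snprintf(out, len, "configdir='%s' certPrefix='' keyPrefix='' "
                               "secmod='secmod.db' flags= ", dir);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

CK_RV softoken_initialize(init_fn initialize, const char *dir)
{
    static char params[512]; /* static: still valid after this call returns */
    nss_init_args args;
    if (build_params(params, sizeof params, dir) != 0) return CKR_ARGUMENTS_BAD;
    memset(&args, 0, sizeof args); /* no mutex callbacks, pReserved = NULL */
    args.flags = CKF_OS_LOCKING_OK;
    args.LibraryParameters = (unsigned char **)params;
    return initialize(&args);
}

/* Constructed stub standing in for pFunctionList->C_Initialize. */
static char seen[512];
static CK_RV stub_initialize(void *p)
{
    nss_init_args *a = p;
    strncpy(seen, (const char *)a->LibraryParameters, sizeof seen - 1);
    return a->pReserved == NULL ? CKR_OK : CKR_ARGUMENTS_BAD;
}

int main(void)
{
    /* "C:/softoken/db" is a constructed path, not one from the thread. */
    printf("rv=%lu\n", softoken_initialize(stub_initialize, "C:/softoken/db"));
    return 0;
}
```

In a real program the stub is replaced by the C_Initialize (or FC_Initialize) entry taken from the function list that C_GetFunctionList returns.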
