Hi Bob,
here is my experience so far with the NSS PKCS#11 and CAPI.

I tried out the NSS PKCS#11 DLL for CAPI with the Firefox3 security device manager and I was able to load the DLL as a PKCS#11 module.
Last time (a few months ago) I tried with Firefox2 and it did not work.
I was actually surprised to see that the NSS PKCS#11 DLL for CAPI is automatically built in when I compiled the Firefox3 source.

The browser now lists all the certs in the personal certificate store (of MS Crypto service) in the "your certificate" tab of the PSM certificate manager.
I can view the certificate, back it up using a PKCS#12 file and export it as an X.509 cert.

I can neither generate a key-pair nor use the private key to sign either a PKCS#10 CSR or another cert.
It always prompts for a password (as mentioned in the README file) with a smart card dialog window. I do not even know the password of the MS Crypto store because the MS Crypto tool (certmgr.msc) allows me to view and import certs without any password. I have to investigate this a little bit more.
If I cancel the password prompt, it crashes the browser.
Is there a way to avoid the CAPI-generated prompt for a password?
Can I use nsIPK11Token.checkPassword() to explicitly log in to the token for the MS Certificate store so that the password prompt is not shown at all?
Have you been able to access the private key from the "MS certificate store" token?
--
Subrata

Robert Relyea wrote:
> Nelson B Bolyard wrote:
>> Chris Hills wrote, On 2008-07-03 10:47:
>>
>>  
>>>  From what I have read in this group, there is already some 
>>> experimental code in NSS, but I have no idea as to its functionality 
>>> or usability.
>>>     
>>
>> The files are in
>> http://lxr.mozilla.org/security/source/security/nss/lib/ckfw/capi/
>> Work on that project stopped ~2.5 years ago.
>> You're welcome to try it.
>>   
> I ran with this module for over a year, there are probably some memory
> leaks, but in general it worked well.
> This module maps existing CAPI modules into PKCS #11 (gives Firefox
> access to capi modules -- most notably *THE* capi module (microsoft
> cert store)).
>> My guess is that it does a good job at doing the things that it does,
>> but has limited functionality (doesn't do all the things you might 
>> like).
>>   
> If you are looking for the reverse (use a PKCS #11 module with capi 
> applications), then you want to look here:
> http://directory.fedoraproject.org/wiki/CoolKey#Windows_CSP
>
> bob
>> _______________________________________________
>> dev-tech-crypto mailing list
>> dev-tech-crypto@lists.mozilla.org
>> https://lists.mozilla.org/listinfo/dev-tech-crypto
>>   
>