Gentlemen,

I'm trying to get NSS working with a 3rd party (Certicom) PKCS#11
library for the ultimate goal of having an ECC CA (Dogtag).  I've asked
on the Dogtag IRC channel and someone has told me they followed the
instructions below more than once and had it working.  I believe they
also used a Certicom module but they weren't sure whether it was the
FIPS module or not.  I am trying to do all this with the FIPS module.

In previous tries I was stopped at the password changing step where I
was just not able to initialize the user pin of the token.  After
hacking the NSS code a little we found that C_Login was returning 183,
which is CKR_SESSION_READ_ONLY_EXISTS, when the call right before this
was to open a RW session.  Because the Certicom library creates a folder
for its "permanent object database", I was able to copy one created from
running Certicom's little sample program to where NSS was creating it
and after that NSS reported that the user pin was initialized and I
could do a certutil -K and use the password that the Certicom sample
program set to login to the token and list keys.

I originally tried this with a RHEL4 with CS7.3 box and am now using a
Fedora 8 with Dogtag 1.0.0 box and I got the same behavior on both
systems.  I'm running into problems long before I get to the CA setup
though so I'm not sure how much that matters at the moment.  I received
the following 2 libraries from Certicom: libsbcpgse.so (The PKCS#11
library) and libsbgse2.so (The crypto implementation).

On to what I tried:

The first step is to build the ECC capable NSS and install it on the
system and I have followed the directions here:
http://pki.fedoraproject.org/wiki/ECC_Capable_NSS

After I build/install NSS, I start to run through the command line
Tests (from
http://pki.fedoraproject.org/wiki?title=ECC_Enabling_Dogtag#Command_Line_Tests).
I do the following:
[EMAIL PROTECTED] Linux2.6_x86_glibc_PTH_DBG.OBJ]# mkdir /tmp/ecc-tests
[EMAIL PROTECTED] Linux2.6_x86_glibc_PTH_DBG.OBJ]# cd /tmp/ecc-tests
[EMAIL PROTECTED] ecc-tests]# certutil -d . -N
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password:
Re-enter password:
[EMAIL PROTECTED] ecc-tests]# modutil -dbdir . -add certicom -libfile
/usr/lib/libsbcpgse.so

WARNING: Performing this operation while the browser is running could
cause
corruption of your security databases. If the browser is currently
running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

Using database directory ....
Module "certicom" added to database.
-------------------------
At this point I compiled and ran the sample program from Certicom and
copied the .certicom folder into /root/ then skipped the NSS command to
change the password
-------------------------
[EMAIL PROTECTED] ecc-tests]# modutil -dbdir . -list certicom
Using database directory ....

-----------------------------------------------------------
Name: certicom
Library file: /usr/lib/libsbcpgse.so
Manufacturer: Certicom Corp.
Description: SB API for PKCS 11 with SB GSE
PKCS #11 Version 2.20
Library Version: 1.0
Cipher Enable Flags: None
Default Mechanism Flags: None

  Slot: FIPS Generic Crypto Services V1.0.1c
  Slot Mechanism Flags: None
  Manufacturer: Certicom Corp.
  Type: Software
  Version Number: 1.0
  Firmware Version: 0.0
  Status: Enabled
  Token Name: Certicom FIPS Crypto Services
  Token Manufacturer: Certicom Corp.
  Token Model: 1.0.1c
  Token Serial Number:
  Token Version: 1.0
  Token Firmware Version: 0.0
  Access: Write Protected
  Login Type: Public (no login required)
  User Pin: NOT Initialized

  Slot: FIPS Certificate/Key Services V1.0.1c
  Slot Mechanism Flags: None
  Manufacturer: Certicom Corp.
  Type: Software
  Version Number: 1.0
  Firmware Version: 0.0
  Status: Enabled
  Token Name: Certicom FIPS Cert/Key Services
  Token Manufacturer: Certicom Corp.
  Token Model: 1.0.1c
  Token Serial Number:
  Token Version: 1.0
  Token Firmware Version: 0.0
  Access: NOT Write Protected
  Login Type: Login required
  User Pin: Initialized

-----------------------------------------------------------
[EMAIL PROTECTED] ecc-tests]# certutil -d . -G -h "Certicom FIPS Cert/Key
Services" -k ec -q nistp256
Enter Password or Pin for "Certicom FIPS Cert/Key Services":

A random seed must be generated that will be used in the
creation of your key.  One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!


Continue typing until the progress meter is full:

|************************************************************|

Finished.  Press enter to continue:


Generating key.  This may take a few moments...

[EMAIL PROTECTED] ecc-tests]# certutil -d . -R -h "Certicom FIPS Cert/Key
Services" -k ec -q nistp256 -s "CN=cfu1003" -a -o req.1003b
Enter Password or Pin for "Certicom FIPS Cert/Key Services":

A random seed must be generated that will be used in the
creation of your key.  One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!


Continue typing until the progress meter is full:

|************************************************************|

Finished.  Press enter to continue:


Generating key.  This may take a few moments...

certutil: signing of data failed: An I/O error occurred during security
authorization.

Thanks,
Dave
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
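On the 183 result described in the post: in PKCS#11 v2.20 (section 11.6, C_Login) CKR_SESSION_READ_ONLY_EXISTS is returned for a security-officer login whenever any read-only session is still open on the token, whichever session the login is issued from, so an RW session opened immediately before the call does not by itself clear the condition. The Python model below of those session rules is an added example, not NSS's or Certicom's code; the PIN values and the "stale read-only session" scenario are constructed assumptions.

```python
# Model of the PKCS#11 v2.20 session/login rules behind C_InitPIN. Constructed
# for illustration; not NSS or Certicom code. Return values are the spec's CK_RV.
CKR_OK, CKR_PIN_INCORRECT = 0x00, 0xA0
CKR_SESSION_READ_ONLY, CKR_SESSION_READ_ONLY_EXISTS = 0xB5, 0xB7   # 0xB7 == 183
CKR_USER_NOT_LOGGED_IN, CKR_USER_PIN_NOT_INITIALIZED = 0x101, 0x102
CKU_SO, CKU_USER = 0, 1

class Token:
    """Login state is per token and shared by every session the application holds."""
    def __init__(self, so_pin="so-pin", user_pin=None):
        self.so_pin, self.user_pin = so_pin, user_pin   # None: "User Pin: NOT Initialized"
        self.sessions = {}
        self.logged_in = None

    def open_session(self, rw):
        self.sessions[len(self.sessions) + 1] = rw     # handle -> True (R/W) / False (R/O)
        return len(self.sessions)

    def login(self, user, pin):
        if user == CKU_SO:
            # Section 11.6: the SO cannot log in while *any* R/O session is open,
            # regardless of which session the C_Login call itself is issued from.
            if any(not rw for rw in self.sessions.values()):
                return CKR_SESSION_READ_ONLY_EXISTS
            expected = self.so_pin
        else:
            if self.user_pin is None:
                return CKR_USER_PIN_NOT_INITIALIZED
            expected = self.user_pin
        if pin != expected:
            return CKR_PIN_INCORRECT
        self.logged_in = user
        return CKR_OK

    def init_pin(self, handle, new_pin):
        # C_InitPIN: only the SO, through an R/W session, may set the user PIN.
        if self.logged_in != CKU_SO:
            return CKR_USER_NOT_LOGGED_IN
        if not self.sessions[handle]:
            return CKR_SESSION_READ_ONLY
        self.user_pin = new_pin
        return CKR_OK

def init_user_pin(token, stale_ro_session):
    if stale_ro_session:                # constructed: an earlier R/O session left open
        token.open_session(rw=False)
    rw = token.open_session(rw=True)    # the R/W session opened right before the login
    rv = token.login(CKU_SO, "so-pin")
    return token.init_pin(rw, "user-pin") if rv == CKR_OK else rv
```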
