Wan-Teh Chang wrote, On 2008-07-28 18:20:
> On Mon, Jul 28, 2008 at 5:44 PM, Nelson B Bolyard <[EMAIL PROTECTED]> wrote:
>> NSS's own PKCS#11 module claims to be 2.10 (don't know why, because it
>> has many features from 2.20).
>
> I believe we claim to be 2.20. See the NSC_GetInfo function:
> http://mxr.mozilla.org/security/ident?i=NSC_GetInfo

There's also a version number at the beginning of the CK_FUNCTION_LIST
but on closer inspection, I see that it's version 1.10, not 2.10.
I'm surprised it doesn't match the version in NSC_GetInfo.

I'm also surprised that callers of C_GetFunctionList will NEVER get the
FIPS mode function list. That seems wrong to me. I can understand that
NSC_GetFunctionList will always return the non-FIPS table, and
FC_GetFunctionList will always return the FIPS table, but I am surprised
that C_GetFunctionList doesn't switch between the two. It means that a
program that accesses that module using only the function names given in
the PKCS#11 spec itself will never get FIPS mode. :(

>> There is a PKCS#11 module that uses Windows' key and cert stores as its
>> stores, although it is unsupported. One could write a PKCS#11 module that
>> uses PEM files in some directory as its store, and if done well, NSS would
>> very likely work with it. But I have no incentive to write such a thing.
>> Please feel free.
>
> Daniel Stenberg mentioned that Red Hat wrote such a PKCS #11 module.
> I also remember hearing about that before. I just did a web search for
> "PKCS #11 module OpenSSL PEM files", and found it in this page:
> http://rcritten.fedorapeople.org/nss_compat_ossl.html

Kudos to Rob! I wish we had some info about it in Mozilla's web pages,
even if they're just links to Red Hat's pages.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto