Thank you very much Nelson! Yes, it seems that P11's C_InitPIN only talks about tokens which apparently is not the same thing as a key.
This is a bit unfortunate, because there are several things in progress like IETF's KEYPROV and yours truly's KeyGen2 that require a per-key PIN-setting ability.

Although a bit on the slimy side, do you think that an extension to the softtoken implementation would be rejected by the owner(s) of the code?

But of course such an idea goes nowhere unless there is a way to store PINs as well. The following shows 3 out of 10 MySQL tables of the PoC keystore I'm currently working with:
http://webpki.org/papers/keygen2/sql-databases-as-universal-keystores.pdf

I would be interested in upgrading the soft token but I can't fund such a development and it would also be of little interest unless there are some other features added to the Mozilla core such as XML security.

Another possibility would be to create a new P11 provider that through JNI wraps to Java which has excellent support for just about anything you want.

I guess that FireFox uses very few P11 functions for TLS client-auth which is really the only existing mechanism associated with client keys, right?

Anders

----- Original Message -----
From: "Nelson B Bolyard" <[EMAIL PROTECTED]>
To: "mozilla's crypto code discussion list" <dev-tech-crypto@lists.mozilla.org>
Sent: Saturday, August 23, 2008 23:02
Subject: Re: Soft token provider capabilities

Anders Rundgren wrote, On 2008-08-23 01:21:
> I have decided to give FF crypto programming a try.
> I have a few initial questions that this list hopefully knows about.
> Pointers to the associated rather difficult-to-find Mozilla docs
> would be much appreciated.
>
> Q1. Does the built-in soft token provider offer the ability to
> programmatically set an initial PIN-code for a key?

I'm not exactly sure what you're asking for here, but if you're asking about separate PINs for each (private) key, the answer is: no.

Mozilla's PKCS#11 softoken follows the original PKCS#11 "token" model, where there is one authentication action that covers the entire contents of the "token", and once authenticated to the token, one has access to all the keys in that token. It does not support separate PINs for each key.

> Q2. Can you perform crypto operations with the soft-token
> provider using XPCOM and JavaScript?

This is a question about PSM, the FF code that interfaces FF to the NSS crypto libraries and provides the "scriptable" interfaces that are accessible from Java. Unfortunately, this mailing list doesn't get much participation from the folks who really know PSM. I'm not a PSM expert, but I'll try to give you a few pointers.

All of PSM's scriptable interfaces are defined in ".idl" files. Those files contain comments about the methods they declare. AFAIK, that is the only documentation for PSM's interfaces. (I'd be happy to be proven wrong about that! :)

Most of PSM's .idl files can be found here:
<http://mxr.mozilla.org/security/find?text=&kind=text&string=.idl>

But there are a few more not in that group, such as those seen here:
<http://mxr.mozilla.org/mozilla/search?string=crypt&find=netwerk/base/public/.*idl>

There are probably others, but I don't have a list or a URL for them. Not all of those interfaces are "public", but presumably the ones in the "public" directory all are.

I hope this helps some. Sorry I can't help more with the PSM stuff.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto