Hello, I contacted the Sun support for the Sun Metaslot issue. What happens is that when I run "cryptoadm enable metaslot token=ks", the Sun Metaslot hides the hardware token, and hence Sun Metaslot and the softtoken get displayed in the modutil list output.
Now I tried without "cryptoadm enable metaslot token=ks"; this is the output of modutil -list:

bash-3.00# modutil -list -dbdir .
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. SCA
        library name: /usr/lib/libpkcs11.so
         slots: 2 slots attached
        status: loaded

         slot: ks
        token: ks

         slot: Sun Crypto Softtoken
        token: Sun Software PKCS#11 softtoken
-----------------------------------------------------------

Where ks is the keystore I created in the card.

Again, if I enable metaslot for the softtoken (cryptoadm enable metaslot token="Sun Software PKCS#11 softtoken"), then Sun Metaslot hides the Sun softtoken as below:

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. SCA
        library name: /usr/lib/libpkcs11.so
         slots: 2 slots attached
        status: loaded

         slot: Sun Metaslot
        token: Sun Metaslot

         slot: ks
        token: ks

Now the SSL handshake succeeds only when I enable Sun Metaslot for the hardware keystore. In all the other cases (disabling metaslot, or enabling metaslot for the Sun softtoken) I get a handshake failure. My vague assumption is that it is due to the fact that in FIPS mode, all the algorithms should be done at the place where the certificates are stored.
So when I access my h/w keystore through "Sun Metaslot", from NSS POV everything is done at Sun Metaslot, but "Sun Metaslot" is internally forwarding algorithms not supported by the card to software providers (somehow RSA private is also getting forwarded to the software provider even though it is supported in the card, which is the original problem!!!). But in the other 2 cases (disabling metaslot, or enabling metaslot for the Sun softtoken), all the algorithms should happen in the hardware and hence the handshake fails, as I think the card does not support some authentication algorithms (I think HMAC).

So my question is: are there any logs in NSS that I can check to see where the algorithms are actually implemented?

Rishi

On Thu, Aug 20, 2009 at 4:16 AM, Nelson B Bolyard <nel...@bolyard.me> wrote:
> On 2009-08-19 06:30 PDT, Rishi wrote:
> > OK, we have made some progress, we could disable the softtoken by
> > commenting the line softtoken_extra.so in mca.conf in /kernel/drv/.
> > Now we got an SSL handshake error "bad MAC". This we thought would be
> > because the crypto card does not support hashing algorithms in 1.0
> > firmware, hence we updated the firmware of sca6000 to 1.1.
> >
> > Again created the keystore in the card. Created new NSS DB as before,
> > and created certificates in the keystore.
> > - Verified that the certificates are stored in the keystore using
> >   "pktool list token=ks objtype=both". It listed both the RSA private
> >   key and cert.
> > - cryptoadm list -v shows mca0 as a hardware provider, indicating that
> >   the card is properly configured.
> > - modutil -list -dbdir . displays the keystore as a token as
> >   METASLOT_ENABLED is set to false.
> >
> > Now the issue is that whenever we try to access the certificates
> > through NSS using apache mod_nss, it finds the certificate for the
> > first time and on subsequent tries, fails. Actually it tries to access
> > the cert from the card a huge number of times and fails.
> > Also the mca/0 disappears from the cryptoadm list -v output. Now the card is shown
> > as failed and we have to reboot to get the card working again.
>
> Rishi, IMO, you need help from Sun support. It is not normally necessary
> to disable metaslot. The fact that you find it necessary to do so tells me
> something is wrong with your Sun PKCS#11 software configuration, but I
> don't know what. It's not an NSS problem. Sorry.
>
> --
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
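An added example, not part of the thread: a small Python parser for the modutil -list output quoted above, plus a heuristic check of whether a named token is listed directly by NSS or only reachable through Sun Metaslot (which, per the listings above, replaces the token it is enabled for). The sample listing is reconstructed from the second output in the mail; the function names and the classification labels are ours.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of "modutil -list" output shown in the thread
# (the metaslot-enabled-for-softtoken case); indentation is ours.
SAMPLE_LISTING = """\
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. SCA
        library name: /usr/lib/libpkcs11.so
         slots: 2 slots attached
        status: loaded

         slot: Sun Metaslot
        token: Sun Metaslot

         slot: ks
        token: ks
-----------------------------------------------------------
"""

MODULE_RE = re.compile(r"^\s*\d+\.\s+(.*\S)\s*$")          # "  2. SCA"
FIELD_RE = re.compile(r"^\s*(library name|slots|status|slot|token):\s*(.*\S)?\s*$")


def parse_modutil_list(text: str) -> Dict[str, dict]:
    """Return {module name: {"library": path or None, "tokens": [(slot, token), ...]}}."""
    modules: Dict[str, dict] = {}
    current: Optional[str] = None
    pending_slot: Optional[str] = None
    for line in text.splitlines():
        m = MODULE_RE.match(line)
        if m:  # new module header
            current = m.group(1)
            modules[current] = {"library": None, "tokens": []}
            pending_slot = None
            continue
        f = FIELD_RE.match(line)
        if not f or current is None:
            continue
        key, value = f.group(1), (f.group(2) or "")
        if key == "library name":
            modules[current]["library"] = value
        elif key == "slot":
            pending_slot = value          # a "token:" line follows the slot line
        elif key == "token":
            modules[current]["tokens"].append((pending_slot, value))
            pending_slot = None
    return modules


def token_visibility(modules: Dict[str, dict], token_name: str) -> str:
    """'direct' if NSS lists the token itself, 'behind-metaslot' if it is absent
    while a Sun Metaslot token is listed (heuristic), otherwise 'absent'."""
    listed: List[str] = [t for mod in modules.values() for _, t in mod["tokens"]]
    if token_name in listed:
        return "direct"
    if "Sun Metaslot" in listed:
        return "behind-metaslot"
    return "absent"
```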