Marc Kaeser wrote:
> Hello Klaus,
> I tried to find those software tokens so I can test where the problem
> comes from. Unfortunately I haven't been able to find that software
> "emulating" a token. You talk about ica_tok or swtok, but where can I
> find those software-tokens? Do they come with another module for
> Firefox? Google doesn't find anything about "ica_tok" and a search using
> "swtok" (by the way, does that name mean "software token"?) as string
> doesn't help very much.
Marc,
from my understanding, you were using opencryptoki as the PKCS#11
provider for NSS.
Opencryptoki provides a PKCS#11 layer for accessing cryptographic
hardware that doesn't come with a native PKCS#11 interface (think of it
as a 'translation' library).
In addition to a TPM token, opencryptoki also supports other token types
as well:
* ICA (IBM Cryptographic Accelerator) - aimed at s390x-specific
hardware, but also supports software fallback since 1.3.9
* CCA (Secure Key token) - same as ICA, but proprietary
* software token - if I remember correctly, using OpenSSL
> If I understand that correctly, I have to "load" another token into
> another slot (using swtok or ica_tok) to see if cryptoki slotdaemon
> finds it, and if it does, look if I can import the matching module in
> Firefox?
I'm not sure if opencryptoki as shipped by the distros has the software
token enabled (I know Ubuntu has), but you could download the latest
opencryptoki from https://sourceforge.net/projects/opencryptoki/ and
build it with the software token enabled.
After that, make sure you have the software token configured correctly
(that's usually done using pkcs11_startup automatically), initialize the
token using pkcsconf (see help) and point firefox to use the PKCS#11
library ({prefix}/lib/pkcs11/PKCS11_API.so)
Tell us of your results.
-Klaus
--
Klaus Heinrich Kiwi | kla...@br.ibm.com | http://blog.klauskiwi.com
Open Source Security blog : http://www.ratliff.net/blog
IBM Linux Technology Center : http://www.ibm.com/linux/ltc
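
Added example (not part of Klaus's message and not opencryptoki code): a small probe that loads a PKCS#11 library such as the PKCS11_API.so mentioned above and lists the tokens it exposes, so you can confirm the token is visible and initialized before pointing Firefox at it. The library path is passed as an argument because `{prefix}` depends on the installation; `probe` and `decode_flags` are hypothetical helper names.

```python
import ctypes
import sys

CK_ULONG = ctypes.c_ulong  # CK_ULONG, CK_FLAGS, CK_RV and CK_SLOT_ID are all unsigned long
class CK_VERSION(ctypes.Structure):
    _fields_ = [("major", ctypes.c_ubyte), ("minor", ctypes.c_ubyte)]

class CK_TOKEN_INFO(ctypes.Structure):  # field order from the PKCS#11 v2.x headers
    _fields_ = (
        [("label", ctypes.c_ubyte * 32), ("manufacturerID", ctypes.c_ubyte * 32),
         ("model", ctypes.c_ubyte * 16), ("serialNumber", ctypes.c_ubyte * 16),
         ("flags", CK_ULONG)]
        + [("ulCounter%d" % i, CK_ULONG) for i in range(10)]  # session/PIN/memory fields
        + [("hardwareVersion", CK_VERSION), ("firmwareVersion", CK_VERSION),
           ("utcTime", ctypes.c_ubyte * 16)])

# CKF_* token flags worth checking before handing the module to an application
FLAGS = {0x004: "LOGIN_REQUIRED", 0x008: "USER_PIN_INITIALIZED", 0x400: "TOKEN_INITIALIZED"}

def decode_flags(flags):
    return [name for bit, name in sorted(FLAGS.items()) if flags & bit]

def probe(libpath):
    """Return (error, tokens); tokens holds (slot_id, label, flag_names) tuples."""
    try:
        lib = ctypes.CDLL(libpath)
        for fn in ("C_Initialize", "C_GetSlotList", "C_GetTokenInfo", "C_Finalize"):
            getattr(lib, fn).restype = CK_ULONG
    except (OSError, AttributeError) as exc:
        return "not a loadable PKCS#11 library: %s" % exc, []
    rv = lib.C_Initialize(None)
    if rv != 0:  # anything but CKR_OK
        return "C_Initialize failed: 0x%x" % rv, []
    count, tokens = CK_ULONG(0), []
    rv = lib.C_GetSlotList(1, None, ctypes.byref(count))  # 1 = only slots with a token
    slots = (CK_ULONG * count.value)()
    if rv == 0:
        rv = lib.C_GetSlotList(1, slots, ctypes.byref(count))
    for slot in slots[:count.value] if rv == 0 else []:
        info = CK_TOKEN_INFO()
        if lib.C_GetTokenInfo(CK_ULONG(slot), ctypes.byref(info)) == 0:
            label = bytes(info.label).decode("utf-8", "replace").rstrip()
            tokens.append((slot, label, decode_flags(info.flags)))
    lib.C_Finalize(None)
    return (None if rv == 0 else "C_GetSlotList failed: 0x%x" % rv), tokens

if __name__ == "__main__":
    error, found = probe(sys.argv[1])  # path to the PKCS#11 library, e.g. PKCS11_API.so
    print(error or found or "library loaded, but no slot has a token present")
```

A token that shows up without `TOKEN_INITIALIZED` still needs the pkcsconf initialization step described above.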