On 09/02/2009 06:39 PM, Klaus Heinrich Kiwi wrote:
On 09/02/2009 07:15 PM, Nelson B Bolyard wrote:
OK, so I presume that you have some program that already knows how to use
NSS as an SSL client or SSL server. Perhaps it is Firefox?
Maybe I haven't made myself clear the first time. I was actually
hoping I could use the NSS testsuite to test my PKCS#11 module
FWIW this bz was opened with a similar purpose in mind ...
https://bugzilla.mozilla.org/show_bug.cgi?id=333174
(well, I have a few pkcs#11 tests of my own - I was in fact hoping I
could exercise the PKCS#11 API between opencryptoki and NSS)
In other words, ideally I'd like to run the NSS testsuite, but instead
of relying on the NSS soft PKCS#11 token, I'd like to use my own.
That program undoubtedly has a set of NSS .db files, including (probably)
secmod.db, cert8.db and key3.db. secmod.db tells NSS about all the PKCS#11
modules that it must load to perform its tasks. It is queried and modified
using the NSS utility program modutil. Firefox also has a GUI preferences
panel for this purpose. You add your PKCS#11 module to the set of known
PKCS#11 modules, specifying the path name of the PKCS#11 module shared
library, and giving the module a recognizable module display name.
I am able to use modutil and add opencryptoki to my global list of NSS
modules:

kla...@klausk-laptop:~$ sudo modutil -add openCryptoki -libfile /usr/local/lib/pkcs11/PKCS11_API.so -dbdir /etc/pki/nssdb/
...
Module "openCryptoki" added to database.
kla...@klausk-laptop:~$ sudo modutil -list -dbdir /etc/pki/nssdb
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. openCryptoki
        library name: /usr/local/lib/pkcs11/PKCS11_API.so
         slots: 1 slot attached
        status: loaded

         slot: Linux 2.6.29.6-217.2.16.fc11.i586 Linux (Soft)
        token: IBM OS PKCS#11
-----------------------------------------------------------
kla...@klausk-laptop:~$
Funny thing is that I'm not able to do the same using the GUI
interface in my Firefox 3.5.2 (a not-so-useful "unable to load module"
dialog appears).
Now I'm not even sure if what I did with modutil was sufficient to
start testing. Is there any way to quickly verify that the pkcs#11
module was correctly loaded (say, query the available mechanisms from
the slot)?
If you're operating a server, you need to put your private key and
corresponding certificate into your (hardware or software) token,
and you need to tell your server to use the certificate found in that
token. The exact method depends on the server program, but identifying
certs by their token names and CKA_LABEL attribute strings is common.
If your module does all of the mechanisms that NSS needs, then that is
about all that you need to do for a server.
For a client, you may need to do more to tell NSS to prefer performing
operations in your token rather than in NSS's software token. This is
all done through the modutil program.
I can't help you more than that until I know more about your specific
situation.
I don't have a direct workload yet to exercise the interface between
NSS apps and my token. In the OpenSSL world, I can generally use
openssl 's_server' and 's_client' to create ad-hoc SSL connections
and, by restricting the advertised ciphers in the client, test what's
being offloaded to the token (or 'engine' in openssl's jargon).
The direct equivalent I think would be to configure Apache to use
mod_nss and use any ssl client to do the test. But I'd also like to
test more PKCS#11 mechanisms, if possible.
Thanks,
-Klaus
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
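The quick "did NSS really load my module, and what can the slot do?" check asked for in the thread, written up as a shell script. This is an added example, not code from the thread or from NSS/openCryptoki. It assumes the NSS tools modutil and certutil are on PATH, that the NSS database directory (default /etc/pki/nssdb, as in the thread) is writable by the caller, and that the module display name and library path are passed as the two arguments. The SAMPLE_LISTING is the `modutil -list` output copied from the thread, kept so the parsing functions can be checked without a real module installed; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): register a PKCS#11 module with NSS via
# modutil, confirm NSS actually loaded it, show the mechanisms NSS sees on each
# slot, and open a session on each token by listing its keys.
# Assumptions: NSS tools on PATH; $NSSDB writable by the caller (the thread used
# sudo for /etc/pki/nssdb); module name and library path given as arguments.

NSSDB="${NSSDB:-/etc/pki/nssdb}"   # same database directory as in the thread

# Print the load status ("loaded", "not loaded", ...) of module $1 from a
# `modutil -list` listing read on stdin, or "absent" if it is not listed at all.
# Pure text processing, so it can be exercised against a saved listing.
nss_module_status() {
    awk -v name="$1" '
        # "  2. openCryptoki" opens a module entry; compare the name exactly
        /^[ \t]*[0-9]+\. / {
            s = $0; sub(/^[ \t]*[0-9]+\. /, "", s); sub(/[ \t]+$/, "", s)
            inmod = (s == name)
        }
        inmod && /^[ \t]*status:/ {
            sub(/^[ \t]*status:[ \t]*/, ""); sub(/[ \t]+$/, "")
            print; found = 1; exit
        }
        END { if (!found) print "absent" }'
}

# Print the token names attached to module $1, one per line, from a listing on stdin.
nss_module_tokens() {
    awk -v name="$1" '
        /^[ \t]*[0-9]+\. / {
            s = $0; sub(/^[ \t]*[0-9]+\. /, "", s); sub(/[ \t]+$/, "", s)
            inmod = (s == name)
        }
        inmod && /^[ \t]*token:/ {
            sub(/^[ \t]*token:[ \t]*/, ""); sub(/[ \t]+$/, ""); print
        }'
}

# Register module $1 from library $2 (skipped if already listed), then verify it.
nss_register_and_verify() {
    module="$1"; libfile="$2"
    listing=$(modutil -list -dbdir "$NSSDB")
    if [ "$(printf '%s\n' "$listing" | nss_module_status "$module")" = absent ]; then
        # -force suppresses the "browser may be running" prompt so this scripts cleanly
        modutil -force -add "$module" -libfile "$libfile" -dbdir "$NSSDB"
        listing=$(modutil -list -dbdir "$NSSDB")
    fi
    status=$(printf '%s\n' "$listing" | nss_module_status "$module")
    if [ "$status" != loaded ]; then
        echo "module $module status: $status (check the library path and its dependencies)" >&2
        return 1
    fi
    # The per-module listing prints "Slot Mechanism Flags: RSA:DSA:..." for each
    # slot: the quick answer to "what does this token offer", as NSS sees it.
    modutil -list "$module" -dbdir "$NSSDB" | grep -E 'Slot:|Mechanism Flags|Token Name'
    # Exercise the slot for real: listing keys makes NSS open a session on the
    # token (and prompts for its PIN if it has one), so a broken module fails here.
    printf '%s\n' "$listing" | nss_module_tokens "$module" | while read -r token; do
        echo "== keys in token '$token' =="
        certutil -K -d "$NSSDB" -h "$token" || true
    done
}

# Make module $1 NSS's default provider for mechanisms $2 (e.g. RSA:AES), so a
# client prefers the token over the internal software module for those operations.
nss_prefer_token() {
    modutil -force -default "$1" -mechanisms "$2" -dbdir "$NSSDB"
}

# Listing copied from the thread above (constructed test input; no module needed).
SAMPLE_LISTING='Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. openCryptoki
        library name: /usr/local/lib/pkcs11/PKCS11_API.so
         slots: 1 slot attached
        status: loaded

         slot: Linux 2.6.29.6-217.2.16.fc11.i586 Linux (Soft)
        token: IBM OS PKCS#11
-----------------------------------------------------------'

if [ "$#" -eq 2 ]; then
    nss_register_and_verify "$1" "$2"
fi
```

Usage: `NSSDB=/etc/pki/nssdb sh nss-check.sh openCryptoki /usr/local/lib/pkcs11/PKCS11_API.so`, then `nss_prefer_token openCryptoki RSA:AES` once the mechanism flags confirm the slot offers them. One caveat that bears on the Firefox symptom in the thread: a Firefox 3.5 profile keeps its own secmod.db in the profile directory and does not read /etc/pki/nssdb, so a module registered there is invisible to the browser until it is also added from the browser's own preferences panel (which loads the shared library into the browser process, so a library that fails to load its dependencies there yields exactly that "unable to load module" dialog).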