> Dear newsgroup,
>
> Could you please give me a hand? I've got a problem understanding the
> relationship between physical/logical reader, slot, token, and
> PK11SlotInfo, NSSToken, PKCS11-Object, Symkeys, Secret keys, fixed
> keys, in NSS's PKCS11 implementation.
> Please just put a "true" or "false" after my lines, if you think my
> list of questions is too long:
>
> If I remember well, the PKCS11 specs say that there's exactly 1
> crypto-object per token (soft or hardware).

FALSE - A token can and does regularly have multiple crypto-objects
active at any given time. I suspect getting this wrong will make
understanding the rest impossible.

> This object can have several attributes, and can be a symmetric key for
> different cryptography algorithms (mechanisms) like DES3, which is the
> one I'm interested in.
>
> A token, with let's say a DES3 symkey as object, can be plugged into a
> slot.
> I thought that's a 1:1 relationship too.

The 1:1 relationship I think you are referring to is slot to token. A
module can have any number of slots. Slots can have zero or one tokens
installed. Any number of crypto objects can reside in a token.

> PK11SlotInfo has info about that slot, and the (only one?) token it
> has plugged in (or not).

True.

> If that's true, I don't understand the key arrays
> PK11SymKey *freeSymKeysWithSessionHead;
> PK11SymKey *freeSymKeysHead;
> in PK11SlotInfo, and neither why they are tagged as "free".

These are an internal free list of empty key objects. They are a
performance enhancement to reduce the time to allocate a new symkey
object. They have nothing to do with actual symkeys. NOTE: I think your
confusion, however, is caused by the assumption that there is only one
possible key in a token. This is not true.

> Or, maybe, an idea that I just had: Does the slotinfo-object point to
> 1 token, but has several NSS-pk11symkeys-representations of the
> key-crypto-object in the token, with any of them with opened session,
> others not?? but why "free?"

For your purposes, ignore the freelist. Unless you are rewriting the
symkey low level handling code, there is nothing you need to worry about
with these values.
>
> Now I'm looking in pk11skey.c in order to find the place where a
> pk11SymKey NSS-Object (say a PK11SymKey) is created and "filled" with
> key-data from pkcs11-object in the token, to have an example and see
> how that works.
> (maybe it's a bad function to do so).
> "filled", if I understand correctly, means "has a session to...".
> But I guess the key data is copied to the raw-key-data of the
> pkcs11-object (or a pointer references it).
>
> My question is:
> What do those code-lines do? Why do I need them in order to find the
> key-id, before a key can be found using that key-id?
>
>      PK11_SETATTRS(attrs, CKA_CLASS, &keyclass, sizeof(keyclass)); attrs++;
>      PK11_SETATTRS(attrs, CKA_TOKEN, &ckTrue, sizeof(ckTrue)); attrs++;
>      if (keyID) {
>          PK11_SETATTRS(attrs, CKA_ID, keyID->data, keyID->len); attrs++;
>      }
>      tsize = attrs - findTemp;
>      PORT_Assert(tsize <= sizeof(findTemp)/sizeof(CK_ATTRIBUTE));

This is a basic setup to do a PKCS #11 C_FindObjects. This call is
looking for a key that is already in the token. The call will return a
handle, which is the only address we have for the key. For the meaning
of this you really need to be familiar with the PKCS #11 spec.
>
>
> By the way, I don't know why this key is called "fixed", and do I need
> to have opened sessions at that point?

It's an unfortunate name. It's looking for a TokenKey (which is also an
unfortunate name). Fixed == Token == Persistent. A key that does not
disappear when the session it was created on goes away, or when the
token it's created on powers down.

> I don't know if FindFixedKey() looks into tokens
> or looks in existing NSS-PK11SymKey-Objects which already have
> sessions opened.

It's looking into the token, only for those symmetric keys that are
Persistent.
>
>
> If you can see that I'm wrong in my structure-conception, please tell
> me ^^

Mostly at the very beginning ;(.

If I may ask, what is it you are trying to accomplish?

bob
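As an added illustration of the C_FindObjects template Bob describes (this is not NSS code; the toy in-memory token, its three constructed key objects and the find_object stand-in are assumptions made for this example): one token holds several key objects at once, and the quoted three-attribute template picks out only a persistent ("fixed") secret key, handing back a handle rather than any key material.

```c
#include <string.h>

/* Added illustration, not NSS code. Minimal PKCS #11 types and constants
 * (values as numbered in the PKCS #11 spec) so this builds without pkcs11.h. */
typedef unsigned long CK_ULONG, CK_OBJECT_HANDLE;
typedef unsigned char CK_BBOOL;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
enum { CKA_CLASS = 0x0, CKA_TOKEN = 0x1, CKA_ID = 0x102, CKO_SECRET_KEY = 0x4, CK_INVALID_HANDLE = 0 };
/* Same shape as the NSS macro used in the quoted pk11skey.c lines. */
#define PK11_SETATTRS(x, id, v, l) do { (x)->type = (id); (x)->pValue = (v); (x)->ulValueLen = (l); } while (0)

/* Toy token object: a handle plus the attributes we search on. Key material
 * never leaves the token; a caller only ever gets the handle back. */
typedef struct { CK_OBJECT_HANDLE handle; CK_ULONG cls; CK_BBOOL token; const char *id; } TokenObject;

/* Constructed token contents: several key objects live in ONE token. */
static const TokenObject g_token[] = {
    { 1, CKO_SECRET_KEY, 0, "des3-session" }, /* vanishes with its session  */
    { 2, CKO_SECRET_KEY, 1, "des3-fixed" },   /* CKA_TOKEN=true: persistent */
    { 3, CKO_SECRET_KEY, 1, "aes-fixed" },
};

/* Stand-in for C_FindObjectsInit/C_FindObjects over the toy token: an object
 * matches only if EVERY template attribute matches; first handle wins, else 0. */
static CK_OBJECT_HANDLE find_object(const CK_ATTRIBUTE *t, CK_ULONG n) {
    for (size_t i = 0; i < sizeof g_token / sizeof g_token[0]; i++) {
        const TokenObject *o = &g_token[i]; CK_ULONG k;
        for (k = 0; k < n; k++) {
            const CK_ATTRIBUTE *a = &t[k];
            int ok = 0;
            if (a->type == CKA_CLASS) ok = a->ulValueLen == sizeof(CK_ULONG) && o->cls == *(CK_ULONG *)a->pValue;
            else if (a->type == CKA_TOKEN) ok = a->ulValueLen == sizeof(CK_BBOOL) && o->token == *(CK_BBOOL *)a->pValue;
            else if (a->type == CKA_ID) ok = strlen(o->id) == a->ulValueLen && !memcmp(o->id, a->pValue, a->ulValueLen);
            if (!ok) break;
        }
        if (k == n) return o->handle;
    }
    return CK_INVALID_HANDLE;
}

/* The quoted template, line for line: secret key, on the token (so persistent,
 * the "fixed" key of the thread), optionally with a given CKA_ID (NULL = any). */
CK_OBJECT_HANDLE find_fixed_key(const char *keyID) {
    CK_ULONG keyclass = CKO_SECRET_KEY; CK_BBOOL ckTrue = 1;
    CK_ATTRIBUTE findTemp[3], *attrs = findTemp;
    PK11_SETATTRS(attrs, CKA_CLASS, &keyclass, sizeof(keyclass)); attrs++;
    PK11_SETATTRS(attrs, CKA_TOKEN, &ckTrue, sizeof(ckTrue)); attrs++;
    if (keyID) { PK11_SETATTRS(attrs, CKA_ID, (void *)keyID, strlen(keyID)); attrs++; }
    return find_object(findTemp, (CK_ULONG)(attrs - findTemp));
}
```

The session-only DES3 object is never returned even when asked for by ID, because the template's CKA_TOKEN=true is part of the match; drop that attribute and the search would see it too.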


>
>
>


-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto