On 2009-12-14 07:19 PST, Konstantin Andreev wrote:

> I have noticed that softoken's C_Sign() (and C_SignFinal too) terminates
> the signing operation if called with too small an output buffer
> [http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/softoken/pkcs11c.c&rev=1.111&mark=2277-2280,2292-2296#2260].
>
> This seems to be incompatible with PKCS#11 since version >= 2 (15 Apr
> 1997). Here is a quote from the C_Sign definition:
> 
> -- A call to C_Sign always terminates the active signing operation unless
> it returns CKR_BUFFER_TOO_SMALL or is a successful call (i.e., one which
> returns CKR_OK) to determine the length of the buffer needed to hold the
> signature.
> 
> Even worse, PK11_SignatureLen()->pk11_backupGetSignLength() relies on
> that behavior, so conformant PKCS#11 tokens will have a stale signing
> operation after PK11_SignatureLen() returns
> [http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/pk11wrap/pk11obj.c&rev=1.21&mark=536-538#510].
>
> Are there strong reasons for this incompatibility, and should this be
> changed to conformant behavior?

Please file a bug in bugzilla.mozilla.org.  For extra credit, attach a patch
that fixes it, including the dependencies you've noted.
Thanks.

/Nelson
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
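
An added example, not part of the thread and not NSS code: a toy C model of the operation-state rule quoted above. It shows what a retrying caller gets from a conformant token versus one that terminates on CKR_BUFFER_TOO_SMALL, and the open operation left behind when a caller probes with a short buffer and stops (the pattern the post attributes to pk11_backupGetSignLength()). The `toy_*` names, the helper functions and the 8-byte filler signature are assumptions; only the three CKR_ codes and their values come from PKCS#11.

```c
#include <stdio.h>
#include <string.h>
/* Return codes carry their PKCS#11 values; the token itself is a toy model. */
#define CKR_OK                        0x000UL
#define CKR_OPERATION_NOT_INITIALIZED 0x091UL
#define CKR_BUFFER_TOO_SMALL          0x150UL
#define TOY_SIG_LEN 8UL  /* constructed fixed signature size */
typedef struct { int sign_active; int conformant; } toy_session;

/* Models only C_Sign's operation-state handling; the signature is filler. */
static unsigned long toy_sign(toy_session *s, unsigned char *sig, unsigned long *len)
{
    if (!s->sign_active) return CKR_OPERATION_NOT_INITIALIZED;
    if (sig == NULL) { *len = TOY_SIG_LEN; return CKR_OK; } /* length query */
    if (*len < TOY_SIG_LEN) {
        *len = TOY_SIG_LEN;
        if (!s->conformant) s->sign_active = 0; /* behaviour reported in the post */
        return CKR_BUFFER_TOO_SMALL;
    }
    memset(sig, 0xAA, TOY_SIG_LEN);
    *len = TOY_SIG_LEN;
    s->sign_active = 0; /* a completed signature ends the operation */
    return CKR_OK;
}

/* Caller that retries after CKR_BUFFER_TOO_SMALL, as the quoted rule allows. */
static unsigned long retry_after_too_small(int conformant)
{
    toy_session s = { 1, conformant }; /* state as if C_SignInit succeeded */
    unsigned char buf[TOY_SIG_LEN]; unsigned long len = 1; /* len too small on purpose */
    if (toy_sign(&s, buf, &len) != CKR_BUFFER_TOO_SMALL) return ~0UL;
    return toy_sign(&s, buf, &len); /* len now holds the required size */
}

/* Caller that probes the length with a short buffer and never signs. */
static int active_after_length_probe(int conformant)
{
    toy_session s = { 1, conformant };
    unsigned char tiny[1]; unsigned long len = sizeof tiny;
    (void)toy_sign(&s, tiny, &len);
    return s.sign_active; /* 1 means the operation was left open */
}

int main(void)
{   /* each line prints: conformant token / terminating token */
    printf("retry: 0x%lx / 0x%lx\n", retry_after_too_small(1), retry_after_too_small(0));
    printf("open:  %d / %d\n", active_after_length_probe(1), active_after_length_probe(0));
    return 0;
}
```

A wrapper that has to work with both kinds of token can avoid depending on either behaviour by querying the length with a NULL output pointer and then making a single signing call with a buffer of that size.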
