Hi,
I've been debugging openCryptoki for compatibility problems with
Mozilla NSS, and I noted that, when creating a certificate using
certutil, Mozilla NSS tries to create a token object with
CKA_CLASS=0xce534353, which is the 'vendor defined' class CKO_NSS_TRUST,
defined as ((CKO_VENDOR_DEFINED|NSSCK_VENDOR_NSS) + 3).
This breaks openCryptoki as it is not expecting to be able to create
custom objects (via C_CreateObject) using a 'vendor defined' class type
(but only CKO_DATA objects apparently).
Checking the spec (particularly v2.11 which ock implements), it reads:
"Object classes CKO_VENDOR_DEFINED and above are permanently reserved
for token vendors."
So at first impression it seems to me that ock's interpretation was
right - vendor defined classes should be reserved for token vendors
(i.e., the ones implementing the interface), and not for any client
library to create its own.
Comments? Does anyone know how other PKCS#11 libraries address this?
(particularly the ones which are compatible with Mozilla NSS)
Thanks,
-Klaus
--
Klaus Heinrich Kiwi | kla...@br.ibm.com | http://blog.klauskiwi.com
Open Source Security blog : http://www.ratliff.net/blog
IBM Linux Technology Center : http://www.ibm.com/linux/ltc
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
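The following is an added example, not code from the post, from openCryptoki or from Mozilla NSS. It reproduces how the class value quoted above is composed (CKO_VENDOR_DEFINED | NSSCK_VENDOR_NSS, plus 3, which yields 0xce534353) and shows one defensive way a token implementation can handle a C_CreateObject template carrying a vendor defined CKA_CLASS: standard v2.11 classes pass, vendor classes pass only if the token explicitly accepts them, and everything else is rejected with a clean PKCS#11 return code rather than failing deep inside object creation. The minimal CK_ATTRIBUTE typedef, the accepted-class list mechanism and the 0xFF upper bound on NSS class ordinals are assumptions made for this example; the numeric constants are the standard PKCS#11 values plus the NSS prefix quoted in the post.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Standard PKCS#11 v2.11 values; pkcs11.h is not included so the example
 * builds stand-alone. */
#define CKA_CLASS                   0x00000000UL
#define CKO_DATA                    0x00000000UL
#define CKO_CERTIFICATE             0x00000001UL
#define CKO_PUBLIC_KEY              0x00000002UL
#define CKO_PRIVATE_KEY             0x00000003UL
#define CKO_SECRET_KEY              0x00000004UL
#define CKO_HW_FEATURE              0x00000005UL
#define CKO_DOMAIN_PARAMETERS       0x00000006UL
#define CKO_VENDOR_DEFINED          0x80000000UL

#define CKR_OK                      0x00000000UL
#define CKR_ATTRIBUTE_VALUE_INVALID 0x00000013UL
#define CKR_TEMPLATE_INCOMPLETE     0x000000D0UL

/* NSS vendor prefix ("NSCP") and the class named in the post. */
#define NSSCK_VENDOR_NSS            0x4E534350UL
#define CKO_NSS_BASE                (CKO_VENDOR_DEFINED | NSSCK_VENDOR_NSS)
#define CKO_NSS_TRUST               (CKO_NSS_BASE + 3)

/* Minimal stand-in for CK_ATTRIBUTE (assumption: same field layout). */
typedef struct {
    unsigned long type;
    void         *pValue;
    unsigned long ulValueLen;
} CK_ATTRIBUTE_T;

/* "Object classes CKO_VENDOR_DEFINED and above are permanently reserved". */
int class_is_vendor_defined(unsigned long cls) { return cls >= CKO_VENDOR_DEFINED; }

/* Classes defined by PKCS#11 v2.11 itself. */
int class_is_standard(unsigned long cls) { return cls <= CKO_DOMAIN_PARAMETERS; }

/* Decode an NSS vendor class to its ordinal (3 for CKO_NSS_TRUST), or -1 if
 * the value does not carry the NSS prefix. The 0xFF bound is an assumption. */
int nss_vendor_class_index(unsigned long cls) {
    if (!class_is_vendor_defined(cls) || cls < CKO_NSS_BASE) return -1;
    if (cls - CKO_NSS_BASE > 0xFFUL) return -1;
    return (int)(cls - CKO_NSS_BASE);
}

/* Token-side policy for a single class value. */
unsigned long check_class_policy(unsigned long cls,
                                 const unsigned long *accepted, size_t n_accepted) {
    if (class_is_standard(cls)) return CKR_OK;
    if (class_is_vendor_defined(cls)) {
        for (size_t i = 0; i < n_accepted; i++)
            if (accepted[i] == cls) return CKR_OK;   /* explicitly allowed by the token */
    }
    return CKR_ATTRIBUTE_VALUE_INVALID;              /* unknown or reserved: reject cleanly */
}

/* Validate CKA_CLASS in a C_CreateObject template before any object is built. */
unsigned long validate_create_template(const CK_ATTRIBUTE_T *tmpl, unsigned long count,
                                       const unsigned long *accepted, size_t n_accepted,
                                       unsigned long *cls_out) {
    for (unsigned long i = 0; i < count; i++) {
        if (tmpl[i].type != CKA_CLASS) continue;
        if (tmpl[i].pValue == NULL || tmpl[i].ulValueLen != sizeof(unsigned long))
            return CKR_ATTRIBUTE_VALUE_INVALID;      /* malformed value, never dereference */
        unsigned long cls;
        memcpy(&cls, tmpl[i].pValue, sizeof cls);    /* memcpy: pValue may be unaligned */
        if (cls_out) *cls_out = cls;
        return check_class_policy(cls, accepted, n_accepted);
    }
    return CKR_TEMPLATE_INCOMPLETE;                  /* CKA_CLASS is mandatory */
}

/* Scenarios with constructed templates, modelled on the certutil case. */
unsigned long scenario_nss_trust_default(void) {       /* token accepts no vendor classes */
    unsigned long cls = CKO_NSS_TRUST;
    CK_ATTRIBUTE_T t[] = { { CKA_CLASS, &cls, sizeof cls } };
    return validate_create_template(t, 1, NULL, 0, NULL);
}
unsigned long scenario_nss_trust_allowed(void) {       /* token opted in to CKO_NSS_TRUST */
    unsigned long cls = CKO_NSS_TRUST, allowed[] = { CKO_NSS_TRUST };
    CK_ATTRIBUTE_T t[] = { { CKA_CLASS, &cls, sizeof cls } };
    return validate_create_template(t, 1, allowed, 1, NULL);
}
unsigned long scenario_missing_class(void) {           /* template without CKA_CLASS */
    unsigned long len = 4;
    CK_ATTRIBUTE_T t[] = { { 0x00000161UL /* CKA_VALUE_LEN */, &len, sizeof len } };
    return validate_create_template(t, 1, NULL, 0, NULL);
}

int main(void) {
    printf("CKO_NSS_TRUST = 0x%lx (NSS ordinal %d)\n", CKO_NSS_TRUST,
           nss_vendor_class_index(CKO_NSS_TRUST));
    printf("default policy: 0x%lx, opted in: 0x%lx, missing class: 0x%lx\n",
           scenario_nss_trust_default(), scenario_nss_trust_allowed(),
           scenario_missing_class());
    return 0;
}
```

The point of the policy split is that a token library should not need to know every client's vendor classes to stay robust: anything at or above CKO_VENDOR_DEFINED that the token has not chosen to support is answered with CKR_ATTRIBUTE_VALUE_INVALID, so a client like NSS gets a defined error instead of triggering an unexpected failure path.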