On 01/08/2010 10:08 AM, Klaus Heinrich Kiwi wrote: > Hi, > > I've been debugging openCryptoki for compatibility problems with > Mozilla NSS, and I noted that, when creating a certificate using > certutil, Mozilla NSS tries to create a token object with > CKA_CLASS=0xce534353, which is the 'vendor defined' class > CKO_NSS_TRUST, defined as ((CKO_VENDOR_DEFINED|NSSCK_VENDOR_NSS) + 3). > > This breaks openCryptoki as it is not expecting to be able to create > custom objects (via C_CreateObject) using a 'vendor defined' class > type (but only CKO_DATA objects apparently). What you you mean by 'breaks'. Does openCryptoki return an error (definitely not broken behaviour), or does it do something unfriendly like crash (definitely broken behaviour). > > Checking the spec (particularly v2.11 which ock implements), it reads: > "Object classes CKO_VENDOR_DEFINED and above are permanently reserved > for token vendors." > > So at first impression it seems to me that ock's interpretation was > right - Vendor defined classes should be reserved for token vendors > (i.e., the ones implementing the interface), and not for any client > library to create it's own. > > Comments? Anyone knows how other PKCS#11 libraries address this? > (particularly the ones which are compatible with Mozilla NSS)
NSS needs attributes that are not defined by PKCS #11. It uses these attributes in it's own PKCS #11 modules. You are free to return CKR_INVALID_ATTRIBUTE when you see these attributes (which is what you should return). NSS should be able to deal with that. If not let me know. (Most likely NSS will choose another token that supports this object and store it there). NOTE: In general, if NSS asks you to do something that you do not support, it is not necessarily an error for you to return that the request was not valid. NSS will switch to a different token in those cases. NSS depends on the PKCS #11 module properly signalling that it can't do something (or the session has been destroyed, or any number of other error conditions) rather than trying to build complex matrices of possible fail conditions and always asking for operations it expects to work. > > Thanks, > > -Klaus
-- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
