On 05/26/2010 06:57 AM, Bud P. Bruegger wrote:
> Hello everyone,
>
> I thought this was an FAQ but couldn't find anything searching around.
>
> I'd like to put my key3db, cert8db on a USB pen drive to have a
> portable soft token with some user certs that I can use from
> several PCs (work, home) that all run Firefox.
>
> Can someone point out how to go about this?
>
> I assume I need to use certutil to create the key and cert db files and
> assume that there is only one secmod.db for a browser. I also read
> that the pkcs#11 module is libsoftokn3.so (on linux) but don't
> understand how to tell it to search for the db files in a certain
> directory...
>
> Also, is there a way of using some script (maybe calling modutil) to
> automate the loading of the USB based soft token?
>

So, there isn't currently a 'usb based softoken'. While you can put your keys and certs anywhere, it's usually pretty difficult to convince an application to use your alternate database. Recent changes to NSS have made that possible, but it's more of an 'it can be done in your system' rather than 'it's easy for a random user to do'.*

Add to that that softoken itself has no support for insertion/removal of its database on the fly. It can happen under program control (you can tell softoken 'now load this database', and 'now unload this database', from inside a program, but softoken doesn't poll for the existence of the database).

Now in my paragraph above I have been talking about 'softoken', all one word. This is a very specific use. softoken is the 'internal' pkcs #11 module that comes with NSS and reads your key3 and cert8 db's from your disk. That is not the only way NSS can find certs and keys. From the rest of NSS's perspective, different pkcs #11 modules are roughly 'equivalent'. You could create a PKCS #11 module that detects that a new USB is loaded and presents a new token to the application when that happens, then marks the token as removed when the USB goes away. At this point no one has actually written such a pkcs #11 module :(.

bob

[* if you have the latest version of NSS you could do the following:

set the following environment variable: NSS_DEFAULT_DB_TYPE=sql (how to do this varies by OS and shell). This will cause NSS to use the sqlite DB.

run certutil -K -d {nssdb} -X where {nssdb} is your application's normal NSS database location. This will create cert9, key4 and pkcs11.txt.

You can hand edit pkcs11.txt and add the following lines at the end:

    library=
    name="USB database"
    parameters="configdir=sql:{path_to_usb_device} tokenDescription='NSS USB database'"
    NSS="flags=internal"

Replacing {path_to_usb_device} with the actual path to your usb device when it is connected. Now place whatever cert9 and key4 you want on the token.

If you want to use cert8 and key3 you can change sql: to dbm:. I don't recommend it as you are likely to have database corruption in the database if you ever remove your token without shutting down the application if you use dbm:. You can mitigate that by specifying flags=readonly on the parameters line.

This probably won't do what you want, however, because the USB needs to be in place when you start your application, and cannot be removed on the fly....]

> many thanks for any help
>
> -b
>
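The manual steps in Bob's footnote, turned into a script, as an added example that is not from the thread or from NSS itself: it emits the pkcs11.txt stanza for a softoken database kept on a removable drive (adding flags=readonly when dbm: is chosen, per the corruption caveat above) and, when certutil is on the PATH, converts the profile to the sqlite layout and appends the stanza. The function names and all paths are my own placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and paths are constructed;
# the stanza fields are the ones given in Bob's footnote.

# Print the pkcs11.txt stanza for a softoken database on a USB drive.
# $1 = database directory on the drive, $2 = "sql" (cert9/key4) or "dbm" (cert8/key3).
# With dbm: the token is opened read-only, so pulling the drive without
# shutting the application down cannot corrupt the database files.
usb_softoken_stanza() {
  usb_path=$1
  db_type=${2:-sql}
  flags=""
  if [ "$db_type" = "dbm" ]; then
    flags=" flags=readonly"
  fi
  cat <<EOF
library=
name="USB database"
parameters="configdir=${db_type}:${usb_path} tokenDescription='NSS USB database'${flags}"
NSS="flags=internal"
EOF
}

# Convert an application's profile to the sqlite layout (cert9, key4, pkcs11.txt)
# and append the stanza. $1 = the application's normal NSS database directory,
# $2 = database directory on the drive, $3 = sql|dbm. Needs certutil on PATH.
usb_softoken_setup() {
  nssdb=$1
  usb_path=$2
  db_type=${3:-sql}
  command -v certutil >/dev/null 2>&1 || { echo "certutil not found" >&2; return 1; }
  # NSS_DEFAULT_DB_TYPE=sql makes NSS use the sqlite DB; -X forces creation.
  NSS_DEFAULT_DB_TYPE=sql certutil -K -d "$nssdb" -X || return 1
  [ -f "$nssdb/pkcs11.txt" ] || { echo "pkcs11.txt was not created" >&2; return 1; }
  usb_softoken_stanza "$usb_path" "$db_type" >> "$nssdb/pkcs11.txt"
}

# Usage (placeholder paths):
#   usb_softoken_setup "$HOME/.mozilla/firefox/PROFILE.default" /media/usb/nssdb sql
```

The drive still has to be mounted before the application starts, and cannot be removed while it runs, exactly as the footnote says.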
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto