On 06/10/2010 08:41 PM, 蓝黑王朝 wrote: > hi,Robert > > Thanks for your reply.I want to add additional crypto services, What services? > and it use to disabling the pkcs12 certificate exporting.I don't want > that user can export the pkcs12 certificate.Do you know other way that > can disable the pkcs12 certificate exporting? OK, this is good to know. You are dealing with the wrong slot. You want to replace "NSS User Private Key and Certificate Services" not "NSS Generic Crypto Services".
I presume you mean pkcs12 private keys associated with the certs (or from the user perspective "User Certs"). This is equivalent to task 3 below. You can't prevent export of keys from the NSS cert/key database, but you can create your own database which private keys cannot be exported from. NSS uses two mechanism to try to export keys: C_WrapKey() and C_GetAttribute(). If your token rejects wrapping private keys and does not allow the extracting of private attributes from keys (most don't), then users will not be able to export those keys from PKCS #12. This is common in many smart cards. To implement this, you simply need do supply: C_CreateObject, C_Sign*, C_GetAttribute, C_SetAttribute, and C_FindObjects*. You'll need to support these for CKO_CERTIFICATES and CKO_PRIVATE_KEYS. If you don't want NSS to generate keys for you, then you also need to support C_GenerateKeyPair. NOTE: Users will have to select your token then generating keys into. If they use another more liberal token (like the NSS User Private Key and Certificate Services", then they will still be able to export their keys. bob I highly recommend familiarizing your self with the PKCS #11 spec or none of they things I said will make sense. > > thanks. > > 在 2010年6月11日 上午12:34,Robert Relyea <rrel...@redhat.com > <mailto:rrel...@redhat.com>>写道: > > On 06/09/2010 09:15 PM, 蓝黑王朝 wrote: >> hi,all >> >> I want to create a soft token same as the firefox's "NSS Generic >> Crypto Services" token. I've done many searches, including this >> group for every message with *pkcs*11 in its title, and couldn't >> find answers which would satisfy me. I'd appreciate any pointer >> or help. > > Do you mean write one? You'll need the PKCS #11 spec located here: > There are a number of toolkits that you can use to get started: > > > All that being said, It's not clear to me what you are trying to > accomplish. > > 1. Do you just want to replace the firefox crypto services with > your own implementation? Which leads to the question why? > 2. Are you trying to add additional crypto services, in which case > you will probably have more work than just writing a PKCS #11 > module depending on what you are trying to add. > 3. Are you trying to use keys and/or certs that are stored in some > location NSS does not understand? > 4. Are you trying to have some or all your of your crypto go > through a peice of hardware? > > Tasks 3 and 4 are regularly accomplished by implementing PKCS #11 > module. Task 1 seems like a 'why do it' issue for to me, but is > basically the same idea as the hardware take over. > > bob >
-- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
