It's a fact that the 'izenpe' token is the one that's causing Firefox to lock the NSS files. It is a pkcs#11 module based on opensc drivers.
I've tested shareable NSS with a JSS-based program, watching the opensc logs, and the pkcs#11 module locks and unlocks the smartcard atomically for each certificate query operation. Conversely, when the pkcs#11 module is started via Firefox, it locks the smartcard until the browser is closed, disabling any concurrent access to the NSS certificates and so making it non-shareable.

Initially the pkcs#11 token session does not get started when opening Firefox. It gets started by manually starting/terminating the session through the PSM manager, or (and this is IMHO the worst case) while browsing a site with SSL client-based authentication where the certificate is stored in the smartcard.

This behaviour is described in the opensc configuration file:

<pre>
# By default, the OpenSC PKCS#11 module will
# try to lock this card once you have authenticated
# to the card via C_Login. This is done so that no
# other user can connect to the card and perform
# crypto operations (which may be possible because
# you have already authenticated with the card).
#
# However, this also means that no other application
# that _you_ run can use the card until your application
# has done a C_Logout or C_Finalize. In the case of
# Netscape or Mozilla, this does not happen until
# you exit the browser.
# Default: false
#lock_login = false;
</pre>

Is there any information I could read about why the PSM locks the driver until exit, instead of using it atomically only when needed?

Thanks in advance,

Irune :: Zylk.net

----- Original message -----
From: "Wan-Teh Chang" <w...@google.com>
To: "mozilla's crypto code discussion list" <dev-tech-crypto@lists.mozilla.org>
Sent: Thursday, 13 January 2011 3:32:43
Subject: Re: Firefox PSM locks NSS

On Tue, Jan 11, 2011 at 4:48 AM, Irune Prado Alberdi <ipr...@zylk.net> wrote:
>
> Whereas if I terminate the pkcs11 session in firefox I can successfully access
> the token
> <pre>
> $ certutil -d sql:. -K -h izenpe
> certutil: Checking token "Builtin Object Token" in slot "NSS Builtin Objects"
> certutil: no keys found
> certutil: Checking token "NSS Generic Crypto Services" in slot "NSS Internal Cryptographic Services"
> certutil: no keys found
> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
> certutil: no keys found
> certutil: Checking token "IZENPE" in slot "Gemplus GemPC Twin 00 00"
> Enter Password or Pin for "IZENPE":
> < 0> rsa ad22bafb47cd03a443e7777e3c04e4914f5cc52a PRUEBAS EFACTUR
> </pre>

Perhaps it's the "IZENPE" token, not the NSS sqlite3 DB, that blocks certutil.

The first slot, "NSS Builtin Objects", doesn't use sqlite3, so this shows a later slot can block certutil from outputting anything. So any later slot, not just the NSS DB slot, could be the cause of the blocking.

Wan-Teh
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
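The per-operation C_Login/C_Logout pattern that Irune observed from the JSS-based program, written out as an added example. This is not the program from the thread and not OpenSC, NSS or Mozilla code: it uses the JDK's SunPKCS11 provider (swapped in for JSS) to load the OpenSC module and wraps each signing operation in its own login/logout pair, so the card is released between operations instead of being held, as the opensc.conf comment says happens with Mozilla, until the process exits. Assumptions not taken from the thread: the module path, that the reader is the first slot (slotListIndex=0), and that the KeyStore alias equals the certutil nickname "PRUEBAS EFACTUR" (SunPKCS11 uses the certificate's CKA_LABEL as the alias). The message that gets signed is a constructed input.

```java
import java.security.AuthProvider;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;

/*
 * Added example (not the thread's JSS program, not OpenSC/Mozilla code).
 * Every token operation is bracketed by C_Login ... C_Logout, so that a
 * module configured with lock_login releases the card between operations.
 */
public class AtomicTokenSign {
    static final String OPENSC_MODULE = "/usr/lib/opensc-pkcs11.so"; // assumption: local module path
    static final String TOKEN_LABEL   = "IZENPE";                   // label seen in the certutil output
    static final String KEY_ALIAS     = "PRUEBAS EFACTUR";          // assumption: nickname == CKA_LABEL

    /** Load the OpenSC PKCS#11 module through SunPKCS11 (inline "--" config, Java 9+). */
    static AuthProvider loadProvider() {
        String config = "--name=opensc\n"
                      + "library=" + OPENSC_MODULE + "\n"
                      + "slotListIndex=0\n";          // assumption: the card reader is the first slot
        Provider p = Security.getProvider("SunPKCS11").configure(config);
        Security.addProvider(p);
        return (AuthProvider) p;                       // SunPKCS11 extends AuthProvider, which has logout()
    }

    /**
     * One self-contained token operation: C_Login, sign, C_Logout.
     * The finally block is the point of the example: without it the login (and,
     * with lock_login, the card itself) stays held until the JVM exits.
     */
    static byte[] signOnce(AuthProvider p, char[] pin, byte[] data) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);                            // C_Login happens here
        try {
            PrivateKey key = (PrivateKey) ks.getKey(KEY_ALIAS, null);
            if (key == null) {
                throw new IllegalStateException("no private key with alias " + KEY_ALIAS);
            }
            // The key handle lives on the card, so the Signature must come from the same provider.
            Signature sig = Signature.getInstance("SHA256withRSA", p);
            sig.initSign(key);
            sig.update(data);
            return sig.sign();
        } finally {
            p.logout();                                // C_Logout: the card is free for other processes
        }
    }

    public static void main(String[] args) throws Exception {
        if (System.console() == null) {
            System.err.println("run from a terminal so the PIN can be read without echo");
            System.exit(1);
        }
        char[] pin = System.console().readPassword("Enter Password or Pin for \"%s\": ", TOKEN_LABEL);
        AuthProvider p = loadProvider();
        byte[] msg = "constructed sample message".getBytes("UTF-8"); // constructed input
        for (int i = 1; i <= 3; i++) {
            byte[] s = signOnce(p, pin, msg);
            System.out.printf("signature %d: %d bytes; card released, try certutil now%n", i, s.length);
            Thread.sleep(5000);                        // window in which another process can use the card
        }
        java.util.Arrays.fill(pin, '\0');
    }
}
```

To check the behaviour, run the thread's `certutil -d sql:. -K -h izenpe` from a second terminal during the five-second pause after each signature: if it reaches the "IZENPE" slot and prompts for the PIN instead of hanging, the C_Logout in the finally block has released the card. Removing that logout reproduces the hold-until-exit behaviour the opensc.conf comment describes for the browser.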