NSS has been facing these issues for a while now. After trying to get something going in the PKCS #11 working group we finally implemented this internally:
https://developer.mozilla.org/en/PKCS11_Module_Specs They way it looks externally is: https://wiki.mozilla.org/NSS:Roadmap#SQLite-Based_Shareable_Certificate_and_Key_Databases Most notably the 'How LINUX Applications should initialize NSS. <https://wiki.mozilla.org/NSS_Shared_DB_And_LINUX>'. When we implemented sqlite for the key and cert DB, we moved our PKCS #11 configuration to a flat text file called pkcs11.txt here's a typical pkcs11.txt file: library=libcoolkeypk11.so name=CoolKey PKCS #11 Module library=libnsssysinit.so name=NSS Internal PKCS #11 Module parameters=configdir='sql:/etc/pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' NSS=trustOrder=75 cipherOrder=100 slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM askpw=any timeout=30 ] } Flags=internal,moduleDBOnly,critical The fields are: library points to a shared library to load name specifies a UI name to manage the token parameters is a string passed to the PKCS #11 module. The format of this string is module specific. NSS knows the format of the softoken string. NSS NSS specific information associated with this token, only parsed by NSS Flags are supposed to be application independent flags, parsed by everyone. NSS ignores other fields, so something like freedesktop= with freedesktop specific parameters would just be skipped over by NSS. There is a blank line between PKCS #11 modules. ---------------------------------------------------------- On Linux, the idea is applications open the system database ('sql:/etc/pki/nssdb') and they will automatically load the PKCS #11 modules in both the system and their own user database (that way users can install tokens without administrative privelleges, but the tokens only apply to that user). To date, not all applications have moved to this new model. The difficultly for legacy applications is updating the user's new database from the old one safely. NSS uses dynamically loaded modules to figure out what PKCS #11 modules to load. The NSS softoken functions as one of these modules (as well as a PKCS #11 module itself). libnsssysinit.so is one of these modules. The idea here is libnsssysinit could be replaces by a module that gets the PKCS #11 information from some other database. It could even do complicated parsing stuff based on requesting application, user, and an administrator's policy. The point here is we can dynamically change where and how NSS gets it's PKCS #11 information to load. While we believe we've solved the problem for NSS, we also recognize that there may be a need for other solutions as well. It's possible to get NSS to load PKCS #11 information stored in some other format by adding a shared library that reads that other storage information and builds NSS PKCS11_Module_Specs (described by the first document) and presents them to NSS. bob > For the last little while I've been working on p11-kit, and integrating > it into various projects across the open source community. > > http://p11-glue.freedesktop.org/p11-kit.html > > One of the main issues it tries to solve, is that of a standard > configuration/registry for PKCS#11 modules. This has several benefits: > > * A package that installs a PKCS#11 module can install config file > which allows it to be automatically detected by other apps (whether > or not they enable it automatically). > > * A system configuration which can be overridden by the user. So that > a sysadmin can install a PKCS#11 module for all users. > > * Optional lockdown of module config, where users can't trivially > modify which PKCS#11 modules are loaded across the Desktop. > > The documentation format is documented here: > > http://p11-glue.freedesktop.org/doc/p11-kit/config.html > > I'd love to help make it possible for NSS to use this config system as > well (along side its current setup). I believe the config system as > designed is flexible enough to handle NSS's special needs, and I've > looked over the pkcs11.txt style configuration while developing this. > > But since we're in the early stages of finalizing p11-kit, it'd be great > to hear any areas where the config stuff falls short. > > Cheers, > > Stef
-- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
