To whom it may concern,

I have a PKCS#11 device that supports ECC operations. In particular,
C_GetMechanismList includes the following items:

CKM_ECDH1_DERIVE
CKM_ECDH1_COFACTOR_DERIVE
CKM_EC_KEY_PAIR_GEN
CKM_ECDSA

The module is added to Firefox using nsIPKCS11::addModule with 0 for both the 
cryptoMechanismFlags and the cipherFlags.

If I put Firefox into FIPS mode, it uses my PKCS#11 module to perform ECC
computations during TLS negotiation where ECDHE is being preferred by the
server. In particular, it will call C_GenerateKeyPair (to generate an ECC key 
pair), C_DeriveKey (to derive a shared secret), C_GetAttributeValue (to obtain 
the shared secret), C_CreateObject (to add an RSA public key for some reason), 
and C_WrapKey (to wrap the secret key with the recently added RSA key).

Fundamentally I think this should work, but Firefox tends to "hang" after 
C_WrapKey returns. That's something that I'm continuing to examine. Anyway, the 
crux of the problem with respect to this mailing list is that I don't think 
Firefox should be using the token to perform these operations as I set flags in 
addModule to 0. 

Any guidance on this issue you can provide is most welcome.

Thanks in advance,
Jonathan

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
