On 11/06/2014 03:12 PM, Mike Gerow wrote:
> Apologies if a dupe of this shows up. I had posted my last question without _properly_ subscribing to the list and so it is stuck in some kind of moderator queue.
>
> I'm trying to add the opencryptoki PKCS#11 module to Chrome/Firefox's nssdb, and it seems to have worked properly:
>
> $ modutil -dbdir sql:$HOME/.pki/nssdb -list

Interesting that you got firefox to point to here...

> Listing of PKCS #11 Modules
> -----------------------------------------------------------
>   1. NSS Internal PKCS #11 Module
>          slots: 2 slots attached
>         status: loaded
>
>          slot: NSS Internal Cryptographic Services
>         token: NSS Generic Crypto Services
>
>          slot: NSS User Private Key and Certificate Services
>         token: NSS Certificate DB
>
>   2. TPM
>         library name: /usr/lib/x86_64-linux-gnu/opencryptoki/libopencryptoki.so.0
>          slots: 1 slot attached
>         status: loaded
>
>          slot: OpenCryptoki Software Backend
>         token: IBM OS PKCS#11
> -----------------------------------------------------------
>
> The only issue is that when the application uses the module for the first time it requests a PIN from the user. I'm actually more interested in the privilege separation that a PKCS#11 module provides, so I have this PIN set to a simple value that I don't really consider a secret.
>
> Is it possible to add the PIN for the module to the nssdb as well so that I can prevent the user from being asked for it?

Firefox doesn't cache pins for tokens anywhere. I don't think Chrome does either. It's a tricky thing that can easily cause problems if it goes wrong. If, for instance, you had a removable token and replaced that removable token with a different token. If the pin caching code isn't implemented correctly, you could hammer the token with retry attempts without the user ever noticing, until they try to use the token for real.

I know some server products do some pin caching so that you can use unattended operations, and the code records the token name so there is at least some attempt to prevent token smashage.

Upshot is "there probably isn't a way to do what you want, and providing one could be a slightly longer rope than we'd like to pass on to the users".

bob
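As an added example (not code from this thread, NSS or opencryptoki), a small Python model of the hazard Bob describes: a PIN cache that records the token's identity and gives up after a single rejection, next to the blind replay that silently burns the token's retry counter. Token, PinCache, naive_replay, MAX_RETRIES and the serial numbers are all constructed here for illustration.

```python
from dataclasses import dataclass, field

MAX_RETRIES = 3  # assumed per-token retry budget before the token locks


@dataclass
class Token:
    """Constructed stand-in for a PKCS#11 token: identity plus a retry counter."""
    label: str
    serial: str
    pin: str
    retries_left: int = MAX_RETRIES

    def login(self, pin: str) -> bool:
        """Models C_Login: a wrong PIN burns one retry; at zero the token is locked."""
        if self.retries_left == 0:
            return False
        if pin == self.pin:
            return True
        self.retries_left -= 1
        return False


def naive_replay(token: Token, pin: str, attempts: int = 3) -> bool:
    """The failure mode Bob describes: a cached PIN replayed blindly until it works."""
    for _ in range(attempts):
        if token.login(pin):
            return True
    return False


@dataclass
class PinCache:
    """Caches a PIN together with the identity of the token it was entered on."""
    entries: dict = field(default_factory=dict)

    def remember(self, token: Token, pin: str) -> None:
        self.entries[token.label] = (token.serial, pin)

    def login(self, token: Token) -> str:
        """Returns 'cached' on success or 'prompt' when the user must be asked.
        Never replays onto a token with a different serial; evicts after one reject."""
        entry = self.entries.get(token.label)
        if entry is None or entry[0] != token.serial:
            return "prompt"            # unknown or swapped token: ask the user
        if token.login(entry[1]):
            return "cached"
        del self.entries[token.label]  # one failure: forget the PIN, don't hammer
        return "prompt"
```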
-- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto