For such a tricky thing, although I don't like it, you could use a "proxy"
library, like PKCS11SPY which forwards every call to your library, but
sends the PIN when needed / at first use if your token is present (to avoid
locking other cards).

If you need such behaviour, why not just use the NSS keystore without a
password (not using a smartcard)? Did you follow
https://wiki.mozilla.org/NSS_Shared_DB_Howto? Did you find any problem
using a shared db?

Regards.

On Fri, Nov 7, 2014 at 1:08 AM, Mike Gerow <ge...@google.com> wrote:

> Thanks for the quick reply! I can see how caching the PIN would have
> its issues, but I'm not interested in having NSS ask for the PIN once
> and save it, but in configuring it to just use a provided PIN in the
> first place.
>
> As I think about this more, though, I guess the solution might lie on
> the PKCS#11 module side instead of in NSS, in that the token shouldn't
> have its CKF_LOGIN_REQUIRED flag set (and of course be configured so
> as not to require C_Login to be called before doing cryptographic
> operations).
>
> But now my problem is that I have to convince opencryptoki to do
> something it probably doesn't want to :-). Oh well, thanks again for
> cluing me in.
>
> On Thu, Nov 6, 2014 at 3:58 PM, Robert Relyea <rrel...@redhat.com> wrote:
> > On 11/06/2014 03:12 PM, Mike Gerow wrote:
> >>
> >> Apologies if a dupe of this shows up. I had posted my last question
> >> without _properly_ subscribing to list and so it is stuck in some kind
> >> of moderator queue.
> >>
> >> I'm trying to add the opencryptoki PKCS#11 module to Chrome/Firefox's
> >> nssdb, and it seems to have worked properly:
> >>
> >> $ modutil -dbdir sql:$HOME/.pki/nssdb -list
> >
> > Interesting that you got firefox to point to here...
> >>
> >>
> >> Listing of PKCS #11 Modules
> >> -----------------------------------------------------------
> >>    1. NSS Internal PKCS #11 Module
> >> slots: 2 slots attached
> >> status: loaded
> >>
> >> slot: NSS Internal Cryptographic Services
> >> token: NSS Generic Crypto Services
> >>
> >> slot: NSS User Private Key and Certificate Services
> >> token: NSS Certificate DB
> >>
> >>    2. TPM
> >> library name: /usr/lib/x86_64-linux-gnu/opencryptoki/libopencryptoki.so.0
> >> slots: 1 slot attached
> >> status: loaded
> >>
> >> slot: OpenCryptoki Software Backend
> >> token: IBM OS PKCS#11
> >> -----------------------------------------------------------
> >>
> >> The only issue is that when the application uses the module for the
> >> first time it requests a PIN from the user. I'm actually more
> >> interested in the privilege separation that a PKCS#11 module provides
> >> so I have this PIN set to a simple value that I don't really consider
> >> a secret.
> >
> > Firefox doesn't cache pins for tokens anywhere. I don't think Chrome does
> > either. It's a tricky thing that can easily cause problems if it goes wrong.
> > If, for instance, you had a removable token and replaced that removable
> > token with a different token. If the pin caching code isn't implemented
> > correctly, you could hammer the token with retry attempts without the user
> > ever noticing, until they try to use the token for real.
> >
> > I know some server products do some pin caching so that you can use
> > unattended operations, and the code records the token name so there is at
> > least some attempt to prevent token smashage.
> >
> > Upshot is "there probably isn't a way to do what you want, and providing
> > one could be a slightly longer rope than we'd like to pass on to the users".
> >
> > bob
> >
> >>
> >> Is it possible to add the PIN for the module to the nssdb as well so
> >> that I can prevent the user from being asked for it?
> >
> >
> >
> >
> > --
> > dev-tech-crypto mailing list
> > dev-tech-crypto@lists.mozilla.org
> > https://lists.mozilla.org/listinfo/dev-tech-crypto
>
>
>
> --
> Mike Gerow
> ge...@google.com
>
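The token-swap hazard Bob describes, as an added example (not code from the thread; Token, PinCache, the labels and serials are all invented): a naive cache replays the saved PIN against whatever token is now in the slot and burns its retry counter, while a cache that records the token identity falls back to prompting.

```python
# Added example (not from the thread; all names invented): a toy token with a
# PKCS#11-style retry counter, and a PIN cache that either replays the PIN
# blindly or, as Bob describes, records which token it was saved for.
from dataclasses import dataclass

MAX_RETRIES = 3  # assumed: tokens typically lock after a few wrong PINs


@dataclass
class Token:
    label: str
    serial: str
    pin: str
    retries_left: int = MAX_RETRIES

    def c_login(self, pin: str) -> bool:
        """Mimics C_Login: a wrong PIN burns one retry; at zero the token is locked."""
        if self.retries_left == 0:
            return False
        if pin == self.pin:
            self.retries_left = MAX_RETRIES
            return True
        self.retries_left -= 1
        return False


class PinCache:
    """bound=False: store only the PIN. bound=True: also store the token identity."""
    def __init__(self, token: Token, pin: str, bound: bool):
        self.pin = pin
        self.identity = (token.label, token.serial) if bound else None

    def login(self, token: Token) -> str:
        if self.identity and (token.label, token.serial) != self.identity:
            return "prompt"  # different token: ask the user, never replay the PIN
        return "ok" if token.c_login(self.pin) else "failed"


def unattended_ops(cache: PinCache, token: Token, n: int) -> list:
    """n background operations that each need a login, with no user watching."""
    return [cache.login(token) for _ in range(n)]


def swap_demo(bound: bool) -> tuple:
    """Cache PIN for token A, swap in token B, run 3 ops; return (results, B retries)."""
    a = Token("IBM OS PKCS#11", "A001", "1234")
    cache = PinCache(a, "1234", bound)
    b = Token("Other card", "B002", "9876")
    return unattended_ops(cache, b, 3), b.retries_left
```

With `bound=False` the three unattended operations lock token B with the user never having typed anything; with `bound=True` each operation returns "prompt" and B's retry counter is untouched.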