On Thu, Jan 8, 2015 at 11:19 PM, Robert Relyea <rrel...@redhat.com> wrote:
> On 12/11/2014 12:33 AM, helpcrypto helpcrypto wrote:
>
>> Hi again, sorry for the delay.
>>
>> Yes, you can (SHOULD) use SunPKCS#11 to access directly the
>> libraries/modules.
>> You can do it two ways:
>>
>> - attack libraries directly
>> - parse (legacy) secmod.db on Firefox profile to list modules/libraries.
>>
> Actually this is a very good way to corrupt your database. Mozilla still
> uses the old database, so accessing your NSS database from SunPKCS#11 with
> another softoken module while you are running will corrupt your database.
>

Hi Bob

As I pointed out years ago, the only issue we have detected so far is writing on certs8.db while Mozilla (FF/TB) is running. Sometimes this could lead to corrupt files and they must be deleted to be freshly created again. We haven't found the exact reason or moment when this corruption occurs.

Apart from those...30? 20? cases in 5 years with more than 100k operations each year, our experience is quite good. (Although Applets suck and we are thinking to move to plugins).

The parsing we are making is just a "read only" operation on secmod.db to get the module names/libraries to invoke them from SunPKCS#11.

> Unfortunately the only safe way is to use JSS, as sucky as it is. You can
> use JSS as just a provider and use your normal Java interfaces, however.
> You don't need to use the direct to NSS bindings.
>

I remember I asked a few years ago about JSS and I received more or less the following response: "JSS is not intended for applets, so your question won't have an answer"

Regards

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto