On 01/14/2015 02:59 PM, Robert Daniels wrote:
> John,
>
> Some additional observations.
>
> If I debug with a breakpoint over the password callback, it's never
> called when invoking pkcs12_export, however it is invoked when
> calling find_key_by_any_cert.

Hmmm ... that seems odd. It's NSS that decides if it needs to acquire a password in order to perform an operation. So I guess there are two possibilities here, either NSS never invoked the password callback or the python binding somehow failed to invoke the callback you set. However I would expect if that were the case you would get a subsequent error about not having permission to access the key.

What version of python-nss are you using?

> I also notice 2 flavors of the callbacks for password, one taking 2
> parameters and the other 3, which is confusing. find_any_key_bt_cert
> only works with the 3-parameter flavor. I used a 2-param callback as
> was given in the sample code for test_pkcs12.py
>
> cb1(slot, retry, password)
>
> cb2(slow, retry)

FYI The API docs for python-nss are here:

https://mozilla.github.io/python-nss-docs/

Specifically the doc for setting the password callback is here:

https://mozilla.github.io/python-nss-docs/nss.nss-module.html#set_password_callback

which says:

    The callback has the signature:

    password_callback(slot, retry, [user_data1, ...]) -> string or None

I think the reason you're confused is that the callback takes 2 required parameters (slot & retry), all other parameters are optional. You decide what you need to pass to the callback. In traditional C or Java code such callbacks usually have 1 user data parameter, if you only need to pass one value you pass that in the user data parameter, if you need 2 or more values you're forced to pass a complex structure. But because Python has a more relaxed calling convention it's easy to support the equivalent of "varargs" (variable arguments), so all you have to do is make sure your callback and what you pass have the same signature. If you pass 3 args make sure the callback accepts 3 args, etc.

As for why pkcs12 is not working for you I can't say. There were bug fixes along the way, hence why I'm wondering about the version.
I do know other projects are using the pkcs12 functionality, that combined with the unit test suggests it works in the cases we know about. If you're still stuck it might come down to sharing your db with me and allowing me to run it under the debugger. However, I'm real busy at the moment and I'm not sure I can take the time out, but if I can I'll try to help.

--
John

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
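
The signature rule described in the message above, as an added example that is not part of the original thread and not python-nss code: a check that a password callback accepts `(slot, retry)` plus exactly the user data a call will forward. The helper `check_password_callback`, the callback bodies and the sample password are constructed for illustration; the block does not import python-nss.

```python
import inspect


def check_password_callback(callback, *user_data):
    """Return None if callback(slot, retry, *user_data) is callable, else a reason.

    Hypothetical helper mirroring the documented signature
    password_callback(slot, retry, [user_data1, ...]) -> string or None.
    """
    try:
        # bind() applies Python's calling rules without running the callback.
        inspect.signature(callback).bind("slot", False, *user_data)
    except TypeError as exc:
        return "callback rejects (slot, retry) + %d user value(s): %s" % (
            len(user_data), exc)
    return None


# Constructed callbacks matching the two flavors mentioned in the thread.
def cb1(slot, retry, password):
    # retry is true when a previous attempt failed; returning None stops
    # the prompting instead of resubmitting the same wrong password.
    return None if retry else password


def cb2(slot, retry):
    return None if retry else "constructed-db-password"


def cb_varargs(slot, retry, *user_data):
    # Accepts any amount of user data, so one callback serves both call styles.
    return None if retry or not user_data else user_data[0]


if __name__ == "__main__":
    for cb, extra in [(cb1, ("pw",)), (cb1, ()), (cb2, ()), (cb2, ("pw",)),
                      (cb_varargs, ()), (cb_varargs, ("pw",))]:
        problem = check_password_callback(cb, *extra)
        print(cb.__name__, len(extra), "user value(s):", problem or "ok")
```

Running such a check before registering a callback turns an arity mismatch into an explicit message at setup time rather than a failure inside the operation that needed the password.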