On 03/17/2016 06:17 AM, Túlio Gomes wrote:
Hello, I need to access a smartcard for signing documents with the private key 
stored inside it.
The idea is to create a C++ component that will be used with a PNaCl module 
inside Chrome's browser.

So I decided to use NSS, but I'm confused about what steps I need to do to 
load the smartcard, access the private key, sign and verify the document.

I read almost all the existing documentation and didn't find any sample to do 
that.

So, here's my code:

#include <stdio.h>
#include <stdlib.h>
#include <nss.h>
#include <pk11pub.h>
#include <secmod.h>

int main(int argc, char** argv) {
        SECMODModule *module;
        SECStatus rv;
        /* module spec: library to load plus the name the token appears under */
        static char moduleName[] = "library=libwdpkcs_icp.so name=Token-libwdpkcs_icp";

        /* added fix: NSS must be initialized before any SECMOD_/PK11_ call */
        rv = NSS_NoDB_Init(NULL);
        if (rv != SECSuccess) {
                fprintf(stderr, "fail to init NSS\n");
                exit(1);
        }

        module = SECMOD_LoadUserModule(moduleName, NULL, PR_TRUE);

        if(!module || !module->loaded) {
                fprintf(stderr, "fail to load module\n");
                exit(1);
        }

        PK11SlotInfo* slot = PK11_GetInternalSlot(); //didn't work. Returns nothing (0x0);
        // (this is the internal softoken slot, not the smartcard's slot)
You need to initialize NSS itself first.

        /*
        *  OK, I load the module. What's next? I need to create a DB or I can 
        *  access the token directly? If so, how can I do this?
        *  Probably the next step is to get the slot info. But how?
        */

Once you do this, the token certs are available with any db certs that you may already have. Typically in NSS you look up the certs you are interested in. 'User' certs are certs with private keys associated with them. Once you select a cert, you can look up the key. Then you can use that key to sign, decrypt or unwrap. If the cert and key you select are in the token, NSS will use it.

You can find an example for decrypting here:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/nss_sample_code/NSS_Sample_Code_sample4

In this example, the cert is found with:
  cert = PK11_FindCertFromNickname("TestCA", NULL);

You can find a cert on a smartcard by using "tokenname:certname" as the nickname.
If you create a database:
   mkdir ./certs
   certutil -N -d ./certs
use modutil to add your smart card
   modutil -add Token-libwdpkcs_icp -lib libwdpkcs_icp.so -dbdir ./certs
You can then list all the certs on your smart card with
    certutil -L -h all -d ./certs
     (you'll be prompted for the pin for your smartcard).

You can also use
     PK11_ListCertsInSlot() to find all the certs on your smart card.
You can use PK11_FindSlotByName() or PK11_FindSlotsByNames() to find the slot for your smart card.

/usr/include/nss3/pk11pub.h has a list of most of the functions that deal with smart cards.


NOTE: In the example, you'll need to fix the password function to actually prompt for the password. If you don't, you can lock your token if it has a fixed number of retries.

bob

        SECMOD_DestroyModule(module);
}

Can anyone give me some help?
Thanks in advance.
PS: sorry for my English



-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
