Christoph Brueckner wrote:
hi Jens,

Uff, I thought I was the only one on this planet who's struggling with the softoken ;-) But now I have
it actually running!

"Jens B. Jorgensen" wrote:

My suspicion was the same as yours so I searched through secmod.db and found a
string containing the path to my profile since the module would certainly need
this. I pulled out the string:

Finally I got it running. First I modified the softoken's
nsc_CommonInitialize a little bit:

<SNIP>
CK_RV nsc_CommonInitialize(CK_VOID_PTR pReserved, PRBool isFIPS)
{
    CK_RV crv = CKR_OK;
    SECStatus rv;
    CK_C_INITIALIZE_ARGS *init_args = (CK_C_INITIALIZE_ARGS *) pReserved;
    int i;
    int moduleIndex = isFIPS ? NSC_FIPS_MODULE : NSC_NON_FIPS_MODULE;
    /* CBR: hard-coded init args, used instead of the caller's pReserved */
    CK_C_INITIALIZE_ARGS myInitArgs = { 0 };  /* zero the fields not set below */
    char *params = "configdir=\'C:/Dokumente und Einstellungen/mes/"
                   "Anwendungsdaten/Mozilla/Profiles/Default User/5ucspxqs.slt\'"
                   "certPrefix=\'\'keyPrefix=\'\'secmod=\'secmod.db\'";

    myInitArgs.LibraryParameters = params;
    init_args = &myInitArgs;
    .
    .
    .
</SNAP>

Note that this is only a "quick hack" to get the softoken running
without passing a CK_C_INITIALIZE to C_Initialize. Later
I will use environment variables or ini files to supply the
profile dir and the secmod.db name.

NOTE: I assume you are using Windows ;-) Then you will have to use
a slash as file separator instead of backslash!
First I used backslashes in the configdir string,
which causes an error when calling C_Initialize.

You are the man! Changing the backslashes to forward slashes was the magic. I figured this would work since I found this in the secmod db but it didn't. This now works for me. That is *so* cool. Very nice.


Actually C_GetFunctionList is really all it needs to export. C_GetFunctionList
gets you pointers to all the other functions.

Ok. This was my fault. Of course it's sufficient to just export
C_GetFunctionList. With the little modification above in the softoken
function I could call C_Initialize passing a NULL_PTR without any problem.


Ok, now things are a little clearer. Perhaps you might instead look at
encapsulating openssl to do the encryption? openssl is truly a standalone
library and though its interface is poorly documented I have used it on a couple
of occasions and haven't had too much trouble getting things to work.

Hmm. I just want to use the existing encryption part of the softoken. The softoken has a crypto token in slot 1 which performs
all cryptographic operations like sign, encrypt...
Slot 2 seems to be responsible for the key and cert storage.


By the way though if you want to ultimately use this pkcs11 module in
mozilla/netscape you don't have to implement all the other encryption stuff at
all. For example I have a Dallas Semiconductor Java iButton crypto token which
has a pkcs11 module.

That's funny. My external secure device is Java-based too. On that
device I store my private keys and I want to do all the private key
associated crypto operations. In fact bouncycastle for Java is providing
all the crypto operations on my secure crypto devices.
Unfortunately there is no PKCS#11 API for my secure Java device, so I
decided to make it accessible for applications through PKCS#11.

Since I don't want to waste time implementing things which are
already done, I thought of modifying the PKCS#11 softoken.
Softoken can do all the "dirty" stuff (session management, object
management and public key related crypto operations). But instead of
retrieving the private keys from the "key3.db" I want to modify the
softoken to retrieve the private keys from my secure device.
Hope this is possible with softoken? Has this something
to do with the so-called "lowkey" and "crypto" layer of NSS?

Unfortunately I didn't find any documentation for the softoken,
ckfw or fortcrypt. :-(
If someone out there has some documentation or diagrams for the
softoken or ckfw please tell me where I can find it.

Well, I can't offer any help with this. But now we both have the PKCS11 module working though and that is very cool. BTW if you're a Python user I have a python wrapper module for pkcs11. It makes testing stuff and messing around with a PKCS11 module very easy. I haven't implemented all of the PKCS11 functions for it yet (I've only done the ones I needed, naturally) but adding more should be easy since a lot of the stuff would be easy to cut and paste modify from what I have. Email me if you want it as I don't think I have it posted anywhere at the moment.

Thanks in advance

Christoph Brueckner
--
Jens B. Jorgensen
[EMAIL PROTECTED]
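
The slash fix from this thread as a small helper, for the case mentioned above where the profile directory later comes from an environment variable or ini file and is no longer a trusted constant. This is an added example, not code from either poster or from NSS; `build_softoken_params` and its arguments are hypothetical names, the sample path is constructed, and separating the parameters with spaces is an assumption about what the softoken parser accepts.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not an NSS function): build the softoken parameter
 * string with the keys used in the message above from a Windows profile
 * path. Returns 0 on success, -1 if an input is unusable or out is too small. */
int build_softoken_params(const char *profile_dir, const char *secmod_name,
                          char *out, size_t outlen)
{
    char dir[512];
    size_t i, n;
    int written;

    if (!profile_dir || !secmod_name || !out || outlen == 0)
        return -1;
    n = strlen(profile_dir);
    if (n == 0 || n >= sizeof dir)
        return -1;
    for (i = 0; i < n; i++) {
        char c = profile_dir[i];
        /* A quote would close the quoted value early, so the rest of the
         * path would be parsed as extra parameters. Reject it. */
        if (c == '\'' || c == '"')
            return -1;
        /* Backslashes made C_Initialize fail in the thread; use slashes. */
        dir[i] = (c == '\\') ? '/' : c;
    }
    dir[n] = '\0';
    /* This helper only accepts a bare file name for the module database. */
    if (secmod_name[0] == '\0' || strpbrk(secmod_name, "'\"\\/"))
        return -1;
    /* Assumption: parameters are separated by single spaces. */
    written = snprintf(out, outlen,
                       "configdir='%s' certPrefix='' keyPrefix='' secmod='%s'",
                       dir, secmod_name);
    if (written < 0 || (size_t)written >= outlen)
        return -1;
    return 0;
}

int main(void)
{
    char params[1024];
    /* Constructed sample path, not the profile from the message. */
    if (build_softoken_params("C:\\Users\\test\\Mozilla\\Profiles\\abc.slt",
                              "secmod.db", params, sizeof params) != 0)
        return 1;
    puts(params);
    return 0;
}
```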

