Re: PKCS#11 API
I have seen this. It appears to be a packing issue with respect to the 2-byte version value that is at the start of the function list. By default (I'm generalising here) a compiler will pack that on a 4-byte boundary, but it must be packed on a 1- or 2-byte boundary. So what happens is the application starts reading the function pointers 2 bytes off, and hence the addresses are incorrect. The way I solved it was to put a #pragma pack(1) (I'm using Visual C++) around the function pointer list.

Hope that helps.

Carla Schaffner [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

If I call the function C_Initialize with the pointer from C_FunctionList, it doesn't find the function and throws the error Segmentation fault.

(example from the rsa PKCS#11 v2 Spec)

    CK_FUNCTION_LIST_PTR pFunctionList;
    CK_C_Initialize pC_Initialize;
    CK_RV rv;

    rv = C_GetFunctionList(&pFunctionList);
    if (rv == CKR_OK) {
        fprintf(stdout, "FunktionList OK!\n");
    }
    pC_Initialize = pFunctionList->C_Initialize;
    // call the C_Initialize function
    rv = (*pC_Initialize)(NULL_PTR);

-- if I call the function C_Initialize without C_FunctionList pointer it works.

    rv = C_Initialize(NULL_PTR);

where is the problem?

Jean-Marc Desperrier wrote:

Carla Schaffner wrote:

Thanks for your answer! But in this example (rsa security) it looks like it could be used without a pointer...or am I wrong?

This sample could be using some macro that hides the dereferencing of the pointer, but even that doesn't explain why it does not seem to call GetFunctionList first. Directly calling the function is very unusual. Despite that the PKCS#11 v2 says you should use C_GetFunctionList, in most implementations the PKCS#11 library still exports the sub-function so you could call them directly. But in most any case, you want your program to interface with any pkcs#11 module, so you never statically link it with a given PKCS#11 library, which is the only way to directly call the function.

So whether you do it as it should be, using C_GetFunctionList, or use a dynamic library loading function to locate the function address, you always end up calling a pointer, so your sample is very strange and not really functional.

___
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
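The layout mismatch the first reply in this thread describes, shown as an added example that is not part of the original messages: a module stores its function list with 1-byte packing, and an application that declares the same list with default packing looks for C_Initialize at the wrong offset. The `demo_*` and `list_*` types are hypothetical stand-ins for the Cryptoki declarations, not the real headers.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the Cryptoki types (assumed names, not the real headers). */
typedef unsigned long demo_rv;                       /* plays the role of CK_RV */
typedef demo_rv (*demo_fn)(void *);                  /* plays the role of CK_C_Initialize */
struct demo_version { unsigned char major, minor; }; /* 2 bytes, like CK_VERSION */

/* Layout the module was built with: 1-byte packing, pointers start at offset 2. */
#pragma pack(push, 1)
struct list_packed { struct demo_version version; demo_fn C_Initialize, C_Finalize; };
#pragma pack(pop)

/* Layout an application gets if it declares the same list with default packing. */
struct list_default { struct demo_version version; demo_fn C_Initialize, C_Finalize; };

/* Build-time guard: the first pointer must directly follow the version field. */
_Static_assert(offsetof(struct list_packed, C_Initialize) == sizeof(struct demo_version),
               "function list is not packed as the module expects");

static demo_rv demo_initialize(void *args) { (void)args; return 0; } /* 0 = success */
static demo_rv demo_finalize(void *args) { (void)args; return 0; }

/* Copy a function pointer out of raw bytes at `offset`; the result is never called. */
static demo_fn read_slot(const unsigned char *bytes, size_t offset) {
    demo_fn fn;
    memcpy(&fn, bytes + offset, sizeof fn);
    return fn;
}

/* Returns 1 if an application using `app_offset` for C_Initialize recovers the
   pointer the packed module stored, 0 if it reads a shifted, bogus address. */
int app_sees_c_initialize(size_t app_offset) {
    unsigned char bytes[sizeof(struct list_default)] = {0};
    struct list_packed module = { {2, 1}, demo_initialize, demo_finalize };
    memcpy(bytes, &module, sizeof module);
    return read_slot(bytes, app_offset) == demo_initialize;
}

int main(void) {
    size_t packed = offsetof(struct list_packed, C_Initialize);
    size_t dflt = offsetof(struct list_default, C_Initialize);
    printf("packed view:  offset %zu, pointer ok = %d\n", packed, app_sees_c_initialize(packed));
    printf("default view: offset %zu, pointer ok = %d\n", dflt, app_sees_c_initialize(dflt));
    return 0;
}
```

With the real headers, the same build-time guard would compare the offset of C_Initialize in CK_FUNCTION_LIST against sizeof(CK_VERSION), on platforms where the module is built with 1-byte packing.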
Write protected PKCS#11 Soft Token?
Hi there,

I am testing out the NSS 3.8 PKCS#11 Soft Token, and have managed to load it correctly and initialise it correctly. However I note from the returned flags of C_GetTokenInfo that the token is write protected, and this is obviously why my calls to C_GenerateKey are failing with CKR_TOKEN_WRITE_PROTECTED.

Could someone please tell me how I remove the write protection from the token? Is it necessary for me to login to the NSS Certificate DB token to do this?

Here is the debug out from my application - does anyone know what the Unknown token flag 0x8000 is, that is returned by C_GetTokenInfo?

    Pkcs11_Initialize
    Copying elements from caller-provided init structure
    Initializing with: configDir='c:/nss/config' certPrefix='' keyPrefix='' secmod='secmod.db'
    Calling C_Initialize with modified init structure
    snetpk11.dll: DllMain(hModule=0x0023, dwReason=2)
    snetpk11.dll: DllMain(hModule=0x0023, dwReason=2)
    C_Initialize succeeded
    Pkcs11_GetSlotList(tokenPresent=1)
    C_GetSlotList succeeded: pSlotList=0x, *pulCount=2
    Pkcs11_GetSlotList(tokenPresent=1)
    C_GetSlotList succeeded: pSlotList=0x008218C0, *pulCount=2
    [0] = SlotID 1
    [1] = SlotID 2
    Pkcs11_GetTokenInfo(slotID=1)
    C_GetTokenInfo succeeded: label=NSS Generic Crypto Services, manufacturerID=mozilla.org, model=NSS 3, serialNumber=, flags=0x8003, ulMaxSessionCount=0, ulSessionCount=0, ulMaxRwSessionCount=0, ulMaxPinLen=0, ulMinPinLen=0, ulTotalPublicMemory=0, ulFreePublicMemory=0, ulTotalPrivateMemory=0, ulFreePrivateMemory=0
    Token Flags: CKF_RNG, CKF_WRITE_PROTECTED, Unknown Flags: 0x8000.
    Pkcs11_GetTokenInfo(slotID=2)
    C_GetTokenInfo succeeded: label=NSS Certificate DB, manufacturerID=mozilla.org, model=NSS 3, serialNumber=, flags=0x800c, ulMaxSessionCount=0, ulSessionCount=0, ulMaxRwSessionCount=0, ulMaxPinLen=255, ulMinPinLen=0, ulTotalPublicMemory=1, ulFreePublicMemory=1, ulTotalPrivateMemory=1, ulFreePrivateMemory=1
    Token Flags: CKF_LOGIN_REQUIRED, CKF_USER_PIN_INITIALIZED, Unknown Flags: 0x8000.
    Pkcs11_OpenSession(slotID=1, flags=0x6)
    Session Flags: CKF_RW_SESSION, CKF_SERIAL_SESSION.
    C_OpenSession succeeded: *phSession=0x1
    Pkcs11_GenerateKey(hSession=0x1, pMechanism-mechanism=0x131)
    C_GenerateKey failed: CKR_TOKEN_WRITE_PROTECTED
    Pkcs11_CloseSession(hSession=0x1)
    C_CloseSession succeeded
    Pkcs11_Finalize
    C_Finalize succeeded
Re: Why a SSL server can't get certificate of client?
Hi,

yangbingyu wrote:

I'm trying to use an SSL server with NSS, but I get an error that is -12199 (No certificate authority is trusted for SSL client authentication),

The error is quite explicit. In the server database, you need to add the CA certificates that you trust for client authentication, and mark them trusted. You can perform both operations using certutil.