Re: Using Softoken as standalone pkcs#11 module?
Wan-Teh Chang wrote: I finally found the email we sent to the PKCS #11 Working Group. It is archived at http://islab.oregonstate.edu/emails/cryptoki-01/0410. I emailed you a copy of this on Tuesday. Did you receive it?
Re: Using Softoken as standalone pkcs#11 module?
Wan-Teh Chang wrote: Christoph Brueckner wrote: hi Julien, thanks for your reply. Julien Pierre wrote: At this time softoken is still tied to NSS. It requires an initialization string to be passed to C_Initialize. If you can make your other applicaitons pass that string, you might be able to use it. What is the syntax of that initialization string? I couldnt find any docs regarding a init string for C_Initialize. I am looking for the documentation of that initialization string. I will post the URL here once I find it. I finally found the email we sent to the PKCS #11 Working Group. It is archived at http://islab.oregonstate.edu/emails/cryptoki-01/0410. Note that it may be slightly out of date. I plan to publish an updated version as a NSS technical note. Wan-Teh
Re: Using Softoken as standalone pkcs#11 module?
hi Wan-Teh, thanks for your reply. I am looking for the documentation of that initialization string. I will post the URL here once I find it. Do you have any other documentation for softoken or the ckfw? Please tell me where i can find it or send it to me via email. After reading the softoken source code for plenty of hours ;-) i am just wondering why the softoken seems to need the secmod.db? Its quite clear to me that the softoken needs a key.db and cert.db for storing the keys and certificates persistently. But the secmod.db is managing all pkcs#11 modules available to NSS? So i thought softoken is just one of these modules registered in the secmod.db? For which purpose does softoken need the secmod.db? To make my goals more understandable: I am using a java crypto device which i want to make available to mozilla and other apps through a PKCS#11 module. This crypto device only supports private key storage and some RSA based private key crypto operations, so i want to integrate it into the pkcs#11 softoken by just directing all private key retrieval and private key crypto functions of softoken to my java crypto devices. Hope this is possible with softoken. I read something in the NSS-API-Guidlines of a Lowkey and Crypto layer. But unfortunaly there is not that much informations about these layers. Are there any docs regardings these two layers or softoken? Maybe some internal developer docs? Thanks in advance Christoph Brueckner
Re: Using Softoken as standalone pkcs#11 module?
hi Jens, uff, i thought i was the only one one this planet who's struggling with the softoken ;-) But now i have it actually running! Jens B. Jorgensen wrote: My suspicion was the same as yours so I searched through secmod.db and found a string containing the path to my profile since the module would certainly need this. I pulled out the string: Finally i get it running. First i modified the softoken's nsc_CommonInitialize a little bit: SNIP CK_RV nsc_CommonInitialize(CK_VOID_PTR pReserved, PRBool isFIPS) { CK_RV crv = CKR_OK; SECStatus rv; CK_C_INITIALIZE_ARGS *init_args = (CK_C_INITIALIZE_ARGS *) pReserved; int i; int moduleIndex = isFIPS? NSC_FIPS_MODULE : NSC_NON_FIPS_MODULE;CBR CK_C_INITIALIZE_ARGS myInitArgs; char *params= configdir=\'C:/Dokumente und Einstellungen/mes/Anwendungsdaten/Mozilla/Profiles/Default User/5ucspxqs.slt\'certPrefix=\'\'keyPrefix\'\'secmod=\'secmod.db\'; myInitArgs.LibraryParameters = params; init_args = myInitArgs; . . . /SNAP Note that this is only a quick hack to get the softoken running without passing a CK_C_INITIALIZE to C_Initialize. Later i will use environment variables or ini files to supply the profile dir and the secmod.db name. NOTE: I assume you are using Windows ;-) Then you will have to use a slash as fileseparator instead of backslash! First i used backslashs in the configdir string, which causes an error when calling C_Initiliaze. Actually C_GetFunctionList is really all it needs to export. C_GetFunctionList gets you pointers to all the other functions. Ok. This was my fault. Of course its sufficent to just export C_GetFunctionList. With the little modification above in the softoken function i could call C_Initialize passing a NULL_PTR without any problem. Ok, now things are a little clearer. Perhaps you might instead look at encapsulating openssl to do the encryption? openssl is truly a standalone library and though its interface is poorly documented I have used it on a couple of occasions and haven't had too much trouble getting things to work. Hmm. I just want to use the existing encryption part of the softoken. The softoken has a crypto token in slot 1 which performs all cryptographic operations like sign,encrypt. Slot 2 seems to be responsible for the key and certstorage. By the way though if you want to ultimately use this pkcs11 module in mozilla/netscape you don't have to implement all the other encryption stuff at all. For example I have a Dallas Semiconductor Java iButton crypto token which has a pkcs11 module. Thats funny. My external secure devices is java based too. On that device i store my private keys and i want to do all the private key associated crypto operations. In fact bouncycastle for java is providing all the crypto operations on my secure crypto devices. Unfortunatly there is no PKCS#11 API for my secure java device, so i decided to make it accessible for applications through pkcs#11. Since i dont want to waste time implementing things which are already done, i thought of modifying the pkcs#11 softoken. Softoken can do all the dirty stuff (session management, object management and public key related crypto operations). But instead of retrieving the private keys from the key3.db i want to modify the softoken to retrieve the private keys from my secure device. Hope this is possible with softoken? Has this something to do with the so called lowkey and crypto -layer of NSS? Unfortunatly i didn't found any documentation for the softoken, ckfw or fortcrypt. :-( If some out there has some documentation or diagramms for the softoken or ckfw please tell me where i can find it. Thanks in advance Christoph Brueckner
Re: Using Softoken as standalone pkcs#11 module?
Christoph Brueckner wrote: hi Jens, uff, i thought i was the only one one this planet who's struggling with the softoken ;-) But now i have it actually running! Jens B. Jorgensen wrote: My suspicion was the same as yours so I searched through secmod.db and found a string containing the path to my profile since the module would certainly need this. I pulled out the string: Finally i get it running. First i modified the softoken's nsc_CommonInitialize a little bit: SNIP CK_RV nsc_CommonInitialize(CK_VOID_PTR pReserved, PRBool isFIPS) { CK_RV crv = CKR_OK; SECStatus rv; CK_C_INITIALIZE_ARGS *init_args = (CK_C_INITIALIZE_ARGS *) pReserved; int i; int moduleIndex = isFIPS? NSC_FIPS_MODULE : NSC_NON_FIPS_MODULE;CBR CK_C_INITIALIZE_ARGS myInitArgs; char *params= configdir=\'C:/Dokumente und Einstellungen/mes/Anwendungsdaten/Mozilla/Profiles/Default User/5ucspxqs.slt\'certPrefix=\'\'keyPrefix\'\'secmod=\'secmod.db\'; myInitArgs.LibraryParameters = params; init_args = myInitArgs; . . . /SNAP Note that this is only a quick hack to get the softoken running without passing a CK_C_INITIALIZE to C_Initialize. Later i will use environment variables or ini files to supply the profile dir and the secmod.db name. NOTE: I assume you are using Windows ;-) Then you will have to use a slash as fileseparator instead of backslash! First i used backslashs in the configdir string, which causes an error when calling C_Initiliaze. You are the man! Changing the backslashes to forward slashes was the magic. I figured this would work since I found this in the secmod db but it didn't. This now works for me. That is *so* cool. Very nice. Actually C_GetFunctionList is really all it needs to export. C_GetFunctionList gets you pointers to all the other functions. Ok. This was my fault. Of course its sufficent to just export C_GetFunctionList. With the little modification above in the softoken function i could call C_Initialize passing a NULL_PTR without any problem. Ok, now things are a little clearer. Perhaps you might instead look at encapsulating openssl to do the encryption? openssl is truly a standalone library and though its interface is poorly documented I have used it on a couple of occasions and haven't had too much trouble getting things to work. Hmm. I just want to use the existing encryption part of the softoken. The softoken has a crypto token in slot 1 which performs all cryptographic operations like sign,encrypt. Slot 2 seems to be responsible for the key and certstorage. By the way though if you want to ultimately use this pkcs11 module in mozilla/netscape you don't have to implement all the other encryption stuff at all. For example I have a Dallas Semiconductor Java iButton crypto token which has a pkcs11 module. Thats funny. My external secure devices is java based too. On that device i store my private keys and i want to do all the private key associated crypto operations. In fact bouncycastle for java is providing all the crypto operations on my secure crypto devices. Unfortunatly there is no PKCS#11 API for my secure java device, so i decided to make it accessible for applications through pkcs#11. Since i dont want to waste time implementing things which are already done, i thought of modifying the pkcs#11 softoken. Softoken can do all the dirty stuff (session management, object management and public key related crypto operations). But instead of retrieving the private keys from the key3.db i want to modify the softoken to retrieve the private keys from my secure device. Hope this is possible with softoken? Has this something to do with the so called lowkey and crypto -layer of NSS? Unfortunatly i didn't found any documentation for the softoken, ckfw or fortcrypt. :-( If some out there has some documentation or diagramms for the softoken or ckfw please tell me where i can find it. Well, I can't offer any help with this. But now we both have the PKCS11 module working though and that is very cool. BTW if you're a Python user I have a python wrapper module for pkcs11. It makes testing stuff and messing around with a PKCS11 module very easy. I haven't implemented all of the PKCS11 functions for it yet (I've only done the ones I needed, naturally) but adding more should be easy since a lot of the stuff would be easy to cut and paste modify from what I have. Email me if you want it as I don't think I have it posted anywhere at the moment. Thanks in advance Christoph Brueckner -- Jens B. Jorgensen [EMAIL PROTECTED]
Re: Using Softoken as standalone pkcs#11 module?
Christoph Brueckner wrote: Ok. But why does softoken and builtin module only export the C_GetFunctionList function? I thought softoken and builtin are real PKCS#11 Modules. Why don't they export functions like C_Initialize, and all the other PKCS#11 functions directly? Instead softoken exports C_GetFunctionList, NSC_GetFunctionList, FC_GetFunctionList. What is the difference between these 3 functions? softoken was developed for NSS, and NSS needs to be able to handle multiple PKCS#11 devices simultaneously. As such, NSS uses the C_GetFunctionList interface and the corresponding table of function pointers to access a given module. NSS cannot simply call C_XXX functions directly, or there would be symbol conflict between modules. I imagine C_GetFunctionList is exported because that is the symbol other applications would look for when loading the softoken. NSC_GetFunctionList is the softoken's particular implementation of that function (you should find symbols for all the C_XXX functions prepended by 'NS'). FC_GetFunctionList is there because the softoken can be used in two modes, normal and FIPS-compliant. The FC_XXX functions are the FIPS version of the usual C_XXX stuff. -Ian
Re: Using Softoken as standalone pkcs#11 module?
Christoph, Interesting, I was trying to do a similar thing and posted to the group but got no reply. I've gotten partway down the road that Julien describes. Read on for more details. Christoph Brueckner wrote: hi Julien, thanks for your reply. Julien Pierre wrote: At this time softoken is still tied to NSS. It requires an initialization string to be passed to C_Initialize. If you can make your other applicaitons pass that string, you might be able to use it. What is the syntax of that initialization string? I couldnt find any docs regarding a init string for C_Initialize. I guess this has something to do with telling softoken where the key.db and cert.db is located? My suspicion was the same as yours so I searched through secmod.db and found a string containing the path to my profile since the module would certainly need this. I pulled out the string: configdir='C:\\Documents and Settings\\jbj1\\Application Data\\Mozilla\\Profiles\\jens\\7zkdfliy.slt' certPrefix='' keyPrefix='' secmod='secmod.db' flags= manufacturerID='Mozilla.org' libraryDescription='PSM Internal Crypto Services' cryptoTokenDescription='Generic Crypto Services' dbTokenDescription='Software Security Device' cryptoSlotDescription='PSM Internal Cryptographic Services' dbSlotDescription='PSM Private Keys' FIPSSlotDescription='PSM Internal FIPS-140-1 Cryptographic Services' FIPSTokenDescription='PSM FIPS-140-1 User Private Key Services' minPS=0 This seemed to have gotten me part of the way. Instead of CKR_ARGUMENTS_BAD instead then I would get a different error, don't remember exactly which one now. I looked at the PSM source for a while but decided before I would go on first I would try to see if it would be possible to get it to work. I posted my message to this list on 1/7 but nobody replied so that's where I left it. I saw your message today and of course this rekindled my interest. Is this C_Initalize thing the only change which made softoken not fully PKCS#11 compatible? Are there any other things which make softoken not fully PKCS#11 compatible? This was the main thing I was asking too. From looking at the source and the way it already perverted the CK_C_INITIALIZE_ARGS structure I was concerned there would be lots of other changes that I didn't want to deal with. I would love to hear an answer to this. I think the problem I was running into was with the synchronization. It didn't like me to specify none and didn't seem to like it if I passed mutex functions either. Anyone? softoken was written separately and isn't based on ckfw. Since it implements nearly all functions in the specification, making softoken use CKFW wouldn't make sense. Ok. But why does softoken and builtin module only export the C_GetFunctionList function? I thought softoken and builtin are real PKCS#11 Modules. Why don't they export functions like C_Initialize, and all the other PKCS#11 functions directly? Instead softoken exports C_GetFunctionList, NSC_GetFunctionList, FC_GetFunctionList. What is the difference between these 3 functions? Actually C_GetFunctionList is really all it needs to export. C_GetFunctionList gets you pointers to all the other functions. By the way I have had no trouble at all using the nssckbi.dll PKCS11 module. This is the builtin module that stores all the root certs and it seems to behave like a proper pkcs11 module just fine. My goal is to modify the softoken in terms of its private key handling. Thats because i have a device which stores the private key securely and it performs some private key crypto operations. I want to make the secure device available through pkcs#11. So i thought of modifing the softoken , keeping all public key and public crypto operations and modify all private key operations and storage calls to my secure device. So i dont have to spend much time to implement crypto operations like encrypt or verify, certstorage which can easily be done by the softoken. Is this a reasonable approach or am i totally wrong? Ok, now things are a little clearer. Perhaps you might instead look at encapsulating openssl to do the encryption? openssl is truly a standalone library and though its interface is poorly documented I have used it on a couple of occasions and haven't had too much trouble getting things to work. By the way though if you want to ultimately use this pkcs11 module in mozilla/netscape you don't have to implement all the other encryption stuff at all. For example I have a Dallas Semiconductor Java iButton crypto token which has a pkcs11 module. Its module implements all the attribute get/set and find stuff, initialization etc. but the only crypto is supports is C_WrapKey, C_UnwrapKey, C_GenerateKeyPair, and C_Sign. mozilla is happy with this and just uses what it needs. best regards Christoph Brueckner -- Jens B. Jorgensen [EMAIL PROTECTED]
Re: Using Softoken as standalone pkcs#11 module?
Christoph Brueckner wrote: hi Julien, thanks for your reply. Julien Pierre wrote: At this time softoken is still tied to NSS. It requires an initialization string to be passed to C_Initialize. If you can make your other applicaitons pass that string, you might be able to use it. What is the syntax of that initialization string? I couldnt find any docs regarding a init string for C_Initialize. I am looking for the documentation of that initialization string. I will post the URL here once I find it. Is this C_Initalize thing the only change which made softoken not fully PKCS#11 compatible? I think so. We proposed that extension to the PKCS #11 working group. Wan-Teh
Re: Using Softoken as standalone pkcs#11 module?
hi Julien, thanks for your reply. Julien Pierre wrote: At this time softoken is still tied to NSS. It requires an initialization string to be passed to C_Initialize. If you can make your other applicaitons pass that string, you might be able to use it. What is the syntax of that initialization string? I couldnt find any docs regarding a init string for C_Initialize. I guess this has something to do with telling softoken where the key.db and cert.db is located? Is this C_Initalize thing the only change which made softoken not fully PKCS#11 compatible? Are there any other things which make softoken not fully PKCS#11 compatible? softoken was written separately and isn't based on ckfw. Since it implements nearly all functions in the specification, making softoken use CKFW wouldn't make sense. Ok. But why does softoken and builtin module only export the C_GetFunctionList function? I thought softoken and builtin are real PKCS#11 Modules. Why don't they export functions like C_Initialize, and all the other PKCS#11 functions directly? Instead softoken exports C_GetFunctionList, NSC_GetFunctionList, FC_GetFunctionList. What is the difference between these 3 functions? My goal is to modify the softoken in terms of its private key handling. Thats because i have a device which stores the private key securely and it performs some private key crypto operations. I want to make the secure device available through pkcs#11. So i thought of modifing the softoken , keeping all public key and public crypto operations and modify all private key operations and storage calls to my secure device. So i dont have to spend much time to implement crypto operations like encrypt or verify, certstorage which can easily be done by the softoken. Is this a reasonable approach or am i totally wrong? best regards Christoph Brueckner
Using Softoken as standalone pkcs#11 module?
hi, NSS is using the softoken as internal pkcs#11 module. Is it possible to turn the softoken into a real standalone pkcs#11 module, which can be used by other applications beside Netscape/Mozilla? What is this cryptoki framework (ckfw) all about? Is it possible to integrate the softoken into the ckfw, or does the softoken largly depend on NSPR and other netscape stuff? Does someone actually integrated the softoken into the ckfw to build a standalone pkcs#11 softoken? Is there any documentation for the softoken and the ckfw. Unfortunatly i didnt find any :-( Its hard to understand ckfw and softoken without any diagramms or documentations. best regards Christoph Brueckner
Re: Using Softoken as standalone pkcs#11 module?
Christoph Brueckner wrote: hi, NSS is using the softoken as internal pkcs#11 module. Is it possible to turn the softoken into a real standalone pkcs#11 module, which can be used by other applications beside Netscape/Mozilla? What is this cryptoki framework (ckfw) all about? Is it possible to integrate the softoken into the ckfw, or does the softoken largly depend on NSPR and other netscape stuff? Does someone actually integrated the softoken into the ckfw to build a standalone pkcs#11 softoken? Is there any documentation for the softoken and the ckfw. Unfortunatly i didnt find any :-( Its hard to understand ckfw and softoken without any diagramms or documentations. best regards Christoph Brueckner At this time softoken is still tied to NSS. It requires an initialization string to be passed to C_Initialize. If you can make your other applicaitons pass that string, you might be able to use it. You may also have to use NSPR in your application for certain things like locking, as softoken uses NSPR. CKFW is a cryptoki framework. Its purpose is to provide a template for a PKCS#11 module implementation. It contains sample code for all PKCS#11 functions. It speeds up writing a PKCS#11 module by making it possible to write only a little bit of code for the PKCS#11 functions that are of interest to your module, while using the sample implementations for the rest. CKFW is used as the basis for the root certificate module, for example. It is also used in other products that ship their own PKCS#11 modules, such as Netscape Enterprise Server 6.1. softoken was written separately and isn't based on ckfw. Since it implements nearly all functions in the specification, making softoken use CKFW wouldn't make sense.