Re: Fwd: debug PKCS11

2016-11-18 Thread Robert Relyea

On 11/18/2016 12:49 AM, Alexei Mayanov wrote:

Hello! I'm developing a PKCS11 library for my device. This library is based
on pkcs11-proxy (https://github.com/SUNET/pkcs11-proxy). It works well with
different apps, but with Firefox I can't log in with a client certificate to
the test site. Firefox doesn't present me the list of certificates on the
device. I made a log of calls of PKCS11 API functions from my library and
can't determine the reason for the problem. And I don't know what is happening
inside NSS that causes the problems. Is it possible to enable some debug
info in the NSS library that Firefox uses? Thanks in advance!

Hmm,
Have you installed the PKCS #11 module in Firefox?

   If not, go to the advanced preferences
   (about:preferences#advanced) and click the 'security devices'
   button, then click the 'Load' button.

If so, does it show up in the security devices dialog 
(about:preferences#advanced)?


   If not, it means NSS couldn't load your PKCS #11 module. Usually the
   dlopen failed for some reason, though it could be that NSS opened the
   module but had some issues initializing it. If you are getting into
   your C_GetFunctionList() function, then the dlopen worked fine. NSS
   will then call C_Initialize(), and then the normal C_GetSlots, etc.

If so, does it show that the device is present?

   If your module is loaded, it should show the slots in the security
   devices dialog (if not, your module did not give NSS any slots). You
   can click on the slots to see the status of each slot. If there is a
   card plugged in, the status should be present. If not, the status
   should be not present. If NSS had an error initializing the slot,
   it should show a status of disabled. The latter means that NSS
   couldn't get everything it needs for the slot to be useful (like
   being able to create a session). Errors here are usually problems
   with session management in the token.

If so, do you get a password prompt for your device if you bring up the 
cert dialog?


   If not (and your token is present), it means that you probably
   didn't mark your token as requiring a password properly, or you told
   NSS you were already logged in (again session management). NOTE:
   this may be OK if you don't require a password to find the keys on
   your token. For most tokens, though, this will cause a problem.

If password handling is OK, do you see any certs from your token in the 
cert dialog?


   Be sure to check all the tabs (particularly 'Your Certificates' and
   'Others'). If no certificates are showing up, then there is probably
   something wrong with your C_FindObject* functions. If the
   certificates are showing up under 'Others' and not 'Your
   Certificates', then there is probably something wrong with your link
   of certificates to keys, or your ability to match private keys.
   Certificates which have keys associated with them should have a
   CKA_ID attribute which matches the CKA_ID of the private key
   associated with the certificate. NSS will look up the CKA_ID from the
   cert and then search for a private key with that same CKA_ID. If it
   finds that key, it will mark it as a 'user' certificate. Only 'user'
   certificates show up in 'Your Certificates' and only 'Your
   Certificates' are used in SSL client auth operations.


If all this is working, you probably aren't dealing with an issue with 
your module, but a configuration issue with the server and Firefox.


Best regards,
Alex



--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
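
The CKA_ID linkage described in the reply above can be checked against a module's own object list before involving Firefox. This is an added example, not code from the thread or from NSS: it models the rule (a certificate is a 'user' certificate only if a private key has the same CKA_ID) over a constructed object table. The struct, the sample data, and treating an empty CKA_ID as unlinked are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

/* Object class values as defined in the PKCS #11 header pkcs11t.h. */
#define CKO_CERTIFICATE 1UL
#define CKO_PRIVATE_KEY 3UL

/* Hypothetical record: one object as a module would expose it. */
struct p11_obj {
    unsigned long cls;      /* CKA_CLASS */
    const char *label;      /* CKA_LABEL, used only in the report */
    unsigned char id[8];    /* CKA_ID value */
    size_t id_len;          /* CKA_ID length in bytes */
};

/* Constructed sample data, including two common linkage mistakes. */
static const struct p11_obj sample[] = {
    { CKO_CERTIFICATE, "cert-ok",      {0x01, 0x02},       2 },
    { CKO_PRIVATE_KEY, "key-ok",       {0x01, 0x02},       2 },
    { CKO_CERTIFICATE, "cert-padded",  {0x0A, 0x0B, 0x00}, 3 },
    { CKO_PRIVATE_KEY, "key-unpadded", {0x0A, 0x0B},       2 },
    { CKO_CERTIFICATE, "cert-no-id",   {0},                0 },
};
#define SAMPLE_COUNT (sizeof sample / sizeof sample[0])

/* Returns 1 if some private key carries exactly the same CKA_ID bytes
 * (same length, same content) as the certificate at cert_idx, else 0. */
int cert_has_key(const struct p11_obj *objs, size_t n, size_t cert_idx)
{
    const struct p11_obj *c = &objs[cert_idx];
    if (c->cls != CKO_CERTIFICATE || c->id_len == 0)
        return 0;   /* not a cert, or empty CKA_ID (treated as unlinked) */
    for (size_t i = 0; i < n; i++) {
        if (objs[i].cls == CKO_PRIVATE_KEY &&
            objs[i].id_len == c->id_len &&
            memcmp(objs[i].id, c->id, c->id_len) == 0)
            return 1;
    }
    return 0;
}

int main(void)
{
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        if (sample[i].cls == CKO_CERTIFICATE)
            printf("%-12s -> %s\n", sample[i].label,
                   cert_has_key(sample, SAMPLE_COUNT, i)
                       ? "Your Certificates" : "Others");
    return 0;
}
```

The padded case is worth noting: a CKA_ID that differs only by a trailing byte or by length is a different ID, so the certificate lands under 'Others'.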


debug PKCS11

2016-11-18 Thread Alexei Mayanov
Hello! I'm developing a PKCS11 library for my device. It works well with
different apps, but with Firefox I can't log in with a client certificate to
the test site. Firefox doesn't present me the list of certificates on the
device. I made a log of calls of PKCS11 API functions from my library and can't
determine the reason for the problem. Is it possible to enable some debug info
in the NSS library that Firefox uses?

Best regards,
Alex


Fwd: debug PKCS11

2016-11-18 Thread Alexei Mayanov
Hello! I'm developing a PKCS11 library for my device. This library is based
on pkcs11-proxy (https://github.com/SUNET/pkcs11-proxy). It works well with
different apps, but with Firefox I can't log in with a client certificate to
the test site. Firefox doesn't present me the list of certificates on the
device. I made a log of calls of PKCS11 API functions from my library and
can't determine the reason for the problem. And I don't know what is happening
inside NSS that causes the problems. Is it possible to enable some debug
info in the NSS library that Firefox uses? Thanks in advance!

Best regards,
Alex