On 10/24/2009 12:34 AM, Marc Kaeser wrote:
> Thanks a lot,
>
> But what if I just want to "hardcode" the use of another token,
> without any ability to choose the one sdr should use? My first idea
> was to replace slot = GetInternalModule() by slot =
> GetSlotByName(const char * name); because they're declared to be of
> the same type/struct. The first is named "get...Module", the second
> "get... Slot", so I guess this is maybe because the internal module
> has just one slot with one token attached?

For Encrypt, that would be handled by taking the slot as a parameter. Then your application would have an opportunity to use PK11_GetSlotByName() to acquire the slot you wanted to hard code. For Decrypt, that would be the reason for providing a function that allowed you to specify the slot to

> Another idea would be to replace the internal token by an Opencryptoki
> token (IBM Trousers -> TPM), if available. Check if available; if no,
> use the software token; if yes, use opencryptoki -> Trousers -> TPM by
> default, without the ability to choose. By default, use
> Opencryptoki/the TPM. If there is none, continue to use the NSS
> software one. That would be transparent and older applications would
> still work, if there's no need to choose a token, and if the app
> doesn't use pkcs11 functions that are not implemented in Trousers.

Coding that kind of specific logic into NSS itself would likely not be accepted upstream, but the application could still code that logic in itself if it wanted, using an API that allows the application to specify a slot to use for encrypt.

> At that point, my goal is to achieve that the TPM takes care of my
> keys instead of NSS's softtoken, in the simplest possible way, so
> mozStorage uses TPM-protected keys to encrypt/decrypt in Firefox. I
> wonder if it would be a better idea to use IBM's Trousers API inside
> the softtoken libraries instead of trying to use pkcs11/opencryptoki
> to access the TPM via Trousers with NSS, and replace the softtoken. So
> I wouldn't have to fix anything in NSS, just tell the softtoken to use
> the API to "hide" its keys in the TPM if one is available. What do you
> think? Which way would be the fastest/simplest to implement?

Are you talking about your own specific version of Firefox, where you don't care about getting updates, or do you want this as a generally available feature in Firefox? The NSS team is not likely to accept a patch that hard codes any tokens in NSS itself.

In fact, Mozilla isn't likely to either, so your best bet is to figure out a preference that the user sets to get access to the SDR key for encryption, then provide patches similar to what I described for NSS. This will require more interaction with the NSS and PSM teams, but the result is something that would be beneficial to a much wider audience, and thus more likely to be accepted (or even lobbied for :)... and the work to do that will almost certainly be less than trying to stay in sync with various new releases of NSS and Firefox.

bob

> Marc
>
> "Robert Relyea" <[email protected]> wrote in the news posting
> news:[email protected]...
-- dev-tech-crypto mailing list [email protected] https://lists.mozilla.org/listinfo/dev-tech-crypto

