On 11/08/2009 10:32 AM, Marc Kaeser wrote:
> Hello Robert,
>
> where can I get in touch with the NSS people you told me about? I want
> to try to do those modifications.
I'm one of them :).
>
> Now, in nsSDR, PK11GetInternalKeySlot(); adds a refcount
> (PK11ReferenceSlot()) to one of its slots ([0] or [1]), and returns
> slots[0] (or a ref to it) of the SECMODModule "InternalModule" if FIPS
> (still not exactly sure how FIPS mode works), slots[1] if not FIPS.
> But where do that InternalModule and its slots come from? I haven't
> been able to find out for the moment. Maybe after some initialization
> or something?
It's magic that knows the structure of the softoken. For what you want,
you don't need any of this. Simply store the SDR token name in the prefs
and use PK11_GetSlotByName() {warning: I often give function spellings by
memory, so the actual function spelling may be different; you'll have to
look in the header file}. You'll want to change nsSDR rather than trying
to convince NSS to present your token as the default internal token (the
latter could cause you more pain than it's worth).

The magic in PK11_GetInternalKeySlot() is that normally softoken presents 2 tokens:

1. a crypto-only, readonly token that doesn't store any data and doesn't
need a login to access. PSM will usually end up selecting this token to do
most of its crypto operations.

2. a 'database', r/w token that usually has a master password. PSM will
usually end up selecting this token to do any permanent key/cert
operations (store/lookup keys/certs, decrypt/encrypt/sign with keys in the
database). This token requires authentication to do most of these
operations.

In FIPS mode, softoken presents:

3. a single token which combines all the crypto and key/cert storage
operations. This token will require authentication for almost all
operations (rng and hashing pretty much the only exceptions).

PK11_GetInternalKeySlot returns token 2 (slot[1]) in non-FIPS mode and
token 3 (slot[0]) in FIPS mode. A companion function, which returns the
internal crypto slot, returns token 1 in non-FIPS mode and token 3 in FIPS
mode (both slot[0]).

NOTE: Even though I explained this, it's important not to try to simulate
either of these functions. In the latest version of NSS we've made some
changes so that NSS could choose a completely different softoken module as
the internal key slot.

In general, when you see PK11_GetInternalKeySlot() called, the application
is explicitly saying it is only supporting the internal softoken for
operation. In general, such places are candidates for changing to
something more generic. This is definitely one of those candidates.

bob
-- dev-tech-crypto mailing list [email protected] https://lists.mozilla.org/listinfo/dev-tech-crypto

