On 11/06/2014 04:08 PM, Mike Gerow wrote:
> Thanks for the quick reply! I can see how caching the PIN would have its issues, but I'm not interested in having NSS ask for the PIN once and save it, but in configuring it to just use a provided PIN in the first place.

Still has the same issue, if you configure a pin, but don't tie it to a token (rather than a slot), you could have that pin applied to the wrong device. The functionality you described above is what servers do (the user configures the password for a set of tokens beforehand, not automatic pin caching).

> As I think about this more, though, I guess the solution might lie on the PKCS#11 module side instead of in NSS, in that the token shouldn't have its CKF_LOGIN_REQUIRED flag set (and of course be configured so as not to require C_Login to be called before doing cryptographic operations).

You are correct. If you don't have CKF_LOGIN_REQUIRED set, NSS won't prompt for the password. That's how NSS keeps from getting password prompts when doing raw SSL (the internal crypto services slot is separate from the database slot and doesn't require a password). In FIPS mode you will get password prompts when doing raw SSL.

> But now my problem is that I have to convince opencryptoki to do something it probably doesn't want to :-). Oh well, thanks again for cluing me in.

No problem

bob
-- dev-tech-crypto mailing list [email protected] https://lists.mozilla.org/listinfo/dev-tech-crypto

