Thanks again for your explanation and hints. So the first good point is that
it is possible to access the NSS Database with the OpenSSL library.

I will take a look into the hints you gave me like curl, wpa_supplicant,
etc.

2016-11-03 16:58 GMT+01:00 David Woodhouse <dw...@infradead.org>:

> On Thu, 2016-11-03 at 13:41 +0100, Matthias B. wrote:
> > Thanks for the reply and thanks for the information, but is there a way to
> > access the NSS (shared) Database with OpenSSL in C++? The code you
> > told me is using the binary files. So first I want a solution for
> > accessing it in C++ code. Is it possible in an (easy) way?
>
> Sure. I gave command-line examples because they're fairly trivial, but
> they were pointing you in the right direction.
>
> For read-only access (using certs and keys which exist in the NSS db),
> you can use the PKCS#11 engine. Look in curl, wpa_supplicant, and other
> things for examples. It goes something like:
>
>  ENGINE *e = ENGINE_by_id("pkcs11");
>  ENGINE_init(e);
>  EVP_PKEY *pkey = ENGINE_load_private_key(e, "pkcs11:...", ...);
>
> Using the LOAD_CERT_CTRL engine command is slightly more complex but
> I'll leave that as an exercise for the reader. Again, examples in curl,
> wpa_supplicant, etc.
>
> For writing to the token, you're going to want to use libp11 directly.
>
> Note that my trivial example made use of p11-kit. That's how we do the
> system-wide configuration on Linux of which PKCS#11 tokens should be
> visible to which processes. The engine will load p11-kit-proxy.so by
> default, and thus load (and proxy, as the name implies) all the tokens
> indicated by the system configuration. My 'nss.config' file that I
> showed first was the per-user configuration which asked it to load the
> NSS softokn module.
>
> For your special case, you might want to load the NSS softokn module
> *directly* instead of going through p11-kit. In which case, make sure
> you use PKCS11_CTX_init_args() to set the arguments that point it to
> the correct database directory, etc.
>
> --
> dwmw2
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
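
The `"pkcs11:..."` argument in the quoted `ENGINE_load_private_key()` call is a PKCS#11 URI (RFC 7512), and labels containing spaces or `;` must be percent-encoded or the URI will not select the intended object. The following is an added example, not code from either message: the helper names are hypothetical, and the token label "NSS Certificate DB" and object label "client;key" are constructed sample values assumed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* RFC 7512: unreserved chars plus pk11-path-res-avail stay literal in a
 * path attribute value; everything else (space, ';', '/', '%') is %XX. */
static int p11_plain(unsigned char c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') ||
           (c != 0 && strchr("-._~:[]@!$'()*+,=&", c) != NULL);
}

/* Append s to out, percent-encoding when encode != 0. Returns -1 on overflow. */
static int p11_put(char *out, size_t cap, size_t *len, const char *s, int encode)
{
    static const char hex[] = "0123456789ABCDEF";
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (*len + 4 > cap)   /* conservative: room for %XX plus the NUL */
            return -1;
        if (!encode || p11_plain(c)) {
            out[(*len)++] = (char)c;
        } else {
            out[(*len)++] = '%';
            out[(*len)++] = hex[c >> 4];
            out[(*len)++] = hex[c & 15];
        }
        out[*len] = '\0';
    }
    return 0;
}

/* Build "pkcs11:token=<label>;object=<label>;type=private" (hypothetical helper). */
int p11_key_uri(char *out, size_t cap, const char *token, const char *object)
{
    size_t len = 0;
    return (p11_put(out, cap, &len, "pkcs11:token=", 0) ||
            p11_put(out, cap, &len, token, 1) ||
            p11_put(out, cap, &len, ";object=", 0) ||
            p11_put(out, cap, &len, object, 1) ||
            p11_put(out, cap, &len, ";type=private", 0)) ? -1 : 0;
}

int main(void)
{
    char uri[128];   /* labels below are constructed sample values */
    return p11_key_uri(uri, sizeof uri, "NSS Certificate DB", "client;key") || puts(uri) < 0;
}
```

The resulting string is what would be passed as the key identifier in the engine call quoted above; on overflow the helper fails rather than handing the engine a truncated URI.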