Carlos Cid wrote:
>
> Hello there,
>
> We have been working on the development of a hardware accelerator to work
> with Netscape/iPlanet products and I have two questions:
>
> 1) We have been able to hack NSS in order to make it use the functions we
> provide instead. In the early stages of development we wish to test it with
> iPlanet servers. Is it possible to "substitute" Netscape built-in NSS by
> ours? We thought it would be a matter of relinking the libraries, but we
> were unable to find the original ones. And even if we can add our NSS to
> netscape (or iPlanet servers), how can we be sure that it is in fact using
> our libraries and not the native ones?
You won't be able to relink the iPlanet servers. You cannot substitute a
new NSS for the one linked into existing iPlanet servers. Even if you
could, I think that's the wrong approach. You don't want to substitute
all of NSS. You just want to substitute your crypto implementation.
> 2) Our aim is to develop a PKCS#11 module for our product.
Bingo. That's exactly the right approach. All existing iPlanet servers
that do SSL will work with a new PKCS#11 module without any modification
to the servers.
> Would we be able
> to obtain such a module from NSS? I mean, have only the PKCS#11 libraries
> "extracted" from NSS, without all the other stuff (or at least a base for
> the module), and then adding it as a PKCS#11 module to the server using
> modutil? If yes, how? Someone has already asked a similar question, but
> the answer was not very clear (it was just said that it was possible).
NSS already contains sources for several different stand-alone PKCS#11
modules. Look in nss/lib/swfort/ and nss/lib/ckfw/builtins.
And NSS has some new code (lib/ckfw and lib/base) that is intended to
be a "framework" for new PKCS#11 modules. The PKCS#11 module in
lib/ckfw/builtins uses it, if I'm not mistaken.
> Thanks a lot
>
> Carlos
(Please continue to post all follow up questions to this newsgroup)
--
Nelson Bolyard