Hi all
We are trying to connect a WIM (WAP Identifier Module) smart card, using opensc software based.
We have already managed populating all certificates, keys, PIN objects in mozilla databases and run a sign text, or a client authentication.
We have registered TLS and SSL mechanisms in our module, but until now, we have not found the solution, to force Mozilla SLL/TLS module to use external plug in instead of internal module to generate the randow and key materials for TLS/SSL handshaking. We would like Mozilla SLL/TLS to continue to use internal module for symetrical cryptography operation (DES, RC2 ...)
Please could you help us: there are some PKCS11 FAQ not very clear about this subject: is there a solution ?
======= Our plugin provides several slots with different capabilities. For example, one does all the hashing/symmetric operations, while another does only asymmetric RSA operations. Can this kind of division lead to problems?
The only issue is dealing with keys. For example, if the RSA slot unwraps a key, Communicator needs to move that key to a slot that can do the symmetric operations. Communicator itself uses two tokens internally--one that provides generic cryptographic services without authentication, and one that provides operations based on the keys stored in the user's database and do need authentication. Communicator does this to avoid having to prompt for a password when performing an RSA verify operation, DES encryption, and so on. Therefore, Communicator can move keys around when necessary and possible.
In general, you should use different slots unless you have a good reason. Much of Communicator's token selection is based on where the key involved is currently stored. If the token that has your private keys doesn't also do symmetric operations, for example, it's likely that the internal token will end up doing the symmetric operations.
If multiple PKCS #11 modules are loaded, how does Communicator determine which ones to use for the mechanisms required by SSL?
Communicator uses the first slot it finds that can perform all the required operations. On servers, it's always the slot that contains the server's private key.
If I have a multipurpose token that supports all required PKCS #11 functions and provides RSA_KCS and DSA mechanisms but only provides the SKIPJACK_CBC64 mechanism for encryption and no DES or RC4, will Communicator use the token for the RSA_PKCS mechanisms and the internal Netscape PKCS #11 module for DES or RC4 for an SSL connection?
Once Communicator starts using a token for a given operation (like S/MIME or SSL), it works hard to keep using that same token (so keys don't get moved around). Symmetric operations supported by Communicator include the following: CKM_DES2_XXX, CKM_DES_XXX, CKM_RC2_XXX. Communicator knows about all the mechanisms defined in PKCS #11 version 2.01, but will not perform those that aren't defined by Communicator's policy mechanism.
Regards
Hubert
__________________________________________________
__________________________________________________
Hubert HELAINE
NEC Technologies (UK) Ltd FMDC
E-mail : [EMAIL PROTECTED]
__________________________________________________
