Currently, there is no way to globally install a PKCS #11 module. Starting in NSS 3.4, 
there is an underlying architecture that allows for this, but the application has to 
set it up. How you solve this problem depends on how much time you have to throw at 
the problem, and what your goals are.

The first, simplest and probably the quickest option to make this work is modify the 
PSM code that loads NSS. In that code you will find PSM loading the built-in root cert 
module explicitly. You could add your PKCS #11 module to that code. This kind of 
change is probably the quickest for you, but would not likely be picked up by the 
mozilla team (since it's product specific). This would only work on the versions of 
mozilla you modify.

The second option would be to find all the occurrences of secmod.db and explicitly add 
your module using modutil. This option is risky if an application using secmod.db is 
running. It's not as bad as modifying the cert and key databases, however, since NSS 
does not hold secmod.db open like it does other databases, so you are safe as long as 
the application isn't either 1) starting NSS up at the same time you modify the db 
file, or 2) trying to administer (adding or deleting modules) at the same time you 
modify the db file. This option will work with all versions of programs that use NSS 
(including Netscape Communicator), but only for existing profiles. New profiles would 
not get your change.

A third option, which would be more work, but be of general use for the mozilla 
community would be to write a "DB Module". 

<warning fire hose of pseudo documentation for currently undocumented portions
  of NSS>
A "DB Module" is a shared library which manages a list of PKCS #11 modules. It 
implements a single function:

char **
NSS_ReturnModuleSpecData(unsigned long function, char *parameters, void *spec)

function can be:
 SECMOD_MODULE_DB_FUNCTION_FIND  0
 SECMOD_MODULE_DB_FUNCTION_ADD   1
 SECMOD_MODULE_DB_FUNCTION_DEL   2
 SECMOD_MODULE_DB_FUNCTION_RELEASE 3

parameters are a string parameter passed down to the DB Module. The meaning of 
parameters is completely up to the DB Module (For softoken, it is a pointer to the 
directory where secmod.db lives).

spec is a parameter which depends on the function.

FUNCTION_FIND: returns a null terminated array of PKCS #11 Module Spec strings 
(described below). The spec parameter is NULL. 

FUNCTION_ADD: add a new PKCS #11 module to your database. spec is a PKCS #11 Module 
Spec for the module you wish to add. Returns NULL on failure, non-NULL on success.

FUNCTION_DELETE: remove a PKCS #11 module from your database. spec is the PKCS #11 
Module Spec string for the module you wish to delete. Returns NULL on failure, 
non-NULL on success.

FUNCTION_RELEASE: Frees the data returned from FUNCTION_FIND. spec is the pointer 
returned from FUNCTION_FIND. Returns NULL on failure, non-NULL on success.

Typical PKCS #11 Module Spec Strings would look like:

library=dkck32.dll name="DataKey SignaSURE 3600" NSS="TrustOrder=50 ciphers= "

library=swft32.dll name="Netscape Software Fortezza" 
parameters="keyfile=/u/relyea/keyfile" NSS="TrustOrder=50 ciphers=FORTEZZA 
slotParams=0x1=[slotFlags='FORTEZZA']"

library=core32.dll name="Litronic Netsign"

library=dirlist.dll name="Automatic SmartCard Loader" parameters="$(WINDIR)/PKCS11" 
NSS="Flags=pkcs11module"

At the end I'll include a more complete spec for a PKCS #11 Module Spec String.

The DB Module could read the file names out of 1) a flat file in a fixed system global 
location, 2) a known registry key (WINDOWS ONLY), or 3) a fixed system global 
directory. In case 3, you could list all the shared libraries in the directory, and look 
for additional attributes in files named {shlibname}.atr. For modules which don't have 
a .atr file the PKCS #11 Module Spec String would simply be:
library={shlibname}.DLL
(or .SO or .SHLB or whatever your platform's favorite shared library extension is).

You then submit your generic DB Module, as well as changes to automatically load 
it in mozilla (as in option 1, except this time you are specifying a generic mozilla 
component). Once this is done, your installation simply involves adding your module to 
the central list that your [now Mozilla's] generic DB Module reads from.
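As an added example (not code from NSS or from this reply), here is a minimal read-only DB Module implementing the NSS_ReturnModuleSpecData interface described above for the flat-file case of option 3; the file contents are a constructed stand-in embedded as FLAT_FILE, and the 16-entry limit and blank-line skipping are conventions of the example.

```c
#include <stdlib.h>
#include <string.h>

/* Function codes as listed above for NSS_ReturnModuleSpecData. */
#define SECMOD_MODULE_DB_FUNCTION_FIND    0
#define SECMOD_MODULE_DB_FUNCTION_ADD     1
#define SECMOD_MODULE_DB_FUNCTION_DEL     2
#define SECMOD_MODULE_DB_FUNCTION_RELEASE 3

/* Constructed stand-in for the flat file of option 3: one Module Spec String per
   line, ended by '\n', '\r\n' or '\r'; blank lines are skipped. A real DB Module
   would read the file named by 'parameters'; embedding it keeps this self-contained. */
static const char FLAT_FILE[] =
    "library=core32.dll name=\"Litronic Netsign\"\n"
    "\n"
    "library=dkck32.dll name=\"DataKey SignaSURE 3600\" NSS=\"TrustOrder=50 ciphers= \"\r\n";

/* Copy each non-empty line into a NULL-terminated array of strings (at most 16). */
static char **split_specs(const char *text) {
    char **list = calloc(17, sizeof *list);   /* 16 entries + NULL terminator */
    size_t count = 0;
    if (!list) return NULL;
    while (*text && count < 16) {
        size_t len = strcspn(text, "\r\n");   /* line ends at '\r' or '\n' */
        if (len > 0) {
            list[count] = malloc(len + 1);
            if (!list[count]) break;
            memcpy(list[count], text, len);
            list[count++][len] = '\0';
        }
        text += len + strspn(text + len, "\r\n");   /* skip the terminator(s) */
    }
    return list;
}

/* The single entry point a DB Module exports. This one is read-only: FIND lists
   the flat file, RELEASE frees that list, ADD and DEL report failure (NULL). */
char **NSS_ReturnModuleSpecData(unsigned long function, char *parameters, void *spec) {
    static char *ok[] = { NULL };   /* any non-NULL pointer signals success */
    (void)parameters;               /* would be the flat file's path in a real module */
    switch (function) {
    case SECMOD_MODULE_DB_FUNCTION_FIND:
        return split_specs(FLAT_FILE);
    case SECMOD_MODULE_DB_FUNCTION_RELEASE:
        if (!spec) return NULL;
        for (char **p = spec; *p; p++) free(*p);
        free(spec);
        return ok;
    default:                        /* ADD and DEL: not supported by a read-only list */
        return NULL;
    }
}
```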

Option 4. Go into softoken and modify its implementation of NSS_ReturnModuleSpecData 
to add strings from a globally available directory or flat file. Not as 'clean' as 
option 3, but probably quicker. Involves changes to NSS, which the NSS team would 
definitely want to review (changes here are handled in a different process than 
mozilla changes).

Hope this makes sense.

--------------------------------------

Definition of PKCS #11 Module Spec Strings
A set of name/value pairs of the form name=value.
Each name/value pair is separated by a blank value. A single line,
terminated by a '\n', '\r\n', or '\r' represents a single pkcs #11 library.

Names can be any alpha/numeric combination, and are parsed case insensitive.

Values can contain any printable ascii value, including UTF8 characters.
Values can contain embedded blanks either through quoting the entire
value, or by escaping the embedded blanks with '\'. The value is
considered quoted if the first character after the '=' is ', ", {,  [,
(, or <. If the value is quoted, then the value is terminated with an
ending quote of the form ', ", ), ], }, or > matching the respective
starting quote. Ending quotes can be escaped. Embedded '\' characters are
considered escape characters for the next character in the stream. Note
that case must be preserved in the values.

Recognized Names:

library - This specifies the path to the pkcs #11 library.
name - This specifies the name of the pkcs #11 library.
parameter - This specifies a pkcs #11 library parameter which the
application must pass to the pkcs #11 library at C_Initialize() time
(see below).
nss - This specifies NSS specific flags and info.

Other names that may be specified will be ignored by NSS.

Each of these name/value pairs is optional.

If 'library' is not specified, the line represents some application
specific meta configuration data. Other applications and libraries can
safely ignore this line.

If 'name' is not specified, the application can use the library path
to describe the pkcs #11 library in any UI it may have.

If 'parameter' is not specified, no parameters are passed to the PKCS
#11 module. Passing of parameters is nonstandard PKCS #11 behavior,
so for most modules this name will be missing.

If 'nss' is specified, its value is taken as a nested list
of name value pairs which specify NSS specific flags.

Valid names inside nss are:
flags - comma separated list of flag values, parsed case insensitive.
Valid flag values are:
    internal - this library is actually the Netscape internal library
    fips - this library is the Netscape internal fips library.
    moduleDB - this library can be queried for lists of more PKCS #11
     modules to load (the library in the library= portion is a DB Module).
    moduleDBOnly - just a DB Module (not a PKCS #11 module as well).
    critical - module must be loaded or NSS initialization will fail.
trustOrder - integer value specifying the order in which the trust
  information for certificates specified by tokens on this pkcs #11
  library should be rolled up (this option will make more sense once I
  publish the other proposal I have promised). '0' means that tokens on
  this library should not supply trust information (default). The relative
  order of two pkcs#11 libraries which have the same trustOrder value is
  undefined.
cipherOrder - integer value specifying the order in which tokens are
  searched when looking for a token to do a generic operation
  (DES/Hashing, etc).
ciphers - comma separated list of ciphers this token will enable that
  isn't already enabled by the library (currently only FORTEZZA is
  defined) (case-insensitive).
slotParams - space separated list of name/value pairs where the name is
 a slotID and the value is a space separated list of parameters related to
 that slotID. Valid name value pairs are listed below:
    askpw - specifies how to prompt for the password on this token:
        every - ask every time you need to use a key on the token.
        any - ask only when the token is not authenticated.
        timeout - ask after 'timeout' seconds since the last use of the token.
    timeout -  time before reauthentication if askpw=timeout
    slotFlags - Flags associated with this slot:
        RSA - Token should be used as the default RSA device.
        DSA - Token should be used as the default DSA device.
        RC2 - Token should be used as the default RC2 device.
        RC4 - Token should be used as the default RC4 device.
        RC5 - Token should be used as the default RC5 device.
        DES - Token should be used as the default DES device.
        DH - Token should be used as the default DH device.
        FORTEZZA - Token should be used as the default FORTEZZA device.
        SHA1 - Token should be used as the default SHA1 device.
        MD5 - Token should be used as the default MD5 device.
        MD2 - Token should be used as the default MD2 device.
        SSL - Token should be used as the default SSL device.
        TLS - Token should be used as the default TLS device.
        AES - Token should be used as the default AES device.
        PublicCerts - Public keys and Certs can be read from this
           token without authenticating.
        RANDOM - Token should be used for random number generation.
     rootFlags - trust related flags.
        hasRootCerts - token has root certs.
        hasRootTrust - token has root trust records.

For most modules, no 'nss' would be specified.

If the application/library does not find its application/library
specific data, it should use its defaults for this pkcs #11 library.

Parameter Passing:


If the parameter is specified, the application/library will strip the
value out, processing any outer quotes and escapes appropriately, and
pass the parameter to the pkcs #11 library when it calls C_Initialize().

A new CK_C_INITIALIZE_ARGS structure is defined as

typedef struct CK_C_INITIALIZE_ARGS {
  CK_CREATEMUTEX CreateMutex;
  CK_DESTROYMUTEX DestroyMutex;
  CK_LOCKMUTEX LockMutex;
  CK_UNLOCKMUTEX UnlockMutex;
  CK_FLAGS flags;
  CK_VOID_PTR LibraryParameters;
  CK_VOID_PTR pReserved;
} CK_C_INITIALIZE_ARGS;

Applications/libraries must set LibraryParameters to NULL if no
parameter value is specified. PKCS #11 libraries which accept parameters
must check if the 'new' pReserved field is NULL if and only if
LibraryParameters field is not NULL.

Sample strings:

library= name="Netscape Internal Crypto Module" 
parameters="configdir=/u/relyea/.netscape certprefix= secmod=secmod.db" 
NSS="Flags=internal,moduleDB TrustOrder=1 CipherOrder=-1 ciphers= 
slotParams={0x1=[slotFlags='RSA,DSA,DH,RC4,RC2,DES,MD2,MD5,SHA1,SSL,TLS,PublicCerts,Random']
 0x2=[slotFlags='RSA' timeout=50 askpw=any]}"

library=dkck32.dll name="DataKey SignaSURE 3600" NSS="TrustOrder=50 ciphers= "

library=swft32.dll name="Netscape Software Fortezza" 
parameters="keyfile=/u/relyea/keyfile" NSS="TrustOrder=50 ciphers=FORTEZZA 
slotParams=0x1=[slotFlags='FORTEZZA']"

library=core32.dll name="Litronic Netsign"
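To make the quoting, escaping and nesting rules above concrete, here is a small parser for the spec-string grammar as described in this message (an added example, not NSS's own parser); spec_get, next_pair, same_name and closing_quote are names chosen for the example, and values longer than the caller's buffer are truncated.

```c
#include <ctype.h>
#include <string.h>

/* Closing partner of an opening quote (' " { [ ( <), or 0 if c does not open a quote. */
static char closing_quote(char c) {
    const char *open = "'\"{[(<", *p = c ? strchr(open, c) : NULL;
    return p ? "'\"}])>"[p - open] : 0;
}

/* Names are compared case-insensitively; values keep their case. */
static int same_name(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Read the next name=value pair at *cursor. The value is copied with its outer
   quotes removed and '\' escapes resolved. Returns 1 on success, 0 at the end of
   the line or when the remaining text is not a name=value pair. */
static int next_pair(const char **cursor, char *name, size_t nsize,
                     char *value, size_t vsize) {
    const char *s = *cursor;
    size_t n = 0;
    while (*s == ' ') s++;                                   /* pairs are blank-separated */
    while (isalnum((unsigned char)*s) && n < nsize - 1) name[n++] = *s++;
    name[n] = '\0';
    if (n == 0 || *s != '=') { *cursor = s; return 0; }
    char close = closing_quote(*++s);                        /* first char after '=' decides */
    if (close) s++;
    for (n = 0; *s != '\0'; s++) {
        if (*s == '\\' && s[1] != '\0') s++;                 /* escaped: copy next char as-is */
        else if (close ? *s == close : (*s == ' ' || *s == '\n' || *s == '\r')) break;
        if (n < vsize - 1) value[n++] = *s;
    }
    value[n] = '\0';
    if (close && *s == close) s++;                           /* consume the matching end quote */
    *cursor = s;
    return 1;
}

/* Look up 'wanted' in a spec line, or in a nested list such as the nss= value, and
   copy its value to out. Returns 1 if present, 0 if not; a line where 'library' is
   absent is application meta configuration rather than a module. */
int spec_get(const char *spec, const char *wanted, char *out, size_t outsize) {
    char name[64];
    while (next_pair(&spec, name, sizeof name, out, outsize))
        if (same_name(name, wanted)) return 1;
    out[0] = '\0';
    return 0;
}
```

Calling spec_get on the nss= value, then on its slotParams value, then on a slot's bracketed list walks the nested structure one level at a time.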


Thomas Pornin wrote on Thu, 13 May 04, 3:21 AM:
> Hello, 
> 
> I have written a PKCS#11 module, which provides certificate and private 
> key storage and usage. It works with Mozilla under Linux and Windows 
> (2000, XP). Right now, if some user wants to use my module, he has to 
> open a specially crafted HTML file which contains some JavaScript which 
> "adds" the module (with pkcs11.addmodule). 
> 
> I would like to provide some system-wide installation procedure, such 
> that the machine root or administrator installs the module, which then 
> becomes automatically available and activated for all users. Is it 
> doable, and, if yes, how ? More specifically: 
> -- Will I need to modify and recompile part of Mozilla ? 
> -- Will this require a new Mozilla installation or is it plugable into 
> an existing installation ? 
> -- Will this work for all users or just for future profile creations ? 
> -- What about Thunderbird, Firefox, Netscape 7 ? 
> 
> Note that I will need this both for Windows (only the recent NT brand, 
> i.e. 2000 and XP -- the module uses functions which do not exist in 
> Windows 98 and Me) and for Linux (and other Unices). 
> 
> Thanks for all information, 
> 
> 
>     --Thomas Pornin 
> _______________________________________________ 
> mozilla-crypto mailing list 
> [EMAIL PROTECTED] 
> http://mail.mozilla.org/listinfo/mozilla-crypto 