Hi, I've been debugging openCryptoki for compatibility problems with Mozilla NSS, and I noted that, when creating a certificate using certutil, Mozilla NSS tries to create a token object with CKA_CLASS=0xce534353, which is the 'vendor defined' class CKO_NSS_TRUST, defined as ((CKO_VENDOR_DEFINED|NSSCK_VENDOR_NSS) + 3).
This breaks openCryptoki as it is not expecting to be able to create custom objects (via C_CreateObject) using a 'vendor defined' class type (but only CKO_DATA objects apparently). Checking the spec (particularly v2.11, which ock implements), it reads: "Object classes CKO_VENDOR_DEFINED and above are permanently reserved for token vendors."

So at first impression it seems to me that ock's interpretation was right: vendor-defined classes should be reserved for token vendors (i.e., the ones implementing the interface), and not for any client library to create its own.

Comments? Does anyone know how other PKCS#11 libraries address this? (particularly the ones which are compatible with Mozilla NSS)

Thanks,
-Klaus

--
Klaus Heinrich Kiwi | [email protected] | http://blog.klauskiwi.com
Open Source Security blog : http://www.ratliff.net/blog
IBM Linux Technology Center : http://www.ibm.com/linux/ltc

_______________________________________________
Opencryptoki-tech mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/opencryptoki-tech
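The following is an added illustration of the point under discussion, not code from the post, from openCryptoki or from NSS. It shows how a PKCS#11 module's C_CreateObject path can extract CKA_CLASS from the caller's template, check the attribute's size, and decide whether a class in the reserved vendor range (CKO_VENDOR_DEFINED and above) is accepted. It also derives NSS's CKO_NSS_TRUST value from its definition to confirm it is the 0xce534353 seen in the debugging session. To build without pkcs11.h, the types and constants are redefined here in simplified form (values follow the PKCS#11 v2.11 header and NSS's pkcs11n.h); the function names, the `class_kind` enum and the `allow_vendor_classes` policy switch are assumptions made for this example, and the template in `main` is constructed by hand.

```c
/* Added example (not openCryptoki or NSS code): classifying the CKA_CLASS
 * value a client passes to C_CreateObject. Types and constants are
 * redefined here so this file builds stand-alone without pkcs11.h; the
 * numeric values are those of the PKCS#11 v2.11 header and NSS's pkcs11n.h. */
#include <stddef.h>
#include <stdio.h>

typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_OBJECT_CLASS;
typedef CK_ULONG CK_ATTRIBUTE_TYPE;
typedef CK_ULONG CK_RV;

typedef struct {
    CK_ATTRIBUTE_TYPE type;
    void *pValue;
    CK_ULONG ulValueLen;
} CK_ATTRIBUTE;

#define CKA_CLASS             0x00000000UL
#define CKO_DATA              0x00000000UL
#define CKO_CERTIFICATE       0x00000001UL
#define CKO_PUBLIC_KEY        0x00000002UL
#define CKO_PRIVATE_KEY       0x00000003UL
#define CKO_SECRET_KEY        0x00000004UL
#define CKO_HW_FEATURE        0x00000005UL
#define CKO_DOMAIN_PARAMETERS 0x00000006UL   /* last standard class in v2.11 */
#define CKO_VENDOR_DEFINED    0x80000000UL

#define CKR_OK                      0x00UL
#define CKR_ATTRIBUTE_VALUE_INVALID 0x13UL
#define CKR_TEMPLATE_INCOMPLETE     0xD0UL

/* NSS's vendor prefix ("NSCP") and the trust-object class derived from it,
 * as in NSS's pkcs11n.h: CKO_NSS_TRUST = (CKO_VENDOR_DEFINED|NSSCK_VENDOR_NSS) + 3 */
#define NSSCK_VENDOR_NSS 0x4E534350UL
#define CKO_NSS          (CKO_VENDOR_DEFINED | NSSCK_VENDOR_NSS)
#define CKO_NSS_TRUST    (CKO_NSS + 3)

/* Result of inspecting a class value (enum name is an assumption of this example). */
typedef enum {
    CLASS_STANDARD,   /* a class the spec defines */
    CLASS_VENDOR,     /* CKO_VENDOR_DEFINED or above: reserved for token vendors */
    CLASS_UNKNOWN     /* below the vendor range but not defined by the spec */
} class_kind;

/* Pull CKA_CLASS out of a template. A missing attribute is
 * CKR_TEMPLATE_INCOMPLETE; a NULL or mis-sized value is
 * CKR_ATTRIBUTE_VALUE_INVALID rather than being read anyway. */
CK_RV template_get_class(const CK_ATTRIBUTE *tmpl, CK_ULONG count,
                         CK_OBJECT_CLASS *out)
{
    for (CK_ULONG i = 0; i < count; i++) {
        if (tmpl[i].type != CKA_CLASS)
            continue;
        if (tmpl[i].pValue == NULL ||
            tmpl[i].ulValueLen != sizeof(CK_OBJECT_CLASS))
            return CKR_ATTRIBUTE_VALUE_INVALID;
        *out = *(const CK_OBJECT_CLASS *)tmpl[i].pValue;
        return CKR_OK;
    }
    return CKR_TEMPLATE_INCOMPLETE;
}

class_kind classify_object_class(CK_OBJECT_CLASS cls)
{
    if (cls & CKO_VENDOR_DEFINED)      /* high bit set: the reserved vendor range */
        return CLASS_VENDOR;
    return cls <= CKO_DOMAIN_PARAMETERS ? CLASS_STANDARD : CLASS_UNKNOWN;
}

/* Policy hook (assumed for this example): allow_vendor_classes == 0 rejects
 * vendor classes, which is ock's reading of the spec; == 1 stores them
 * opaquely, which is what NSS needs for CKO_NSS_TRUST. */
CK_RV check_create_object_class(const CK_ATTRIBUTE *tmpl, CK_ULONG count,
                                int allow_vendor_classes)
{
    CK_OBJECT_CLASS cls;
    CK_RV rv = template_get_class(tmpl, count, &cls);
    if (rv != CKR_OK)
        return rv;
    switch (classify_object_class(cls)) {
    case CLASS_STANDARD: return CKR_OK;
    case CLASS_VENDOR:   return allow_vendor_classes ? CKR_OK
                                                     : CKR_ATTRIBUTE_VALUE_INVALID;
    default:             return CKR_ATTRIBUTE_VALUE_INVALID;
    }
}

int main(void)
{
    /* Constructed template shaped like the one certutil's NSS call sends. */
    CK_OBJECT_CLASS cls = CKO_NSS_TRUST;
    CK_ATTRIBUTE tmpl[] = { { CKA_CLASS, &cls, sizeof(cls) } };

    printf("CKO_NSS_TRUST   = 0x%lx\n", (unsigned long)CKO_NSS_TRUST);
    printf("strict module   rv = 0x%lx\n",
           (unsigned long)check_create_object_class(tmpl, 1, 0));
    printf("lenient module  rv = 0x%lx\n",
           (unsigned long)check_create_object_class(tmpl, 1, 1));
    return 0;
}
```

Whichever policy a module picks, the size check in `template_get_class` is the part worth keeping: a client can send CKA_CLASS with any `ulValueLen`, and reading a `CK_OBJECT_CLASS` out of a shorter buffer is the kind of mistake that turns a compatibility question into a memory-safety one.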
