On 01/08/2010 05:10 PM, Robert Relyea wrote:
> NSS needs attributes that are not defined by PKCS #11. It uses these
> attributes in its own PKCS #11 modules. You are free to return
> CKR_INVALID_ATTRIBUTE when you see these attributes (which is what you
> should return). NSS should be able to deal with that. If not let me
> know. (Most likely NSS will choose another token that supports this
> object and store it there).
>
> NOTE: In general, if NSS asks you to do something that you do not
> support, it is not necessarily an error for you to return that the
> request was not valid. NSS will switch to a different token in those
> cases. NSS depends on the PKCS #11 module properly signalling that it
> can't do something (or the session has been destroyed, or any number of
> other error conditions) rather than trying to build complex matrices of
> possible fail conditions and always asking for operations it expects to
> work.
Given what you just said, openCryptoki seems to be correctly returning
CKR_TEMPLATE_INCOMPLETE when NSS is trying to C_CreateObject() with
vendor-defined object classes. In our traces we see NSS querying and trying
to create objects using CKO_NSS all the time, so I was expecting this to be
the reason behind some of our compatibility problems, but looking more
closely now it seems it doesn't relate.

The issue I'm seeing, in case anyone is interested: I can create
self-signed certificates (certutil -S ... -x) but fail at creating a cert
signed by another CA cert in my database (certutil -S ... -c 'nickname').

--- output ---
[r...@popcorn klausk]# certutil -S -d test-nssdb/ -h mytoken -n TestCert5 -s "cn=popcorn.ltc.austin.ibm.com,o=ibm,ou=ibm,c=us" -t u,u,u -c dummyCAcert3
Enter Password or Pin for "mytoken":
<..snip..>
Finished. Press enter to continue:
Generating key. This may take a few moments...
certutil: could not find certificate named "dummyCAcert3": security library: bad database.
certutil: unable to create cert (security library: bad database.)
---- end ----

Traces show that C_GenerateKeyPair() succeeds, but then, after querying
for the modulus and setting CKA_ID for both keys, NSS apparently tries to
sign something using the (newly generated) private key handle (isn't that
odd?). Everything returns CKR_OK but NSS goes to CloseAllSessions and
C_Finalize(), returning the above message.

Any clues?
Thanks,

-Klaus

--
Klaus Heinrich Kiwi | [email protected] | http://blog.klauskiwi.com
Open Source Security blog : http://www.ratliff.net/blog
IBM Linux Technology Center : http://www.ibm.com/linux/ltc

_______________________________________________
Opencryptoki-tech mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/opencryptoki-tech
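Added example (not openCryptoki or NSS code) of the contract the quoted reply describes, in C, from both sides: a token-side check of a C_CreateObject() template that signals an unsupported attribute type, an unsupported (vendor-defined) object class or a missing required attribute with a precise return code instead of silently accepting or dropping anything, and the caller-side fallback that offers the object to each token in turn and keeps it in the first one that answers CKR_OK. The CK_* values are the standard PKCS #11 v2.x ones; the CKO_NSS/CKA_NSS values are assumed to match NSS's nssckt.h, and CKR_ATTRIBUTE_TYPE_INVALID is presumably what the reply calls CKR_INVALID_ATTRIBUTE. nss_aware_check(), pick_token() and the sample templates are constructed for illustration and are not anyone's real module. Returning CKR_ATTRIBUTE_VALUE_INVALID for an unknown class is a design choice here; the thread reports openCryptoki returning CKR_TEMPLATE_INCOMPLETE in the same situation, and either satisfies the "just say no" rule.

```c
#include <stddef.h>
#include <stdio.h>

typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_RV, CK_ATTRIBUTE_TYPE, CK_OBJECT_CLASS;
typedef struct { CK_ATTRIBUTE_TYPE type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;

/* Standard PKCS #11 v2.x values (as in pkcs11t.h). */
#define CKR_OK                      0x00UL
#define CKR_ATTRIBUTE_TYPE_INVALID  0x12UL
#define CKR_ATTRIBUTE_VALUE_INVALID 0x13UL
#define CKR_TEMPLATE_INCOMPLETE     0xD0UL
#define CKA_CLASS            0x000UL
#define CKA_TOKEN            0x001UL
#define CKA_LABEL            0x003UL
#define CKA_VALUE            0x011UL
#define CKA_CERTIFICATE_TYPE 0x080UL
#define CKA_KEY_TYPE         0x100UL
#define CKA_ID               0x102UL
#define CKA_VENDOR_DEFINED   0x80000000UL
#define CKO_DATA             0x0UL
#define CKO_CERTIFICATE      0x1UL
#define CKO_PRIVATE_KEY      0x3UL
#define CKO_VENDOR_DEFINED   0x80000000UL
#define CKC_X_509            0x0UL
/* NSS vendor values; assumed to match NSS's nssckt.h. */
#define NSSCK_VENDOR_NSS 0x4E534350UL
#define CKO_NSS          (CKO_VENDOR_DEFINED | NSSCK_VENDOR_NSS)
#define CKO_NSS_TRUST    (CKO_NSS + 3)
#define CKA_NSS          (CKA_VENDOR_DEFINED | NSSCK_VENDOR_NSS)
#define CKA_NSS_URL      (CKA_NSS + 1)

static const CK_ATTRIBUTE *find_attr(const CK_ATTRIBUTE *t, CK_ULONG n, CK_ATTRIBUTE_TYPE type) {
    for (CK_ULONG i = 0; i < n; i++) if (t[i].type == type) return &t[i];
    return NULL;
}

/* Token side: what a module that does not know the NSS vendor objects should do
 * with a C_CreateObject template. Nothing is ignored or silently dropped; the
 * return code tells the caller exactly why the object cannot live here. */
CK_RV check_create_template(const CK_ATTRIBUTE *t, CK_ULONG n) {
    static const CK_ATTRIBUTE_TYPE known[] = { CKA_CLASS, CKA_TOKEN, CKA_LABEL, CKA_VALUE,
                                               CKA_CERTIFICATE_TYPE, CKA_KEY_TYPE, CKA_ID };
    for (CK_ULONG i = 0; i < n; i++) {                /* unknown attribute type, e.g. any CKA_NSS_* */
        int ok = 0;
        for (size_t k = 0; k < sizeof known / sizeof known[0]; k++) ok |= (t[i].type == known[k]);
        if (!ok) return CKR_ATTRIBUTE_TYPE_INVALID;
    }
    const CK_ATTRIBUTE *c = find_attr(t, n, CKA_CLASS);  /* CKA_CLASS is mandatory */
    if (!c || !c->pValue || c->ulValueLen != sizeof(CK_OBJECT_CLASS)) return CKR_TEMPLATE_INCOMPLETE;
    CK_OBJECT_CLASS cls = *(const CK_OBJECT_CLASS *)c->pValue;
    if (cls & CKO_VENDOR_DEFINED) return CKR_ATTRIBUTE_VALUE_INVALID;  /* e.g. CKO_NSS_TRUST */
    switch (cls) {                                     /* per-class required attributes */
    case CKO_DATA:        return CKR_OK;
    case CKO_CERTIFICATE: return (find_attr(t, n, CKA_CERTIFICATE_TYPE) && find_attr(t, n, CKA_VALUE))
                                 ? CKR_OK : CKR_TEMPLATE_INCOMPLETE;
    case CKO_PRIVATE_KEY: return find_attr(t, n, CKA_KEY_TYPE) ? CKR_OK : CKR_TEMPLATE_INCOMPLETE;
    default:              return CKR_ATTRIBUTE_VALUE_INVALID;
    }
}

/* Hypothetical stand-in for a module that does understand the NSS objects (as
 * NSS's own softoken does): CKO_NSS_* classes are accepted outright and CKA_NSS_*
 * attributes are stripped before the ordinary rules above are applied. */
CK_RV nss_aware_check(const CK_ATTRIBUTE *t, CK_ULONG n) {
    const CK_ATTRIBUTE *c = find_attr(t, n, CKA_CLASS);
    if (c && c->pValue && c->ulValueLen == sizeof(CK_OBJECT_CLASS) &&
        *(const CK_OBJECT_CLASS *)c->pValue - CKO_NSS < 16UL) return CKR_OK;
    CK_ATTRIBUTE plain[16]; CK_ULONG m = 0;
    for (CK_ULONG i = 0; i < n && m < 16; i++)
        if (t[i].type - CKA_NSS >= 0x10000UL) plain[m++] = t[i];   /* unsigned wrap: keeps non-NSS types */
    return check_create_template(plain, m);
}

typedef CK_RV (*create_object_fn)(const CK_ATTRIBUTE *, CK_ULONG);

/* Caller side, the behaviour the quoted reply describes: offer the object to
 * each token in turn and keep it in the first that says CKR_OK. Any other code
 * simply means "not here", so the caller never has to predict token abilities.
 * Returns the index of the accepting token, or -1 if none took it. */
int pick_token(const create_object_fn *tokens, int ntokens, const CK_ATTRIBUTE *t, CK_ULONG n) {
    for (int i = 0; i < ntokens; i++) if (tokens[i](t, n) == CKR_OK) return i;
    return -1;
}

/* Constructed sample templates (not taken from the thread's traces). */
static CK_OBJECT_CLASS cls_cert = CKO_CERTIFICATE, cls_trust = CKO_NSS_TRUST;
static CK_ULONG ctype = CKC_X_509;
static unsigned char der[] = { 0x30, 0x03, 0x02, 0x01, 0x01 };  /* placeholder bytes, not a real cert */
static char url[] = "http://example.invalid/";

CK_RV demo_cert_ok(void) {
    CK_ATTRIBUTE t[] = { {CKA_CLASS, &cls_cert, sizeof cls_cert}, {CKA_CERTIFICATE_TYPE, &ctype, sizeof ctype},
                         {CKA_VALUE, der, sizeof der} };
    return check_create_template(t, 3);                       /* CKR_OK */
}
CK_RV demo_cert_missing_value(void) {
    CK_ATTRIBUTE t[] = { {CKA_CLASS, &cls_cert, sizeof cls_cert}, {CKA_CERTIFICATE_TYPE, &ctype, sizeof ctype} };
    return check_create_template(t, 2);                       /* CKR_TEMPLATE_INCOMPLETE */
}
CK_RV demo_vendor_attr(void) {
    CK_ATTRIBUTE t[] = { {CKA_CLASS, &cls_cert, sizeof cls_cert}, {CKA_CERTIFICATE_TYPE, &ctype, sizeof ctype},
                         {CKA_VALUE, der, sizeof der}, {CKA_NSS_URL, url, sizeof url - 1} };
    return check_create_template(t, 4);                       /* CKR_ATTRIBUTE_TYPE_INVALID */
}
CK_RV demo_vendor_class(void) {
    CK_ATTRIBUTE t[] = { {CKA_CLASS, &cls_trust, sizeof cls_trust} };
    return check_create_template(t, 1);                       /* CKR_ATTRIBUTE_VALUE_INVALID */
}
int demo_fallback(void) {                                     /* the NSS trust object lands on token 1 */
    const create_object_fn tokens[] = { check_create_template, nss_aware_check };
    CK_ATTRIBUTE t[] = { {CKA_CLASS, &cls_trust, sizeof cls_trust} };
    return pick_token(tokens, 2, t, 1);
}

int main(void) {
    printf("cert ok: 0x%lx, missing value: 0x%lx, vendor attr: 0x%lx, vendor class: 0x%lx, token: %d\n",
           demo_cert_ok(), demo_cert_missing_value(), demo_vendor_attr(), demo_vendor_class(), demo_fallback());
    return 0;
}
```

The point of the split into check_create_template() and pick_token() is that each side stays simple: the token only has to be honest about what it cannot store, and the caller only has to treat any non-CKR_OK answer as "try the next token", which is exactly the division of labour the reply says NSS relies on.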
