Ühel kenal päeval, T, 2010-07-13 kell 10:59, kirjutas Robert Relyea: > You'll find https://developer.mozilla.org/en/PKCS11_Implement helpful > in dealing with PKCS #11 and NSS. It's a bit dated, but it provides a > minimum set (something that will work with even ancient versions of > the browser).
Thank You Robert for Your reply. I'll comment on a few issues below. > > PKCS#11 implementation in Mozilla is broken in many ways: > > 1. It doesn't like when slots disappear > > > When the code was implemented. Slots were only allowed to grow, not > disappear. I suspect a simple change to UpdateSlotList may fix this, > as long as you are prepared to deal with old slot numbers sent to you > without crashing (returning an error is fine). As dave pointed out > writing bugs upstream would be a good way to get these fixed. I'm not sure there is a bug filed in upstream. The issue came to my attention a while ago when Martin Paljak tried to fix the hotplug issue in opensc about a year ago or so. I'm not sure he reported it back then. > > 2. It breaks when module initially exposes zero slots > > > I would be happy to review any patches you may have that fixes this > issue the source is in mozilla/security/nss/pk11wrap. My guess is you > may only need to have SECMOD_HasRemovableSlots() return true if the > mod->slotCount == 0 (pk11util.c). I think You are right. We discovered that Firefox stops polling for slot updates when module initially has no slots. I'll look into it. We didn't file a bug report, because I wasn't sure if this is actually a correct behaviour on NSS part. > > 3. It doesn't set it's slot flags (eg. friendly) for all slots, > > but only for those that were visible when the security module was > > loaded from JavaScript. New slots get default flags, which can be > > wrong. > > > That's on purpose. Most tokens out of the box do not meet the > requirements of 'Publicly readable certs'. The rules for this can be > found buried the the strings document (I thought it was in the PKCS > #11 faq, but I didn't see it there): Now that claim I must contest. There are actually a few bugs filed about this: https://bugzilla.mozilla.org/show_bug.cgi?id=322145 https://bugzilla.mozilla.org/show_bug.cgi?id=511652 What is beyond me is that: 1. PKCS11_PUB_READABLE_CERT_FLAG is a slot specific flag! Why? OpenSC is one of the rare PKCS#11 modules that supports multiple tokens that may in theory have a different behaviour. But in practice how can an NSS application make a difference which slots DO need this flag and which do not? 2. At least in Firefox it's specified at MODULE load time and is applied to all slots at once https://developer.mozilla.org/en/PKCS11_Module_Installation http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/public/nsIPKCS11.idl 3. When new slots appear in the MODULE that had the flags set at it's load time, those new slots lose the flags and use default ones. You mean its' not a bug? How come? > This is certainly safer for many implementations. Not all NSS apps > bother to call UpdateSlotList(), so even if you make the above > changes, NSS will never see the new slots. Well I think You are dead-on about this. I hate to admit it, but the changeset r3935 seems like an ugly hack to me: Quoting from a commit message: ! implement a "virtual hotplug slot" with a floating slot id to keep NSS ! working with C_WaitForSlotEvent with a new reader. NSS does not call ! C_GetSlotList(NULL) to re-fetch the list of available slots if ! C_WaitForSlotEvent returns an event in an already known slot ID. By ! changing the ID of a slot whenever a reader attached NSS/Firefox can ! be tricked into recognizing new readers when waiting for events with ! C_WaitForSlotEvent. Do we really need a hack like this? Maybe just allocate a number of slots and stop messing around with the slot count unless the pre-allocated list has been exhausted. Maybe even make it configurable from opensc.conf so users with broken NSS apps can mitigate the damage by increasing it. Martin, what's Your opinion about this? > Patches for review are welcome, but you should at least writes some > bugs about this first.;). Thank You, I might even produce some patches if I know what to patch in the first place :P PS! Do You happen to know why Firefox stopped looking for certificate flags? I mean why it still presents the certificate for SSL authentication/encryption even if the keyUsage flag is set and it does not include neither digital signature nor data encryption in allowable usages? That's why we have this onepin-pkcs11 hack around to hide some eID certificates from Firefox. -- Antti Andreimann - Security Expert Using Linux since 1993 Member of ELUG since 29.01.2000 _______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
