On Wed, 2010-11-10 at 13:03 -0600, Douglas E. Engert wrote:
> 
> On 11/10/2010 11:37 AM, Andre Zepezauer wrote:
> > Hello Douglas,
> >
> > you should check if NSS does support ECDSA. If it does, then it should
> > verify the user's certificate on its own. Calling a PKCS#11 provider to
> > do it is some kind of abuse. (See quotation below)
> 
> I agree, but that is not what I am seeing.
> 
> >
> > But if NSS tries to offload the verification to OpenSC, because it
> > doesn't have support for ECDSA, then you are in trouble.
> 
> Yes it has some support, as it knows how to list the algorithm and its
> parameters, as well as tell PKCS#11 to create the public key passing it
> the CKA_EC_POINT.
> 
> > This is because
> > the recipient of your signed e-mail also would need OpenSC for
> > verification. Not practical I think.
> 
> Well, I hope to find out in the next few days if it will try and use
> PKCS#11 for verification of signatures too, or find out if any of the
> Microsoft products can handle the e-mail too.

Some hints:

http://stackoverflow.com/questions/2228860/encrypting-a-message-using-ecdsa-in-openssl
http://mxr.mozilla.org/security/source/security/nss/lib/freebl/ec.c

> I also need to look at the PKCS#11 session to see if OpenSC somehow
> indicated to NSS that it could do verification.
> 
> >
> > PKCS#11 Section "6.2 Design goals":
> > "Cryptoki was intended from the beginning to be an interface between
> > applications and all kinds of portable cryptographic devices [...] It is
> > not the goal of Cryptoki to be a generic interface to cryptographic
> > operations or security services [...]"
> 
> Interesting, as Solaris 10 passes all its crypto through "Solaris
> Cryptographic Framework" based on PKCS#11, so as to take advantage of
> any crypto hardware if available.
> 
> http://docs.sun.com/app/docs/doc/816-4557/scf-1?l=en&a=view
> 
> >
> > Regards
> > Andre
> >
> > On Wed, 2010-11-10 at 10:56 -0600, Douglas E. Engert wrote:
> >> Does OpenSC PKCS#11 support the creation of session objects?
> >> Has anyone looked at doing this?
> >>
> >> I bring this up as I am testing EC mods to OpenSC using
> >> Thunderbird to sign e-mail as a test. In my case, the user certificate
> >> is using ECDSA with a named curve, and the test CA is also using
> >> ECDSA to sign the user's certificate.
> >>
> >> Thunderbird 3.1.4 with NSS-3.12.x (x is at least 3) on Solaris 10
> >> tries to create a session public key, where the key is the public
> >> key of the CA. I think NSS is going to use this public key to verify
> >> the signature of the user's certificate asking the OpenSC PKCS#11
> >> ECDSA to do the verify. Depending on the card, this may have to be
> >> done in software.
> >>
> >> See the attached edited PKCS11-SPY output, showing mechanisms,
> >> open session, session info, and failed create object. Not shown
> >> are pin/login, and retrieval of the user certificate.
> >>
> >> PKCS#11 2.20 says : Table 4 "R/O Public Session"
> >> "The application has opened a read-only session. The application
> >>    has read-only access to public token objects and read/write access
> >>    to public session objects."
> >>
> >> I don't think NSS does this if the CA is using RSA to sign
> >> the certificates, and I will try that next. (But eventually
> >> some CA will start using ECDSA to sign certificates.)
> >>
> >> Even if the ECDSA verify was to be added to OpenSC PKCS11,
> >> to be done in software, I would expect it might have to use
> >> OpenSSL to do the verification.
> >>
> >> _______________________________________________
> >> opensc-devel mailing list
> >> opensc-devel@lists.opensc-project.org
> >> http://www.opensc-project.org/mailman/listinfo/opensc-devel
> >
> >
> 
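
The thread has NSS passing the CA public key to PKCS#11 as CKA_EC_POINT together with a named curve. As an added example (not from the thread, NSS or OpenSC), the Python below shows the checks a software verifier would apply to those two attributes before running an ECDSA verify. It assumes P-256 only; the function names and the sample point are constructed for illustration.

```python
# Added example: validate EC public-key attributes received via
# C_CreateObject before using them for ECDSA verification (P-256 only).

# CKA_EC_PARAMS for a named curve: DER OID 1.2.840.10045.3.1.7 (P-256)
P256_OID = bytes.fromhex("06082a8648ce3d030107")
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


def unwrap_octet_string(der: bytes) -> bytes:
    """Strip a DER OCTET STRING header (short or 0x81 long-form length)."""
    if len(der) < 2 or der[0] != 0x04:
        raise ValueError("CKA_EC_POINT is not a DER OCTET STRING")
    if der[1] < 0x80:
        length, body = der[1], der[2:]
    elif der[1] == 0x81 and len(der) >= 3 and der[2] >= 0x80:
        length, body = der[2], der[3:]
    else:
        raise ValueError("unsupported or non-minimal DER length")
    if length != len(body):
        raise ValueError("DER length does not match content")
    return body


def parse_ec_public_key(ec_params: bytes, ec_point: bytes) -> tuple[int, int]:
    """Return (x, y) if the attributes describe a valid P-256 public key."""
    if ec_params != P256_OID:
        raise ValueError("only the P-256 named curve is handled here")
    # PKCS#11 v2.20: CKA_EC_POINT is the DER encoding of X9.62 ECPoint
    q = unwrap_octet_string(ec_point)
    if len(q) != 65 or q[0] != 0x04:
        raise ValueError("expected uncompressed point 04 || X || Y")
    x, y = int.from_bytes(q[1:33], "big"), int.from_bytes(q[33:], "big")
    if x >= P or y >= P:
        raise ValueError("coordinate out of field range")
    # Reject points off the curve (y^2 = x^3 + ax + b mod p)
    if (y * y - (x * x * x + A * x + B)) % P != 0:
        raise ValueError("point is not on the curve")
    return x, y


def sample_point(x: int, y: int) -> bytes:
    """Build a constructed CKA_EC_POINT value (DER-wrapped) for testing."""
    raw = b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")
    return bytes([0x04, len(raw)]) + raw
```
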
