Re: How to use Firefox' PKCS#11 interface
On 06/12/13 13:07, firef...@gmail.com wrote:
> Hi, I have a couple of questions concerning certificate handling in
> Firefox and PKCS#11. When Firefox receives an X.509 cert during HTTPS
> establishment, the certificate (chain) is validated by NSS, right?! Is
> this done via PKCS#11 or are Firefox and NSS communicating via another
> interface? I can't find an appropriate PKCS#11 function, accepting a
> certificate chain.

PKCS#11 doesn't work at that level. PKCS#11 tokens can store certificates, but the PKCS#11 API doesn't interpret them in any way. Operations like extracting a public key from a certificate, or validation, are done outside PKCS#11 apart from signature verification.

(You could, perhaps, build a PKCS#11 module that recognized when the data passed to a C_Verify call happened to be a certificate and did something other than just verify the signature, but that would be truly horrible.)

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
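Added example, not part of the original thread and not NSS code: a sketch of the certificate handling that happens outside PKCS#11, splitting a DER certificate into its signed bytes and signature value, the only two pieces a C_Verify call would ever receive. The helper names and the sample bytes are constructed for illustration; the toy TBS is not a valid TBSCertificate.

```python
# Added illustration. The "certificate" is constructed toy data, not a real one.
def der_tlv(tag, body):
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def read_tlv(buf, pos=0):
    """Return (tag, body_start, end) for the TLV at pos, rejecting bad lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        n = first
    else:
        k = first & 0x7F
        if k == 0 or k > 4 or pos + k > len(buf):
            raise ValueError("unsupported or truncated length")
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    if pos + n > len(buf):
        raise ValueError("body runs past end of buffer")
    return tag, pos, pos + n

def split_certificate(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Returns (tbs incl. header, algorithm body, signature bytes); tbs and signature
    are the data/signature pair an application would hand to C_Verify."""
    tag, start, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not exactly one DER SEQUENCE")
    t1, _, e1 = read_tlv(der, start)   # tbsCertificate: the signed bytes
    t2, s2, e2 = read_tlv(der, e1)     # signatureAlgorithm
    t3, s3, e3 = read_tlv(der, e2)     # signatureValue (BIT STRING)
    if (t1, t2, t3) != (0x30, 0x30, 0x03) or e3 != end:
        raise ValueError("unexpected certificate layout")
    if s3 == e3 or der[s3] != 0:
        raise ValueError("signature must have zero unused bits")
    return der[start:e1], der[s2:e2], der[s3 + 1:e3]

# Constructed sample: toy TBS, sha256WithRSAEncryption OID + NULL, dummy signature.
TBS = der_tlv(0x30, der_tlv(0x02, b"\x01") + der_tlv(0x0C, b"constructed subject"))
ALG_BODY = bytes.fromhex("06092a864886f70d01010b0500")
SIG = bytes(range(256))
SAMPLE = der_tlv(0x30, TBS + der_tlv(0x30, ALG_BODY) + der_tlv(0x03, b"\x00" + SIG))
```

Name checks, validity dates, path building and trust decisions all operate on the parsed TBS contents, which the token never sees.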
How to use Firefox' PKCS#11 interface
Hi,

I have a couple of questions concerning certificate handling in Firefox and PKCS#11. When Firefox receives an X.509 cert during HTTPS establishment, the certificate (chain) is validated by NSS, right?! Is this done via PKCS#11 or are Firefox and NSS communicating via another interface? I can't find an appropriate PKCS#11 function, accepting a certificate chain.

The reason I ask is the following: We are out to implement an alternative trust model, consisting of an external (but local) Java application, managing the trust validation etc., and a Firefox extension acting as an interface between the user, the browser and the Java application. One possibility could be to develop a PKCS#11 module, which is registered in Firefox, takes the certificate chain and communicates with the Java application to receive a valid/invalid answer. But we are not sure if this is possible. Any thoughts about it?

Alternatively, a simpler approach would be to omit the PKCS#11 module and let the extension directly communicate with the Java application via a local web server.