Re: Developing pkcs11 module for Firefox
On 2012-01-05 02:45, Robert Relyea wrote:
>> I am curious as to how smartcard management is supposed to work for Linux. It seems to me that it would be ideal for Firefox to support the shared DB on Linux. Are there OS-level tools for managing the shared DB? For example, is there an OS-level UI for adding/removing PKCS#11 modules in Fedora/RHEL that would make Firefox's UI for this redundant?
>
> System level PKCS #11 modules (installed by the administrator) are stored in /etc/pki/nssdb, user level pkcs #11 modules (installed by the user) are stored in ~/.pki/nssdb. User level applications load both the system modules and the user modules. How this works under the covers is described here: https://wiki.mozilla.org/NSS_Shared_DB_And_LINUX

Doesn't Gnome Keyring essentially shoot for the same target?

-- Anders

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Developing pkcs11 module for Firefox
On 2012-01-03 23:44, Robert Relyea wrote:
> On 12/30/2011 06:53 AM, Anders Rundgren wrote:
>> On 2011-12-29 23:08, Brian Smith wrote:
>>> Matej Kurpel wrote:
>>>> On 22. 12. 2011 10:36, Imen Ibn Hotab wrote:
>>>>> I'm developing a pkcs#11 module for Firefox.
>>>> I was developing a PKCS#11 module as well.
>>> Just out of curiosity, what do your PKCS#11 modules do? Would it make things easier for either of you if Firefox and Thunderbird supported CAPI CSPs in addition to or instead of pkcs#11 modules for client certificates on Windows?
>> Yes! I think Firefox would gain by, in addition to PKCS #11, also supporting the native OS crypto system (if there is one).
>>
>> Cheers,
>> Anders
> There is a capi module in the NSS source tree, but it purposefully does not surface removable CAPI modules under the assumption that such devices already have PKCS #11 modules.

I'm not sure what you mean with removable CAPI modules, but the assumption that PKCS #11 is standard on Windows is not entirely correct since PIV cards (for example) can be used as is in W7 and forward without any middleware installation. Other cards may need an install via Windows Update but this (AFAIK) does usually not include PKCS #11. Chrome uses CAPI by default.

OTOH, the situation is the same for Java. The Oracle JRE contains built-in support for CAPI not needing any setup or configuration. Well, there is support for PKCS #11 but it requires much more work to be used.

BTW, integration of crypto seems to have taken a giant leap forward:
http://channel9.msdn.com/Events/BUILD/BUILD2011/HW-462T
http://www.google.com/wallet

I think this step was inevitable; supporting third-party drivers and custom enrollment schemes has simply proved to be too hard if you are targeting consumers. That the insides of the schemes above currently are kept under wraps is an indication that this field is slowly but surely heating up :-)

If the unverified rumor that Google's Wallet is based on GP (GlobalPlatform) actually is true, it looks like E2ES (end-to-end-secured) provisioning will be the next big thing in crypto middleware. It will be quite interesting to see how this is going to be dealt with by Mozilla as well as by the *NIX community.

My take on this (as you have heard about a gazillion times before) is defining a unified E2ES-enabled crypto container (SKS) so that you in the majority of cases would never have to bother about middleware in a contemporary platform. SKS differs from GP in many respects, most notably in the trust model, where GP assumes that the container trusts the issuer, which mainly is a smart card business model issue rather than a security requirement. In SKS it is the user who grants an issuer the right to create a key, based on the existing (semi-functional) Internet trust model. Since a fake key doesn't open any genuine doors, this should work just fine.

Anders

> bob
>>> Cheers,
>>> Brian
Re: Developing pkcs11 module for Firefox
On 01/04/2012 09:04 AM, Anders Rundgren wrote:
> On 2012-01-03 23:44, Robert Relyea wrote:
>> On 12/30/2011 06:53 AM, Anders Rundgren wrote:
>>> On 2011-12-29 23:08, Brian Smith wrote:
>>>> Matej Kurpel wrote:
>>>>> On 22. 12. 2011 10:36, Imen Ibn Hotab wrote:
>>>>>> I'm developing a pkcs#11 module for Firefox.
>>>>> I was developing a PKCS#11 module as well.
>>>> Just out of curiosity, what do your PKCS#11 modules do? Would it make things easier for either of you if Firefox and Thunderbird supported CAPI CSPs in addition to or instead of pkcs#11 modules for client certificates on Windows?
>>> Yes! I think Firefox would gain by, in addition to PKCS #11, also supporting the native OS crypto system (if there is one).
>>>
>>> Cheers,
>>> Anders
>> There is a capi module in the NSS source tree, but it purposefully does not surface removable CAPI modules under the assumption that such devices already have PKCS #11 modules.
> I'm not sure what you mean with removable CAPI modules, but the assumption that PKCS #11 is standard on Windows is not entirely correct since PIV cards (for example) can be used as is in W7 and forward without any middleware installation. Other cards may need an install via Windows Update but this (AFAIK) does usually not include PKCS #11.

I'm just explaining what is there, so if you don't like the default you could change it ;). I was primarily trying to avoid a loop. The CAPI drivers we use are CAPI to PKCS #11. The configurations I was running with had the PKCS #11 module installed in NSS and the CAPI to PKCS #11 module installed in capi.

bob
Re: Developing pkcs11 module for Firefox
Robert Relyea wrote:
> On 01/04/2012 09:04 AM, Anders Rundgren wrote:
>>> There is a capi module in the NSS source tree, but it purposefully does not surface removable CAPI modules under the assumption that such devices already have PKCS #11 modules.

While it may be true that they have PKCS#11 modules, the user probably does not have the PKCS#11 module installed, but they probably have the CAPI module installed. The idea motivating the consideration of supporting CAPI is to have a zero configuration experience for switching from other browsers (especially IE) to Firefox. The possibility of plug-and-play smartcards in Windows 7 pushes us more towards CAPI support on Windows. I now have five smartcard tokens (for accessing my new Chinese bank accounts) and they all have CAPI modules installed but only one has a PKCS#11 module even available for me to install into Firefox.

> I was primarily trying to avoid a loop. The CAPI drivers we use are CAPI to PKCS #11. The configurations I was running with had the PKCS #11 module installed in NSS and the CAPI to PKCS #11 module installed in capi.

Interesting. I did not know that. Unfortunately, I doubt there would be an easy way to automatically locate the PKCS#11 module given the CAPI module.

I am curious as to how smartcard management is supposed to work for Linux. It seems to me that it would be ideal for Firefox to support the shared DB on Linux. Are there OS-level tools for managing the shared DB? For example, is there an OS-level UI for adding/removing PKCS#11 modules in Fedora/RHEL that would make Firefox's UI for this redundant?

- Brian
Re: Developing pkcs11 module for Firefox
On 01/04/2012 05:17 PM, Brian Smith wrote:
> Robert Relyea wrote:
>> On 01/04/2012 09:04 AM, Anders Rundgren wrote:
>>>> There is a capi module in the NSS source tree, but it purposefully does not surface removable CAPI modules under the assumption that such devices already have PKCS #11 modules.
>
> While it may be true that they have PKCS#11 modules, the user probably does not have the PKCS#11 module installed, but they probably have the CAPI module installed. The idea motivating the consideration of supporting CAPI is to have a zero configuration experience for switching from other browsers (especially IE) to Firefox. The possibility of plug-and-play smartcards in Windows 7 pushes us more towards CAPI support on Windows. I now have five smartcard tokens (for accessing my new Chinese bank accounts) and they all have CAPI modules installed but only one has a PKCS#11 module even available for me to install into Firefox.

That is why I mentioned the way the PKCS #11 is currently coded. I'm not saying it has to *stay* that way.

>> I was primarily trying to avoid a loop. The CAPI drivers we use are CAPI to PKCS #11. The configurations I was running with had the PKCS #11 module installed in NSS and the CAPI to PKCS #11 module installed in capi.
>
> Interesting. I did not know that. Unfortunately, I doubt there would be an easy way to automatically locate the PKCS#11 module given the CAPI module.

There may be a way to identify the CAPI to PKCS #11 module (possibly with changes to the CAPI to PKCS #11 module), and maybe even have the CAPI to PKCS #11 module tell where its PKCS #11 module is. We could then decide to 1) not surface that module, 2) not surface that module, but provide NSS with the native PKCS #11 module to load, or 3) not load the PKCS #11 module that matches. 3 would require some changes to NSS itself.

> I am curious as to how smartcard management is supposed to work for Linux. It seems to me that it would be ideal for Firefox to support the shared DB on Linux. Are there OS-level tools for managing the shared DB? For example, is there an OS-level UI for adding/removing PKCS#11 modules in Fedora/RHEL that would make Firefox's UI for this redundant?

System level PKCS #11 modules (installed by the administrator) are stored in /etc/pki/nssdb, user level pkcs #11 modules (installed by the user) are stored in ~/.pki/nssdb. User level applications load both the system modules and the user modules. How this works under the covers is described here: https://wiki.mozilla.org/NSS_Shared_DB_And_LINUX

bob

> - Brian
Re: Developing pkcs11 module for Firefox
>> I am curious as to how smartcard management is supposed to work for Linux. It seems to me that it would be ideal for Firefox to support the shared DB on Linux. Are there OS-level tools for managing the shared DB? For example, is there an OS-level UI for adding/removing PKCS#11 modules in Fedora/RHEL that would make Firefox's UI for this redundant?
>
> System level PKCS #11 modules (installed by the administrator) are stored in /etc/pki/nssdb, user level pkcs #11 modules (installed by the user) are stored in ~/.pki/nssdb. User level applications load both the system modules and the user modules. How this works under the covers is described here: https://wiki.mozilla.org/NSS_Shared_DB_And_LINUX

OK, it would be helpful if I actually answered the question which was asked ;). Currently there is no UI at the OS level for adding and removing PKCS #11 modules, just some command line apps. The FF/TB UI (if they were using the system DB) would add and subtract PKCS #11 modules from the user db (not the system one). Part of the reason for having the userdb is to allow such UIs to continue to operate.

bob
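The two-database layout Bob describes (system modules in /etc/pki/nssdb, user modules in ~/.pki/nssdb, user applications loading both) can be inspected without the browser UI. The script below is an added example, not NSS or Mozilla code. It assumes both directories are sql:-format NSS databases, whose module list lives in a pkcs11.txt file inside the directory as blocks of key=value lines separated by blank lines; it parses both files, combines them in the order a user-level application sees them, and flags a library listed in both, since that module would be loaded twice. The two sample files embedded in it are constructed, and their library names and paths are made up.

```python
"""Inventory of the PKCS #11 modules a user-level NSS application would load.

Added example (not NSS or Mozilla code). Assumes sql:-format databases whose
module list is kept in <dbdir>/pkcs11.txt. The sample texts are constructed.
"""
import os
import re
from dataclasses import dataclass, field

SYSTEM_DB = "/etc/pki/nssdb"
USER_DB = os.path.expanduser("~/.pki/nssdb")


@dataclass
class Module:
    name: str
    library: str           # empty for the NSS internal (softoken) module
    origin: str            # "system" or "user"
    nss_flags: list[str] = field(default_factory=list)


def _module_from_block(block: dict[str, str], origin: str) -> Module:
    # The NSS= value carries comma-separated flags, e.g. "Flags=internal,critical trustOrder=75".
    m = re.search(r"Flags=([\w,]+)", block.get("NSS", ""))
    return Module(
        name=block.get("name", "<unnamed>"),
        library=block.get("library", ""),
        origin=origin,
        nss_flags=m.group(1).split(",") if m else [],
    )


def parse_pkcs11_txt(text: str, origin: str) -> list[Module]:
    """Each module is a run of key=value lines; a blank line ends the block."""
    modules: list[Module] = []
    block: dict[str, str] = {}
    for raw in text.splitlines() + [""]:   # the extra "" flushes the last block
        line = raw.strip()
        if not line:
            if block:
                modules.append(_module_from_block(block, origin))
                block = {}
            continue
        if line.startswith("#"):
            continue
        key, sep, value = line.partition("=")  # split on the first '=' only;
        if sep:                                # values themselves contain '='
            block[key.strip()] = value.strip()
    return modules


def merge_module_lists(system: list[Module], user: list[Module]):
    """Combined load list (system first, then user) plus duplicate warnings."""
    combined = list(system) + list(user)
    first_seen: dict[str, str] = {}
    warnings: list[str] = []
    for mod in combined:
        if not mod.library:          # the internal module has no library path
            continue
        if mod.library in first_seen:
            warnings.append(f"{mod.library} ({mod.name}) is listed in both the "
                            f"{first_seen[mod.library]} and {mod.origin} db and would load twice")
        else:
            first_seen[mod.library] = mod.origin
    return combined, warnings


def inventory(system_dir: str = SYSTEM_DB, user_dir: str = USER_DB):
    """Read the real files if present; a missing file contributes nothing."""
    def read(directory: str, origin: str) -> list[Module]:
        path = os.path.join(directory, "pkcs11.txt")
        if not os.path.isfile(path):
            return []
        with open(path, encoding="utf-8") as fh:
            return parse_pkcs11_txt(fh.read(), origin)
    return merge_module_lists(read(system_dir, "system"), read(user_dir, "user"))


# Constructed sample contents, not copied from any real system.
SAMPLE_SYSTEM = """\
library=
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:/etc/pki/nssdb' certPrefix='' keyPrefix='' flags=readOnly
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100

library=/usr/lib64/opensc-pkcs11.so
name=OpenSC smart card framework
NSS=trustOrder=100
"""

SAMPLE_USER = """\
library=/usr/lib64/opensc-pkcs11.so
name=OpenSC (added from the browser UI)

library=/home/alice/lib/libvendor-pk11.so
name=Vendor token
"""

if __name__ == "__main__":
    mods, warns = merge_module_lists(parse_pkcs11_txt(SAMPLE_SYSTEM, "system"),
                                     parse_pkcs11_txt(SAMPLE_USER, "user"))
    for m in mods:
        print(f"[{m.origin:6}] {m.name}: {m.library or '(internal)'} {m.nss_flags}")
    for w in warns:
        print("WARNING:", w)
```

Run it with no arguments to see the merged view of the constructed samples, or call inventory() to read the real files on a Fedora/RHEL box. The command-line apps Bob refers to include NSS's modutil; `modutil -dbdir sql:$HOME/.pki/nssdb -list` shows the same user-level module list that this script parses, and the `-add`/`-delete` options are what the browser UI effectively does to the user db.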
Re: Developing pkcs11 module for Firefox
On 12/30/2011 06:53 AM, Anders Rundgren wrote:
> On 2011-12-29 23:08, Brian Smith wrote:
>> Matej Kurpel wrote:
>>> On 22. 12. 2011 10:36, Imen Ibn Hotab wrote:
>>>> I'm developing a pkcs#11 module for Firefox.
>>> I was developing a PKCS#11 module as well.
>> Just out of curiosity, what do your PKCS#11 modules do? Would it make things easier for either of you if Firefox and Thunderbird supported CAPI CSPs in addition to or instead of pkcs#11 modules for client certificates on Windows?
> Yes! I think Firefox would gain by, in addition to PKCS #11, also supporting the native OS crypto system (if there is one).
>
> Cheers,
> Anders

There is a capi module in the NSS source tree, but it purposefully does not surface removable CAPI modules under the assumption that such devices already have PKCS #11 modules.

bob

>> Cheers,
>> Brian
Re: Developing pkcs11 module for Firefox
On 2011-12-29 23:08, Brian Smith wrote:
> Matej Kurpel wrote:
>> On 22. 12. 2011 10:36, Imen Ibn Hotab wrote:
>>> I'm developing a pkcs#11 module for Firefox.
>> I was developing a PKCS#11 module as well.
> Just out of curiosity, what do your PKCS#11 modules do? Would it make things easier for either of you if Firefox and Thunderbird supported CAPI CSPs in addition to or instead of pkcs#11 modules for client certificates on Windows?

Yes! I think Firefox would gain by, in addition to PKCS #11, also supporting the native OS crypto system (if there is one).

Cheers,
Anders

> Cheers,
> Brian
Re: Developing pkcs11 module for Firefox
Matej Kurpel wrote:
> On 22. 12. 2011 10:36, Imen Ibn Hotab wrote:
>> I'm developing a pkcs#11 module for Firefox.
> I was developing a PKCS#11 module as well.

Just out of curiosity, what do your PKCS#11 modules do? Would it make things easier for either of you if Firefox and Thunderbird supported CAPI CSPs in addition to or instead of pkcs#11 modules for client certificates on Windows?

Cheers,
Brian
Re: Developing pkcs11 module for Firefox
On 29. 12. 2011 23:08, Brian Smith wrote:
> Matej Kurpel wrote:
>> On 22. 12. 2011 10:36, Imen Ibn Hotab wrote:
>>> I'm developing a pkcs#11 module for Firefox.
>> I was developing a PKCS#11 module as well.
>
> Just out of curiosity, what do your PKCS#11 modules do? Would it make things easier for either of you if Firefox and Thunderbird supported CAPI CSPs in addition to or instead of pkcs#11 modules for client certificates on Windows?
>
> Cheers,
> Brian

It made a cryptographic device out of any Windows Mobile-powered phone (and capable of running .NET framework programs). It was my diploma thesis, which I defended successfully :) I would not even think of using CAPI for this purpose just because it is Windows-only and more programs are PKCS#11-friendly than CAPI-friendly (afaik, at least).

M. Kurpel
Re: Developing pkcs11 module for Firefox
On 22. 12. 2011 10:36, Imen Ibn Hotab wrote:
> Hi all!
>
> I'm developing a pkcs#11 module for Firefox. Now I'm testing on my Windows XP machine. When I try to load my module using the graphic interface in Mozilla Firefox 8.0.1 I get an "unable to load module" message. I tried to load my module in Firefox 6.0 but got the same message. When I use Mozilla/5.0 Firefox/3.6.9 the module loads successfully. Has anyone had such a problem?

Hello,

I was developing a PKCS#11 module as well. To debug PKCS#11 calls from Firefox to your module, I recommend using pkcs11-spy.dll from the OpenSC package. It allows you to write all data to a file so you can review what went wrong.

Hope this helps,
M. Kurpel
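A generic "unable to load module" dialog hides which of the host application's loading steps failed: loading the shared library, resolving C_GetFunctionList, reading the function table it returns, or the module's own C_Initialize/C_GetInfo. The script below is an added example, not Firefox, NSS or OpenSC code; it repeats those steps from Python via ctypes and reports the first one that fails, which is the check a module developer would run before reaching for pkcs11-spy. It assumes only the standard PKCS #11 structure layouts (CK_VERSION, CK_INFO, and the leading members of CK_FUNCTION_LIST); the module path comes from the caller and no real module is assumed.

```python
"""Smoke-test a PKCS #11 module the way a host application loads it.

Added example; not Firefox, NSS or OpenSC code. Only the leading members of
CK_FUNCTION_LIST are declared, which is enough to reach C_Initialize and
C_GetInfo. The module path is whatever the caller passes in.
"""
import ctypes
import sys
from dataclasses import dataclass, field

CKR_OK = 0
CK_RV = ctypes.c_ulong   # CK_ULONG is an unsigned long on both Windows and Unix


class CK_VERSION(ctypes.Structure):
    _fields_ = [("major", ctypes.c_ubyte), ("minor", ctypes.c_ubyte)]


class CK_INFO(ctypes.Structure):
    if sys.platform == "win32":
        _pack_ = 1   # the Windows pkcs11.h forces 1-byte packing; Unix uses natural alignment
    _fields_ = [
        ("cryptokiVersion", CK_VERSION),
        ("manufacturerID", ctypes.c_char * 32),
        ("flags", ctypes.c_ulong),
        ("libraryDescription", ctypes.c_char * 32),
        ("libraryVersion", CK_VERSION),
    ]


class CK_FUNCTION_LIST_PREFIX(ctypes.Structure):
    # The real table is longer; viewing just its prefix through this type is safe.
    if sys.platform == "win32":
        _pack_ = 1
    _fields_ = [
        ("version", CK_VERSION),
        ("C_Initialize", ctypes.CFUNCTYPE(CK_RV, ctypes.c_void_p)),
        ("C_Finalize", ctypes.CFUNCTYPE(CK_RV, ctypes.c_void_p)),
        ("C_GetInfo", ctypes.CFUNCTYPE(CK_RV, ctypes.POINTER(CK_INFO))),
    ]


@dataclass
class SmokeResult:
    path: str
    loaded: bool = False
    cryptoki_version: str = ""
    manufacturer: str = ""
    description: str = ""
    errors: list[str] = field(default_factory=list)


def decode_padded(raw: bytes) -> str:
    """PKCS #11 string fields are space-padded, not NUL-terminated."""
    return raw.rstrip(b" \0").decode("ascii", "replace")


def smoke_test(path: str) -> SmokeResult:
    res = SmokeResult(path=path)
    try:
        lib = ctypes.CDLL(path)
    except OSError as exc:   # wrong bitness, missing dependent DLLs, bad path
        res.errors.append(f"dlopen failed: {exc}")
        return res
    try:
        get_list = lib.C_GetFunctionList
    except AttributeError:
        res.errors.append("C_GetFunctionList is not exported")
        return res
    get_list.restype = CK_RV
    get_list.argtypes = [ctypes.POINTER(ctypes.POINTER(CK_FUNCTION_LIST_PREFIX))]
    table = ctypes.POINTER(CK_FUNCTION_LIST_PREFIX)()
    rv = get_list(ctypes.byref(table))
    if rv != CKR_OK or not table:
        res.errors.append(f"C_GetFunctionList returned 0x{rv:08x}")
        return res
    fl = table.contents
    res.cryptoki_version = f"{fl.version.major}.{fl.version.minor}"
    rv = fl.C_Initialize(None)   # NULL args: single-threaded use, no locking callbacks
    if rv != CKR_OK:
        res.errors.append(f"C_Initialize returned 0x{rv:08x}")
        return res
    info = CK_INFO()
    rv = fl.C_GetInfo(ctypes.byref(info))
    if rv == CKR_OK:
        res.manufacturer = decode_padded(info.manufacturerID)
        res.description = decode_padded(info.libraryDescription)
    else:
        res.errors.append(f"C_GetInfo returned 0x{rv:08x}")
    fl.C_Finalize(None)
    res.loaded = not res.errors
    return res


if __name__ == "__main__":
    print(smoke_test(sys.argv[1] if len(sys.argv) > 1 else "./module.so"))
```

Run it as `python smoke_pkcs11.py path\to\module.dll` (or a .so on Unix) using a Python interpreter of the same bitness as the browser, since a 64-bit process cannot load a 32-bit module and that mismatch surfaces as the very first "dlopen failed" error. Once the module passes this check, OpenSC's pkcs11-spy (the tool Matej recommends) shows the per-call traffic: point the PKCS11SPY environment variable at the real module, load the spy module in Firefox instead, and set PKCS11SPY_OUTPUT to the file that should receive the log.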