On 05/30/2014 07:47 AM, Jonathan Schulze-Hewett wrote: > To whom it may concern, > > I have a PKCS#11 device that supports ECC operations. In particular > C_GetMechanismList includes the following items: > > CKM_ECDH1_DERIVE > CKM_ECDH1_COFACTOR_DERIVE > CKM_EC_KEY_PAIR_GEN > CKM_ECDSA > > The module is added to Firefox using nsIPKCS11::addModule with 0 for both the > cryptoMechanismFlags and the cipherFlags. > > If I put Firefox into FIPS mode it uses my PKCS#11 module to perform ECC > computations during TLS negotiation where ecdhe is being preferred by the > server. In particular, it will call C_GenerateKeyPair (to generate an ECC key > pair), C_DeriveKey (to derive a shared secret), C_GetAttributeValue (to > obtain the shared secret), C_CreateObject (to add an RSA public key for some > reason), and C_WrapKey (to wrap the secret key with the recently added RSA > key). > > Fundamentally I think this should work, but Firefox tends to "hang" after > C_WrapKey returns. That's something that I'm continuing to examine. Anyway, > the crux of the problem with respect to this mailing list is that I don't > think Firefox should be using the token to perform these operations as I set > flags in addModule to 0. > > Any guidance on this issue you can provide is most welcome. > > Thanks in advance, > Jonathan > Hi Jonathan,
Fundamentally, I think you are right. There were some bugs where ECC wasn't using the prefered flags properly. Which version of Firefox? The other possible issue may be the curves. Which curves do you support , and which are you negotiating in the TLS operation? bob
smime.p7s
Description: S/MIME Cryptographic Signature
-- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
