
issues with pre-login to pkcs11 slots when using NSS

From: Claes Jakobsson <claes_at_versed.se>
Date: Thu, 11 Jun 2009 23:20:04 +0200

Hi,

I spent some time trying to figure out why my client cert wasn't
working with curl using NSS while it worked for other stuff using NSS.

The issue boiled down to curl trying to log in to all PKCS11 slots
before actually setting up the connection. Normally PK11_Authenticate
just returns SECSuccess using NSS's built-in modules for certs, but in
this case another certificate slot in the PKCS11 module I use returned
SECFailure and thus aborted the whole initialization, and with it my
connection.

The code in question from lib/nss.c is:

     ret = PK11_Authenticate(slot, PR_TRUE,
                             conn->data->set.str[STRING_KEY_PASSWD]);
     if(SECSuccess != ret) {
       if(PR_GetError() == SEC_ERROR_BAD_PASSWORD)
         infof(conn->data, "The password for token '%s' is incorrect\n",
               PK11_GetTokenName(slot));
       status = SECFailure;
       break;
     }

However, just ignoring the return code might not be what we want. Is there
a reason why a login to all slots is performed upfront instead of
relying on the pin arg that we pass to PK11_FindCertFromNickname but
never set using SSL_SetPKCS11PinArg, so that PK11_FindCertFromNickname
can do the login to the token?

Cheers,
Claes
Received on 2009-06-11