Re: Fwd: issues with pre-login to pkcs11 slots when using NSS

From: Rob Crittenden <rcritten_at_redhat.com>
Date: Fri, 12 Jun 2009 09:37:50 -0400

Kamil Dudka wrote:
> Hi Rob,
>
> could you please have a look at this issue? Do we need to log in to all pkcs11
> slots before setting up the connection at all? Thanks in advance!

Hmm, interesting. We probably don't need to authenticate to every token.
We already do some work to determine whether this is a file-based token
(for the PEM PKCS#11 module) or an NSS token, so I guess we already know
which one to authenticate.

Since we know when we have an NSS token (because it isn't a file name)
we can look at the nickname to see if it refers to a hardware token. We
can do something like this if there was no key file (in cert_stuff):

char* token = strdup(servercertnickname); /* "token:nick" or plain "nick" */
char* colon = strchr(token, ':');
if(colon){
   *colon = 0;                        /* token now holds only the token name */
   slot = PK11_FindSlotByName(token);
   if (!slot){
     free(token);
     /* Ack, blow up */
     return SECFailure;
   }
   free(token);
} else {
   free(token);                       /* no prefix: cert lives in the internal slot */
   slot = PK11_GetInternalKeySlot();
}
if(PK11_Authenticate(slot, PR_TRUE, ...) != SECSuccess) {
   /* login to this one token failed */
}
PK11_FreeSlot(slot);

I wonder if nss_Init_Tokens() can be eliminated altogether. I suspect
that the call to PK11_SetPasswordFunc(nss_get_password) will still be
required somewhere.

rob

>
> Kamil
>
> ---------- Forwarded Message ----------
>
> Subject: issues with pre-login to pkcs11 slots when using NSS
> Date: Thursday 11 of June 2009
> From: Claes Jakobsson <claes_at_versed.se>
> To: curl-library_at_cool.haxx.se
>
> Hi,
>
> I spent some time trying to figure out why my client cert wasn't
> working with curl using NSS while it worked for other stuff using NSS.
>
> The issue boiled down to the fact that curl tries to log in to all pkcs11
> slots before actually setting up the connection. Normally PK11_Authenticate
> just returns SECSuccess using NSS built-in modules for certs, but in
> this case another certificate slot in the PKCS11 module I use returned
> SECFailure and thus aborted the whole initialization and thus my
> connection.
>
> The code in question from lib/nss.c is
>
>   ret = PK11_Authenticate(slot, PR_TRUE,
>                           conn->data->set.str[STRING_KEY_PASSWD]);
>   if(SECSuccess != ret) {
>     if(PR_GetError() == SEC_ERROR_BAD_PASSWORD)
>       infof(conn->data, "The password for token '%s' is incorrect\n",
>             PK11_GetTokenName(slot));
>     status = SECFailure;
>     break;
>   }
>
> However, just ignoring the return code might not be what we want. Is there
> a reason why a login to all slots is performed upfront instead of
> relying on the pin arg that we pass to PK11_FindCertFromNickname but
> never set using SSL_SetPKCS11PinArg, so that PK11_FindCertFromNickname
> can do the login to the token?
> Cheers,
> Claes
>
>
> -------------------------------------------------------
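
The two behaviours discussed in this thread, as an added example that is not code from the thread or from curl: a constructed slot table stands in for the PKCS#11 modules NSS has loaded (no NSS is linked, and the internal slot name is an assumption), so the "log in to every slot" path fails because of an unrelated slot while the "log in only to the token named in the nickname" path, as Rob sketches it, succeeds.

```c
#include <stdlib.h>
#include <string.h>

/* Assumed name for NSS's internal software slot; a real build would call
 * PK11_GetInternalKeySlot() instead of matching a string. */
#define INTERNAL_SLOT "NSS Internal Key Slot"

/* Constructed slot table standing in for the PKCS#11 modules NSS has loaded.
 * One slot refuses the PIN, as the third-party slot did in Claes' report. */
struct slot { const char *name; int login_ok; };
static const struct slot slots[] = {
    { INTERNAL_SLOT,     1 },
    { "MyHardwareToken", 1 },
    { "OtherVendorSlot", 0 },   /* PK11_Authenticate would return SECFailure */
};
#define NSLOTS (sizeof slots / sizeof slots[0])

/* Split "token:nick": return a malloc'd copy of the token name, or NULL when
 * there is no (non-empty) token prefix, i.e. the cert is in the internal slot. */
char *token_from_nickname(const char *nickname) {
    const char *colon = strchr(nickname, ':');
    if (!colon || colon == nickname) return NULL;
    size_t len = (size_t)(colon - nickname);
    char *token = malloc(len + 1);
    if (!token) return NULL;
    memcpy(token, nickname, len);
    token[len] = '\0';
    return token;
}

/* lib/nss.c behaviour as described in the thread: authenticate to every
 * slot and abort on the first failure. Returns 1 on success, 0 on failure. */
int login_all_slots(void) {
    for (size_t i = 0; i < NSLOTS; i++)
        if (!slots[i].login_ok) return 0;   /* an unrelated slot sinks the connection */
    return 1;
}

/* Rob's proposal: authenticate only the slot the nickname names.
 * Returns 1 on success, 0 on login failure, -1 when no slot has that name
 * (the case where PK11_FindSlotByName would return NULL). */
int login_slot_for_nickname(const char *nickname) {
    char *token = token_from_nickname(nickname);
    const char *want = token ? token : INTERNAL_SLOT;
    int result = -1;
    for (size_t i = 0; i < NSLOTS; i++)
        if (strcmp(slots[i].name, want) == 0) { result = slots[i].login_ok; break; }
    free(token);
    return result;
}
```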

Received on 2009-06-12