
curl-library

Re: issues with pre-login to pkcs11 slots when using NSS

From: Rob Crittenden <rcritten_at_redhat.com>
Date: Fri, 12 Jun 2009 10:08:24 -0400

Claes Jakobsson wrote:
> Hi,
>
> On Jun 12, 2009, at 3:37 PM, Rob Crittenden wrote:
>> Hmm, interesting. We probably don't need to authenticate to every
>> token. We already do some work to determine whether this is a
>> file-based token (for the PEM PKCS#11 module) or an NSS token, so I
>> guess we already know which one to authenticate.
>>
>> Since we know when we have an NSS token (because it isn't a file name)
>> we can look at the nickname to see if it refers to a hardware token.
>> We can do something like this if there was no key file (in cert_stuff):
>
> I don't think it would be necessary to pre-login to any token at all
> since that'll be done automagically via NSS and the handling PKCS#11
> module. If we just import the PEM file to a cert and keep its name
> around we should be fine.

I do that so the failure happens sooner rather than later.

> <source chunk removed/>
>
>> I wonder if nss_Init_Tokens() can be eliminated altogether. I suspect
>> that the call to PK11_SetPasswordFunc(nss_get_password) will still be
>> required somewhere.
>
> It'll still be required since that is what is called by
> PK11_FindCertByName with the PinArg set on the socket. I might have been
> a bit unclear on that bit in my mail.

Yup

rob
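The decision the thread describes (a readable file goes to the PEM PKCS#11 module, anything else is treated as an NSS nickname, and only a nickname that names a token is worth authenticating early so a bad PIN fails sooner rather than later), worked through as an added C example. This is not curl's code; the "token:nickname" form, the function names and the stand-in file check are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Added example, not curl's code. Classifies the value handed in as the
 * client certificate the way the thread describes: an existing regular
 * file is left to the PEM PKCS#11 module, a bare nickname lives in the
 * NSS internal database, and a "token:nickname" (assumed convention)
 * refers to a named token that may warrant an early login. */

enum cert_kind {
    CERT_PEM_FILE,      /* path to a PEM file: handled by the PEM module   */
    CERT_NSS_INTERNAL,  /* bare nickname: resolved in the NSS softoken DB  */
    CERT_NSS_TOKEN      /* "token:nickname": resolved on a named token     */
};

/* Real predicate: does arg name an existing regular file? */
int is_regular_file(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 && S_ISREG(st.st_mode);
}

/* Constructed stand-in for the file check so the example runs without
 * touching the disk: only "client.pem" counts as an existing file. */
int fake_exists(const char *path)
{
    return strcmp(path, "client.pem") == 0;
}

/* Classify arg; token and nick receive '\0'-terminated copies of the
 * parts (token stays empty for non-token kinds). The exists predicate is
 * injected so callers can swap the stat() check for a test double. */
enum cert_kind classify_cert_arg(const char *arg,
                                 int (*exists)(const char *),
                                 char *token, size_t tlen,
                                 char *nick, size_t nlen)
{
    const char *colon;

    token[0] = '\0';
    nick[0] = '\0';

    if (exists(arg)) {
        snprintf(nick, nlen, "%s", arg);
        return CERT_PEM_FILE;
    }

    colon = strchr(arg, ':');
    /* A leading or trailing colon does not form a token prefix. */
    if (colon && colon != arg && colon[1] != '\0') {
        size_t n = (size_t)(colon - arg);
        if (n >= tlen)
            n = tlen - 1;
        memcpy(token, arg, n);
        token[n] = '\0';
        snprintf(nick, nlen, "%s", colon + 1);
        return CERT_NSS_TOKEN;
    }

    snprintf(nick, nlen, "%s", arg);
    return CERT_NSS_INTERNAL;
}

/* Only a token-resident certificate is worth logging in to up front; the
 * PEM module needs no PIN and the internal DB goes through the password
 * callback when the certificate is looked up. */
int needs_pre_login(enum cert_kind kind)
{
    return kind == CERT_NSS_TOKEN;
}

int main(void)
{
    const char *samples[] = { "client.pem", "mycert", "Smart Card:mycert" };
    char token[64], nick[64];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum cert_kind k = classify_cert_arg(samples[i], is_regular_file,
                                             token, sizeof token,
                                             nick, sizeof nick);
        printf("%-20s kind=%d token='%s' nick='%s' pre-login=%d\n",
               samples[i], (int)k, token, nick, needs_pre_login(k));
    }
    return 0;
}
```

With the stat-based predicate the first sample is only reported as a PEM file when client.pem actually exists in the working directory; the fake predicate exists so the classification logic can be exercised on its own.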

Received on 2009-06-12