cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: issues with pre-login to pkcs11 slots when using NSS

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Fri, 10 Jul 2009 22:10:55 +0200

On Friday 10 of July 2009 20:48:58 Claes Jakobsson wrote:
> No, this should be a runtime option. The scenarios I've thought of are
> these
>
> 1) using CURLOPT_SSLCERT (+ optional CURLOPT_KEYPASSWD)
>
> Use SelectClientCert to do the stuff we do today except
> nss_Init_Tokens and pass along the password from CURLOPT_KEYPASSWD as
> PKCS11PinArg on the socket. If the cert by the given name can't be
> found or the password is wrong this will result in an error as it does
> today. This is what most users will use.
>
> 2) using CURLOPT_USE_NSS_CLIENTCERT_HOOK (+ optional CURLOPT_KEYPASSWD)
>
> Use NSS_GetClientAuthData and pass NULL as the argument to the hook
> which will result in NSS_GetClientAuthData to try to find the best
> matching cert. Pass along the password if it's set as the PKCS11PinArg
>
> 3) use CURLOPT_USE_NSS_CLIENTCERT_HOOK + CURLOPT_SSLCERT (+ optional
> CURLOPT_KEYPASSWD)
>
> Use NSS_GetClientAuthData but pass the cert name as argument to the
> hook so it basicly just does a PK11_FindCertByName as SelectClientCert
> but the user will automaticly get any NSS fixes if they update how
> things work. Also sets PKCS11PinArg if CURLOPT_KEYPASSWD is specified.
>
> This way we leave SelectClientCert hook untouched and it'll work like
> normal and we'll have a the possibility to use client certs where we
> don't know the name of the specific certificate as this is sometimes
> the case when using hardware tokens.
>
> HAVE_PK11_CREATEGENERICOBJECT would not be affected by this and would
> stay in as it does now.

Claes, could you please have a look at the attachment? It's a proposal only.
It'll definitely need a review (as Friday evening), but it works for me in all
three cases. Note that your original patch is included.

In the most common case (meaning PEM module not available) is always used
the NSS_GetClientAuthData() function. If you don't specify any nickname, NSS
tries to find the cert automagically. Any possible problems here?

If you have the PEM module loaded, you have all three choices. You can specify
either nickname, or a file name, or even nothing. In the last case the
certificate is found automagically as well.

It runs properly with my test suite. Could you try it with the HW token, etc.
and summarize what is missing/not working? Thanks in advance!

Kamil

Received on 2009-07-10