
curl-library

Re: issues with pre-login to pkcs11 slots when using NSS

From: Claes Jakobsson <claes_at_versed.se>
Date: Fri, 12 Jun 2009 15:49:37 +0200

Hi,

On Jun 12, 2009, at 3:37 PM, Rob Crittenden wrote:
> Hmm, interesting. We probably don't need to authenticate to every
> token. We already do some work to determine whether this is a file-
> based token (for the PEM PKCS#11 module) or an NSS token, so I guess
> we already know which one to authenticate.
>
> Since we know when we have an NSS token (because it isn't a file
> name) we can look at the nickname to see if it refers to a hardware
> token. We can do something like this if there was no key file (in
> cert_stuff):

I don't think it would be necessary to pre-login to any token at all
since that'll be done automagically via NSS and the handling PKCS#11
module. If we just import the PEM file to a cert and keep its name
around we should be fine.

<source chunk removed/>

> I wonder if nss_Init_Tokens() can be eliminated altogether. I
> suspect that the call to PK11_SetPasswordFunc(nss_get_password) will
> still be required somewhere.

It'll still be required since that is what is called by
PK11_FindCertByName with the PinArg set on the socket. I might have
been a bit unclear on that bit in my mail.

/Claes
Received on 2009-06-12