Half OT: PKCS#11+Mozilla


Half OT: PKCS#11+Mozilla

helpcrypto helpcrypto
Sorry for the little OT.

I would like to know if the OpenSC PKCS#11 module added to
Firefox/Thunderbird has the same "problem" I'm having with my PKCS#11
library.

It seems that Mozilla is invoking C_FindObjectsInit asking for objects
with CK_OBJECT_CLASS = 0xCE534351 or 0xCE534352 or 0xCE534353 or
0xCE534354 around 171 times.
This type is a mask for VENDOR_DEFINED ones, and seems to be related to NSS.

As far as I know, returning CKR_OK and 0 objects, or even better
CKR_ATTRIBUTE_TYPE_INVALID, should tell Mozilla "I DON'T HAVE ANY OF
THIS", and Mozilla "should" stop asking.
Instead of this, it asks again...again...and again until boredom
(maybe it's because I have 171 CAs in my keystore? No clue).

Mozilla/NSS people don't seem to know anything about this (or they
look the other way).
As I'm not an OpenSC user, and have no idea how to trace/log this
stuff, I ask the guys who may have been fighting against this.
Is this also happening to you? Do you implement those VENDOR_DEFINED
(undocumented?) types? Could you give me a hand?

Thanks a lot anyway.
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: Half OT: PKCS#11+Mozilla

Douglas E. Engert


On 8/25/2011 7:58 AM, helpcrypto helpcrypto wrote:

> Sorry for the little OT.
>
> I would like to know if the OpenSC PKCS#11 module added to
> Firefox/Thunderbird has the same "problem" I'm having with my PKCS#11
> library.
>
> It seems that Mozilla is invoking C_FindObjectsInit asking for objects
> with CK_OBJECT_CLASS = 0xCE534351 or 0xCE534352 or 0xCE534353 or
> 0xCE534354 around 171 times.
> This type is a mask for VENDOR_DEFINED ones, and seems to be related to NSS.

The OpenSC pkcs11/pkcs11-display.c has definitions for all these.
  #define CKO_NETSCAPE 0xCE534350

  #define CKO_NETSCAPE_CRL                (CKO_NETSCAPE + 1)
  #define CKO_NETSCAPE_SMIME              (CKO_NETSCAPE + 2)
  #define CKO_NETSCAPE_TRUST              (CKO_NETSCAPE + 3)
  #define CKO_NETSCAPE_BUILTIN_ROOT_LIST  (CKO_NETSCAPE + 4)

There are vendor attributes too.

> As far as I know, returning CKR_OK and 0 objects, or even better
> CKR_ATTRIBUTE_TYPE_INVALID, should tell Mozilla "I DON'T HAVE ANY OF
> THIS", and Mozilla "should" stop asking.
> Instead of this, it asks again...again...and again until boredom
> (maybe it's because I have 171 CAs in my keystore? No clue).

Looks like it is looking for a CRL.

When OpenSC PKCS#11 sees these, it returns 0 objects and CKR_OK.

Add to the environment something like this:

PKCS11SPY=/opt/smartcard/lib/your-pkcs11.so
PKCS11SPY_OUTPUT=/tmp/tb.spy.txt


>
> Mozilla/NSS people don't seem to know anything about this (or they
> look the other way).
> As I'm not an OpenSC user, and have no idea how to trace/log this
> stuff, I ask the guys who may have been fighting against this.

You can use the OpenSC pkcs11-spy.so with TB and your own PKCS#11 module.
Make the pkcs11-spy.so or pkcs11-spy.dll the security device.


> Is this also happening to you? Do you implement those VENDOR_DEFINED
> (undocumented?) types? Could you give me a hand?

When OpenSC PKCS#11 sees these, it returns 0 objects and CKR_OK.

>
> Thanks a lot anyway.

--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

Re: Half OT: PKCS#11+Mozilla

helpcrypto helpcrypto
2011/8/25 Douglas E. Engert <[hidden email]>:

>
> The OpenSC pkcs11/pkcs11-display.c has definitions for all these.
>  #define CKO_NETSCAPE 0xCE534350
>
>  #define CKO_NETSCAPE_CRL                (CKO_NETSCAPE + 1)
>  #define CKO_NETSCAPE_SMIME              (CKO_NETSCAPE + 2)
>  #define CKO_NETSCAPE_TRUST              (CKO_NETSCAPE + 3)
>  #define CKO_NETSCAPE_BUILTIN_ROOT_LIST  (CKO_NETSCAPE + 4)
>
> There are vendor attributes too.

These are the values I'm talking about... I guess it must be
documented somewhere what they are for.

>
> Looks like it is looking for a CRL.
>
> When OpenSC PKCS#11 sees these, it returns 0 objects and CKR_OK.

I don't know about OpenSC, but it doesn't matter if I return 0+CKR_OK or not.
It still asks many times.

>
> Add to the environment something like this:
>
> PKCS11SPY=/opt/smartcard/lib/your-pkcs11.so
> PKCS11SPY_OUTPUT=/tmp/tb.spy.txt
>
>
> You can use the OpenSC pkcs11-spy.so with TB and your own PKCS#11 module.
> Make the pkcs11-spy.so or pkcs11-spy.dll the security device.
>
>
>
> When OpenSC PKCS#11 sees these, it returns 0 objects and CKR_OK
>

Thanks a lot for your help.

Re: Half OT: PKCS#11+Mozilla

Douglas E. Engert


On 8/26/2011 2:46 AM, helpcrypto helpcrypto wrote:

> 2011/8/25 Douglas E. Engert<[hidden email]>:
>>
>> The OpenSC pkcs11/pkcs11-display.c has definitions for all these.
>>   #define CKO_NETSCAPE 0xCE534350
>>
>>   #define CKO_NETSCAPE_CRL                (CKO_NETSCAPE + 1)
>>   #define CKO_NETSCAPE_SMIME              (CKO_NETSCAPE + 2)
>>   #define CKO_NETSCAPE_TRUST              (CKO_NETSCAPE + 3)
>>   #define CKO_NETSCAPE_BUILTIN_ROOT_LIST  (CKO_NETSCAPE + 4)
>>
>> There are vendor attributes too.
>
> These are the values im talking about...i guess somewhere must be
> documented what they are for.

PKCS#11 allows for vendor defined objects and attributes and NSS implements
some soft tokens that can support storing of CA certs, with TRUST, and CRLs
and other objects or attributes needed by NSS.

You can find the documentation and source for NSS here:

http://www.mozilla.org/projects/security/pki/nss/

In Release 3.12 the names are changed from CKO_NETSCAPE_ to CKO_NSS_
with the same values:

http://www.mozilla.org/projects/security/pki/nss/nss-3.12/nss-3.12-release-notes.html

In the NSS CVS source these are defined in
  ./mozilla/security/nss/lib/util/pkcs11n.h


>
>>
>> Looks like it is looking for a CRL.
>>
>> When OpenSC PKCS#11 sees these, it returns 0 objects and CKR_OK.
>
> I don't know about OpenSC, but it doesn't matter if I return 0+CKR_OK or not.
> It still asks many times.

See this thread:
http://www.mail-archive.com/dev-tech-crypto@.../msg08609.html

One of the NSS developers says you can return CKR_INVALID_ATTRIBUTE
and it might stop asking.


>
>>
>> Add to the environment something like this:
>>
>> PKCS11SPY=/opt/smartcard/lib/your-pkcs11.so
>> PKCS11SPY_OUTPUT=/tmp/tb.spy.txt
>>
>>
>> You can use the OpenSC pkcs11-spy.so with TB and your own PKCS#11 module.
>> make the pkcs11-spy.so or pkcs11-spy.dll the security device.
>>
>>
>>
>> When OpenSC PKCS#11 sees these, it returns 0 objects and CKR_OK
>>
>
> Thanks a lot for your help.

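To make the two answers above concrete (OpenSC's "0 objects and CKR_OK" and the NSS developer's "refuse the search with an attribute error"), here is an added example in C. It is not OpenSC or NSS code and not the original poster's module: it is a C_FindObjectsInit-style handler that recognises the four CKO_NETSCAPE_* classes from pkcs11-display.c, counts how often each one is asked for (so a module can log the 171 repeats itself, even without pkcs11-spy), and selects between the two response policies. The typedefs and constants at the top are stand-ins for pkcs11.h with the public PKCS#11 values so the file builds on its own; the name `reject_vendor_classes`, the toy token's three certificates and the counters are this example's own assumptions. For the reject path it returns CKR_ATTRIBUTE_VALUE_INVALID, because what the module does not understand is the class value, not the CKA_CLASS attribute type; the thread names that code loosely as CKR_ATTRIBUTE_TYPE_INVALID / CKR_INVALID_ATTRIBUTE. Either way the template is length-checked before its value is read, so a short or NULL value cannot make the module read past the caller's buffer.

```c
#include <stdio.h>
#include <string.h>

/* Minimal stand-ins for the pkcs11.h types and constants this example uses.
 * The values are the public PKCS#11 ones; a real module includes pkcs11.h. */
typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_OBJECT_CLASS;
typedef CK_ULONG CK_ATTRIBUTE_TYPE;
typedef CK_ULONG CK_RV;
typedef struct {
    CK_ATTRIBUTE_TYPE type;
    void *pValue;
    CK_ULONG ulValueLen;
} CK_ATTRIBUTE;

#define CKA_CLASS                   0x00000000UL
#define CKO_CERTIFICATE             0x00000001UL
#define CKO_VENDOR_DEFINED          0x80000000UL
#define CKR_OK                      0x00000000UL
#define CKR_ATTRIBUTE_VALUE_INVALID 0x00000013UL

/* The NSS vendor-defined object classes quoted in the thread
 * (OpenSC pkcs11-display.c; CKO_NSS_* in NSS 3.12 with the same values). */
#define CKO_NETSCAPE                   0xCE534350UL
#define CKO_NETSCAPE_CRL               (CKO_NETSCAPE + 1)
#define CKO_NETSCAPE_SMIME             (CKO_NETSCAPE + 2)
#define CKO_NETSCAPE_TRUST             (CKO_NETSCAPE + 3)
#define CKO_NETSCAPE_BUILTIN_ROOT_LIST (CKO_NETSCAPE + 4)

/* Name a class value for a trace line: NSS class, other vendor class, or standard. */
const char *object_class_name(CK_OBJECT_CLASS cls)
{
    switch (cls) {
    case CKO_CERTIFICATE:                return "CKO_CERTIFICATE";
    case CKO_NETSCAPE_CRL:               return "CKO_NETSCAPE_CRL";
    case CKO_NETSCAPE_SMIME:             return "CKO_NETSCAPE_SMIME";
    case CKO_NETSCAPE_TRUST:             return "CKO_NETSCAPE_TRUST";
    case CKO_NETSCAPE_BUILTIN_ROOT_LIST: return "CKO_NETSCAPE_BUILTIN_ROOT_LIST";
    default:
        return (cls & CKO_VENDOR_DEFINED) ? "vendor-defined (unknown)" : "standard (other)";
    }
}

/* Counters (this example's own diagnostic, not part of PKCS#11): index 1..4 are
 * the four NSS classes, index 0 collects any other vendor-defined class. */
static unsigned long nss_query_count[5];

void reset_nss_query_counts(void) { memset(nss_query_count, 0, sizeof nss_query_count); }

unsigned long nss_query_count_for(CK_OBJECT_CLASS cls)
{
    if (cls >= CKO_NETSCAPE_CRL && cls <= CKO_NETSCAPE_BUILTIN_ROOT_LIST)
        return nss_query_count[cls - CKO_NETSCAPE];
    return nss_query_count[0];
}

/* Constructed token state: how many certificate objects the toy token holds. */
#define TOKEN_CERTIFICATE_COUNT 3UL

/* Process a search template as C_FindObjectsInit would. Policy (assumed name):
 *   reject_vendor_classes == 0  -> OpenSC behaviour: accept the search, 0 objects, CKR_OK
 *   reject_vendor_classes != 0  -> refuse the search with CKR_ATTRIBUTE_VALUE_INVALID
 * *matches receives how many objects the following C_FindObjects would yield. */
CK_RV find_objects_init(const CK_ATTRIBUTE *tmpl, CK_ULONG count,
                        int reject_vendor_classes, CK_ULONG *matches)
{
    *matches = TOKEN_CERTIFICATE_COUNT;   /* no CKA_CLASS filter: every object matches */
    for (CK_ULONG i = 0; i < count; i++) {
        CK_OBJECT_CLASS cls;
        if (tmpl[i].type != CKA_CLASS)
            continue;
        /* Validate the caller's length before touching the value. */
        if (tmpl[i].pValue == NULL || tmpl[i].ulValueLen != sizeof cls) {
            *matches = 0;
            return CKR_ATTRIBUTE_VALUE_INVALID;
        }
        memcpy(&cls, tmpl[i].pValue, sizeof cls);
        if (cls & CKO_VENDOR_DEFINED) {
            int idx = (cls >= CKO_NETSCAPE_CRL && cls <= CKO_NETSCAPE_BUILTIN_ROOT_LIST)
                      ? (int)(cls - CKO_NETSCAPE) : 0;
            nss_query_count[idx]++;
            *matches = 0;   /* this token stores none of these objects */
            return reject_vendor_classes ? CKR_ATTRIBUTE_VALUE_INVALID : CKR_OK;
        }
        *matches = (cls == CKO_CERTIFICATE) ? TOKEN_CERTIFICATE_COUNT : 0;
    }
    return CKR_OK;
}

int main(void)
{
    /* Constructed templates standing in for what the thread saw NSS send. */
    CK_OBJECT_CLASS crl = CKO_NETSCAPE_CRL, cert = CKO_CERTIFICATE;
    CK_ATTRIBUTE ask_crl  = { CKA_CLASS, &crl,  sizeof crl };
    CK_ATTRIBUTE ask_cert = { CKA_CLASS, &cert, sizeof cert };
    CK_ULONG n = 0;
    for (int i = 0; i < 171; i++)
        find_objects_init(&ask_crl, 1, 0, &n);
    printf("%s searched %lu times, %lu matches each time\n",
           object_class_name(crl), nss_query_count_for(crl), n);
    find_objects_init(&ask_cert, 1, 0, &n);
    printf("%s: %lu matches\n", object_class_name(cert), n);
    return 0;
}
```

Which policy to pick is the open question of the thread: the counters show that neither one changes how often the application asks, so the cheapest correct answer (empty result, CKR_OK, as OpenSC does) is the safe default, and the counter log is what you would send to the NSS people to show the repetition.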

Re: Half OT: PKCS#11+Mozilla

helpcrypto helpcrypto
I already saw those links and, as I told you earlier, it must be a
bad Mozilla/NSS implementation, because it asks again and again, no
matter if CKR_OK or CKR_INVALID_ATTRIBUTE.
Anyway, I'll argue these things with the Mozilla people. Thanks a lot
for your time and help. Much appreciated.


Re: Half OT: PKCS#11+Mozilla

Douglas E. Engert


On 8/29/2011 2:08 AM, helpcrypto helpcrypto wrote:
> I already saw those links and, as I told you earlier, it must be a
> bad Mozilla/NSS implementation, because it asks again and again, no
> matter if CKR_OK or CKR_INVALID_ATTRIBUTE.

They must not be caching the result. It should not be much overhead
to return CKR_INVALID_ATTRIBUTE.

There might even be some argument that a PKCS#11 module might
respond differently at some time in the future, and so this may not
be a bug.


> Anyway, I'll argue these things with the Mozilla people. Thanks a lot
> for your time and help. Much appreciated.