Security/CryptoEngineering/Platform Use of NSS: Difference between revisions

Security/CryptoEngineering/Platform Use of NSS (view source)

Revision as of 23:46, 23 January 2017

3,883 bytes added , 23 January 2017

→‎Loading New PKCS#11 Modules: add code snippet for how to implement this

Dkeeler

Confirmed users

299

edits

@@ Line 16: / Line 16: @@
 PK11SDR_Encrypt and PK11SDR_Decrypt have no equivalent functions that take a caller-provided slot. Either new functions will have to be added to NSS (e.g. as PK11SDR_EncryptOnSlot and PK11SDR_DecryptOnSlot) or they will have to be reimplemented in PSM. Luckily, these two functions do not call internal NSS APIs and can be easily duplicated in terms of functionality. Doing so might be desirable as it would enable a step towards towards using more modern cryptography to protect the information in the user's key database.
-==== Loading New PKCS#11 Modules ====
+==== Loading PKCS#11 Modules ====
-Currently when a new PKCS#11 module is loaded, its presence is persisted in the user's module database, meaning that it will automatically be loaded the next time the platform runs. When NSS is initialized in memory-only mode, this will not work. Consequently, we must come up with some way of persisting the PKCS#11 modules the user wants the platform to load when it starts. Upon PSM initialization, the known modules can be loaded for the duration of the session.
+Currently when a new PKCS#11 module is loaded, its presence is persisted in the user's module database, meaning that it will automatically be loaded the next time the platform runs. When NSS is initialized in memory-only mode, no such database is available and this will not automatically work as before. However, NSS has the ability to load a PKCS#11 module database (and the modules referenced therein) after it has already been initialized. Thus, when the user's profile is available, we merely have to load up the module database and everything should behave as before (NB: we need to check that adding new modules will also work as expected when NSS starts in read-only mode).
+The following code snippet is an example of how this could work (given that the module database is in the directory 'other'):
+    #include <stdio.h>
+    #include "nss.h"
+    #include "pk11pub.h"
+    #include "prerror.h"
+    #include "secerr.h"
+    #include "secmod.h"
+    void printPRError(const char* message) {
+      fprintf(stderr, "%s: %s\n", message, PR_ErrorToString(PR_GetError(), 0));
+    }
+    int main(int argc, char* argv[]) {
+      if (NSS_NoDB_Init(".") != SECSuccess) {
+        printPRError("NSS_NoDB_Init failed");
+        return 1;
+      }
+      // To load the PKCS#11 modules saved in another NSS secmod.db (in the
+      // directory 'other'):
+      char* moduleSpec = "name=\"NSS Internal Module\" parameters=\"configdir='other/' certPrefix='' keyPrefix='' secmod='secmod.db' flags=readOnly,optimizeSpace updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' \" NSS=\"flags=internal,moduleDB,moduleDBOnly,critical,defaultModDB,internalKeySlot\"";
+      SECMODModule* module = SECMOD_LoadModule(moduleSpec, NULL, 1);
+      if (!module) {
+        printPRError("SECMOD_LoadUserModule failed");
+        return 1;
+      }
+      SECMODModuleList* list = SECMOD_GetDefaultModuleList();
+      while (list) {
+        printf("%s\n", list->module->dllName);
+        list = list->next;
+      }
+      SECMOD_DestroyModule(module);
+      if (NSS_Shutdown() != SECSuccess) {
+        printPRError("NSS_Shutdown failed");
+        return 1;
+      }
+      return 0;
+    }
 ==== PKCS#11 XPCOM APIs ====

Security/CryptoEngineering/Platform Use of NSS: Difference between revisions

Security/CryptoEngineering/Platform Use of NSS (view source)

Revision as of 23:46, 23 January 2017

Navigation menu

Search