MozillaWiki

NSS: Difference between revisions

Page Discussion

NSS (view source)

Revision as of 22:42, 2 August 2005

2,834 bytes added ,  2 August 2005
→‎PKCS #11 Module Specs
Line 12: Line 12:
The following is a proposal to the PKCS #11 working group made in August 2001 for configuring PKCS #11 modules. NSS currently implements this proposal internally.
The following is a proposal to the PKCS #11 working group made in August 2001 for configuring PKCS #11 modules. NSS currently implements this proposal internally.


The file format consists of name/value pairs of the form =.  
The file format consists of name/value pairs of the form ''name''=''value''.  
Each name/value pair is separated by a blank value. A single line,  
Each name/value pair is separated by a blank value. A single line,  
terminated by a '\n', '\r\n', or '\r' represents a single pkcs #11 library.
terminated by a '\n', '\r\n', or '\r' represents a single pkcs #11 library.
Line 28: Line 28:
that case must be preserved in the values.
that case must be preserved in the values.


Recognized Names:
=== Recognized Names: ===


All applications/libraries must be able recognize the following name values:
All applications/libraries must be able recognize the following name values:


library - This specifies the path to the pkcs #11 library.
'''library''' - This specifies the path to the pkcs #11 library.
name - This specifies the name of the pkcs #11 library.
'''name''' - This specifies the name of the pkcs #11 library.
parameter - This specifies a pkcs #11 library parameter with the  
'''parameter''' - This specifies a pkcs #11 library parameter with the application must pass to the pkcs #11 library at C_Initialize() time (see below).
application must pass to the pkcs #11 library at C_Initialize() time  
(see below).


In additions applications/libraries should be able to ignore additional  
In additions applications/libraries should be able to ignore additional  
name value pairs which specify application specific parameters. Of  
name value pairs which are used to specify configuration for other applications.
course these application/libraries should be able to parse their own  
Of course these application/libraries should be able to parse their own  
name/value pairs.
name/value pairs.


Line 50: Line 48:


If the name is not specified, the application can use the library path  
If the name is not specified, the application can use the library path  
to describe the pkcs #11 library in any UI it may have.
to describe the PKCS #11 library in any UI it may have.


If the parameter is not specified, no parameters are passed to the PKCS  
If the parameter is not specified, no parameters are passed to the PKCS #11 module.
#11 module.


If the application/library does not find its application/library  
If the application/library does not find its application/library  
specific data, it should use it's defaults for this pkcs #11 library.
specific data, it should use it's defaults for this pkcs #11 library.


Parameter Passing:
=== Parameter Passing: ===


If the parameter is specified, the application/library will strip the  
If the parameter is specified, the application/library will strip the  
Line 66: Line 63:
A new CK_C_INITIALIZE_ARGS structure is defined as
A new CK_C_INITIALIZE_ARGS structure is defined as


<pre>
typedef struct CK_C_INITIALIZE_ARGS {
typedef struct CK_C_INITIALIZE_ARGS {
   CK_CREATEMUTEX CreateMutex;
   CK_CREATEMUTEX CreateMutex;
Line 75: Line 73:
   CK_VOID_PTR pReserved;
   CK_VOID_PTR pReserved;
} CK_C_INITIALIZE_ARGS;
} CK_C_INITIALIZE_ARGS;
</pre>


Applications/libraries must set LibraryParameters to NULL if no  
Applications/libraries must set LibraryParameters to NULL if no  
Line 81: Line 80:
LibraryParameters field is not NULL.
LibraryParameters field is not NULL.


----------------------------------------------------------------------------------
== NSS Specific Parameters in Module Specs ==


Here are the NSS Application specific parameters which I intend to use.  
Here are the NSS Application specific parameters in use.  
This is data that I currently store in secmod.db, or intend to store
This data is currently store in secmod.db. This isn't part of the  
there in the near future. This isn't part of the generic spec, but I
generic spec (that is other applications need not parse it, nor pkcs #11
include it to see if anyone thinks some of these valuse should be
modules need supply them.
promoted to the next level up. The only ones that seem to me to be
candidates would be cipherOrder, trustOrder, and perhaps some of the
slotParams


NSS="nss_params"
'''NSS'''="''nss_params''"
nss_params are themselves name/value pairs, parsed with the same rules  
''nss_params'' are themselves name/value pairs, parsed with the same rules described above. Valid names inside nss_params are:
described above. Valid names inside nss_params are:
'''flags''' - comma separated list of flag values, parsed case-insensitive.  
flags - comma separated list of flag values, parsed case-insensitive.  
Valid flag values are:
Valid flag values are:
     '''internal''' - this library is actually the Netscape internal library
     internal - this library is actually the Netscape internal library
     '''fips''' - this library is the Netscape internal fips library.
     fips - this library is the Netscape internal fips library.
     '''critical''' - if this library cannot be loaded, completely fail initialization
     moduleListSource - this library can be queried for lists of more
    '''moduleDB''' - this library includes NSS specific functions to supply additional module specs for loading.
PKCS #11 modules to load.
    '''moduleDBOnly''' - this library has no PKCS #11 functions and is only used for loading additional modules.
trustOrder - integer value specifying the order in which the trust  
'''trustOrder''' - integer value specifying the order in which the trust information for certificates specified by tokens on this pkcs #11 library should be rolled up. '0' means that tokens on this library should not supply trust information (default). The relative order of two pkcs#11 libraries which have the same trustOrder value is undefined.
information for certificates specified by tokens on this pkcs #11  
'''cipherOrder''' - integer value specifiying the order in which tokens are searched when looking for a token to do a generic operation (DES/Hashing, etc).
library should be rolled up (this option will make more sense once I
'''ciphers''' - comma separated list of ciphers this token will enable that isn't already enabled by the library (currently only '''FORTEZZA''' is defined) (case-insensitive)..
publish the other proposal I have promised). '0' means that tokens on  
'''slotParams''' - space separated list of name/value pairs where the name is a slotID and the value is a space sparated list of parameters related to that slotID.
this library should not supply trust information (default). The relative  
Valid slotParams values are:
order of two pkcs#11 libraries which have the same trustOrder value is  
    '''slotFlags''' - comma separated list of cipher groups which this slot is expected to be the default implementation for (case-insensitive).
undefined.
    Valid flags are:
cipherOrder - integer value specifiying the order in which tokens are  
        '''RSA''' - This token should be used for all RSA operations (other than Private key operations where the key lives in another token).
searched when looking for a token to do a generic operation  
        '''DSA''' - This token should be used for all DSA operations (other than Private key operations where the key lives in another token).
(DES/Hashing, etc).
        '''RC4''' - This token  should be used for all RC4 operations which are not constrained by an existing key in another token.
ciphers - comma separated list of ciphers this token will enable that  
        '''RC2''' - This token  should be used for all RC2 operations which are not constrained by an existing key in another token.
isn't already enabled by the library (currently only FORTEZZA is  
        '''DES''' - This token  should be used for all DES, DES2, and DES3 operations which are not constrained by an existing key in another token.
defined) (case-insensitive)..
        '''DH''' - This token should be used for all DH operations (other than Private key operations where the key lives in another token).
slotParams - space separated list of name/value pairs where the name is  
        '''FORTEZZA'''- This token should be used for all KEA operations (other than Private key operations where the key lives in another token), as well as SKIPJACK operations which are not constrained by an existing key in another token.
a slotID and the value is a space sparated list of parameters related to  
        '''RC5''' - This token  should be used for all RC5 operations which are not constrained by an existing key in another token.
that slotID.
        '''SHA1''' - - This token should be used for all basic SHA1 hashing.
        '''MD5''' - This token should be used for all basic MD5 hashing.
        '''MD2''' - This token should be used for all basic MD2 hashing.
        '''SSL''' - This token should be used for SSL key derivation which are not constrained by an existing key in another token.
        '''TLS''' - This token should be used for TLS key derivation which are not constrained by an existing key in another token.
        '''AES''' - This token  should be used for all AES operations which are not constrained by an existing key in another token.
        '''RANDOM''' - This token should be used to generate random numbers when the application call 'PK11_GenerateRandom'.
        '''PublicCerts''' - The certificates on this token can be read without authenticating to this token, and any user certs on this token have a patching public key which is also readable without authenticating.
     
    '''rootFlags''' - comma separated of flags describing any root certs that may be stored (case-insensitive).
    Valid flags are:
        '''hasRootCerts'''
        '''hasRootTrust'''
    '''timeout ''' - time in minutes before the current authentication should be rechecked.
    '''askpwd  ''' - case-insensitive flag describing how password prompts should be manages:
        every
    r




Sample file:
Sample file:
 
<pre>
library= name="Netscape Internal Crypto Module" parameters="configdir=/u/relyea/.netscape certprefix=secmod=secmod.db" NSS="Flags=internal,pkcs11module TrustOrder=1 CipherOrder=-1 ciphers= slotParams={0x1=[slotFlags='RSA,DSA,DH,RC4,RC2,DES,MD2,MD5,SHA1,SSL,TLS,PublicCerts,Random'] 0x2=[slotFlags='RSA' timeout=50 askpw=only]}"
library= name="Netscape Internal Crypto Module"   parameters="configdir=/u/relyea/.netscape certprefix= secmod=secmod.db" NSS="Flags=internal,pkcs11module TrustOrder=1 CipherOrder=-1 ciphers= slotParams={0x1=[slotFlags='RSA,DSA,DH,RC4,RC2,DES,MD2,MD5,SHA1,SSL,TLS,PublicCerts,Random'] 0x2=[slotFlags='RSA' timeout=50 askpw=only]}"
library=dkck32.dll name="DataKey SignaSURE 3600" NSS="TrustOrder=50 ciphers= "  
library=dkck32.dll name="DataKey SignaSURE 3600" NSS="TrustOrder=50 ciphers= "  
library=swft32.dll name="Netscape Software Fortezza" parameters="keyfile=/u/relyea/keyfile" NSS="TrustOrder=50 ciphers=FORTEZZA slotParams=0x1=[slotFlags='FORTEZZA']"
library=swft32.dll name="Netscape Software Fortezza" parameters="keyfile=/u/relyea/keyfile" NSS="TrustOrder=50 ciphers=FORTEZZA slotParams=0x1=[slotFlags='FORTEZZA']"
library=core32.dll name="Litronic Netsign"
library=core32.dll name="Litronic Netsign"
</pre>




Relyea
439

edits

Retrieved from "https://wiki.allizom.org/Special:MobileDiff/10739"