Confirmed users
299
edits
Security/CryptoEngineering/Platform Use of NSS: Difference between revisions
Security/CryptoEngineering/Platform Use of NSS (view source)
Revision as of 18:05, 2 December 2016
, 2 December 2016→The NSS Certificate Nickname API: update to note that this has been resolved
(add FIPS section) |
(→The NSS Certificate Nickname API: update to note that this has been resolved) |
||
| Line 16: | Line 16: | ||
PK11SDR_Encrypt and PK11SDR_Decrypt have no equivalent functions that take a caller-provided slot. Either new functions will have to be added to NSS (e.g. as PK11SDR_EncryptOnSlot and PK11SDR_DecryptOnSlot) or they will have to be reimplemented in PSM. Luckily, these two functions do not call internal NSS APIs and can be easily duplicated in terms of functionality. Doing so might be desirable as it would enable a step towards towards using more modern cryptography to protect the information in the user's key database. | PK11SDR_Encrypt and PK11SDR_Decrypt have no equivalent functions that take a caller-provided slot. Either new functions will have to be added to NSS (e.g. as PK11SDR_EncryptOnSlot and PK11SDR_DecryptOnSlot) or they will have to be reimplemented in PSM. Luckily, these two functions do not call internal NSS APIs and can be easily duplicated in terms of functionality. Doing so might be desirable as it would enable a step towards towards using more modern cryptography to protect the information in the user's key database. | ||
==== The NSS Certificate Nickname API ==== | ==== The NSS Certificate Nickname API (Resolved) ==== | ||
NSS exposes APIs whereby certificates can be referred to by nickname. Certificates on tokens other than that returned by PK11_GetInternalKeySlot prefix their nickname with the name of the token. Because platform code now must operate on a token that isn't the internal one, this behavior must be worked around by special-casing unprefixed nicknames when using these and related APIs. | NSS exposes APIs whereby certificates can be referred to by nickname. Certificates on tokens other than that returned by PK11_GetInternalKeySlot prefix their nickname with the name of the token. Because platform code now must operate on a token that isn't the internal one, this behavior must be worked around by special-casing unprefixed nicknames when using these and related APIs. | ||
Alternatively, we could remove and/or rework XPCOM interfaces that expose the NSS nickname API and replace them with an equivalent mechanism that doesn't have this and other drawbacks (see the discussion in [https://bugzilla.mozilla.org/show_bug.cgi?id=857627 bug 857627]). | Alternatively, we could remove and/or rework XPCOM interfaces that expose the NSS nickname API and replace them with an equivalent mechanism that doesn't have this and other drawbacks (see the discussion in [https://bugzilla.mozilla.org/show_bug.cgi?id=857627 bug 857627]). | ||
Update: As of the landing of bug 857627, this shouldn't be an issue any longer. | |||
==== Loading New PKCS#11 Modules ==== | ==== Loading New PKCS#11 Modules ==== | ||