Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
NSS modutil: Adding a PKCS#11 module with a PIN and storing PIN in nssdb
861 views
Skip to first unread message
Mike Gerow
Nov 7, 2014, 1:57:49 PM11/7/14
to mozilla-de...@lists.mozilla.org
I'm trying to add opencryptoki's PKCS#11 module to Chrome/Firefox's nssdb. I'm able to add it, and it seems to work as expected:
$ modutil -dbdir sql:$HOME/.pki/nssdb -list
Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
slots: 2 slots attached
status: loaded
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
2. TPM
library name: /usr/lib/x86_64-linux-gnu/opencryptoki/libopencryptoki.so.0
slots: 1 slot attached
status: loaded
slot: OpenCryptoki Software Backend
token: IBM OS PKCS#11
-----------------------------------------------------------
The only issue is that the first time the application tries to use the module it asks me for a PIN. I'm more interested in using a PKCS#11 token for privilege separation than anything so I have this PIN set to an easy/insecure value. Is there some way I can store the PIN in the nssdb so that I can avoid having the browser ask the user for it?
$ modutil -dbdir sql:$HOME/.pki/nssdb -list
Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
slots: 2 slots attached
status: loaded
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
2. TPM
library name: /usr/lib/x86_64-linux-gnu/opencryptoki/libopencryptoki.so.0
slots: 1 slot attached
status: loaded
slot: OpenCryptoki Software Backend
token: IBM OS PKCS#11
-----------------------------------------------------------
The only issue is that the first time the application tries to use the module it asks me for a PIN. I'm more interested in using a PKCS#11 token for privilege separation than anything so I have this PIN set to an easy/insecure value. Is there some way I can store the PIN in the nssdb so that I can avoid having the browser ask the user for it?
Anders Rundgren
Nov 12, 2014, 2:50:16 PM11/12/14
to mozilla-de...@lists.mozilla.org
-- Anders
Hubert Kario
Nov 13, 2014, 7:20:13 AM11/13/14
to dev-se...@lists.mozilla.org, mozilla-de...@lists.mozilla.org, Anders Rundgren
On Saturday 08 November 2014 22:51:49 Anders Rundgren wrote:
> On Friday, November 7, 2014 7:57:49 PM UTC+1, Mike Gerow wrote:
> On Friday, November 7, 2014 7:57:49 PM UTC+1, Mike Gerow wrote:
> Mozilla's key architecture was essentially created 1995 (by Netscape).
> Improving it would be a waste of time and resources, it must be rebuilt
> from scratch
Linux kernel was created even earlier, and yet you can run applications from
> Improving it would be a waste of time and resources, it must be rebuilt
> from scratch
that era on current kernel.
You can rewrite the software without starting from scratch.
--
Regards,
Hubert Kario
Hubert Kario
Nov 13, 2014, 7:20:16 AM11/13/14
to dev-se...@lists.mozilla.org, mozilla-de...@lists.mozilla.org, Anders Rundgren
On Saturday 08 November 2014 22:51:49 Anders Rundgren wrote:
> On Friday, November 7, 2014 7:57:49 PM UTC+1, Mike Gerow wrote:
> On Friday, November 7, 2014 7:57:49 PM UTC+1, Mike Gerow wrote:
ianG
Nov 13, 2014, 7:49:03 AM11/13/14
to dev-se...@lists.mozilla.org
On 13/11/2014 12:19 pm, Hubert Kario wrote:
> On Saturday 08 November 2014 22:51:49 Anders Rundgren wrote:
>> On Friday, November 7, 2014 7:57:49 PM UTC+1, Mike Gerow wrote:
>>> The only issue is that ...
> On Saturday 08 November 2014 22:51:49 Anders Rundgren wrote:
>> On Friday, November 7, 2014 7:57:49 PM UTC+1, Mike Gerow wrote:
>> Mozilla's key architecture was essentially created 1995 (by Netscape).
>> Improving it would be a waste of time and resources, it must be rebuilt
>> from scratch
>
> Linux kernel was created even earlier, and yet you can run applications from
> that era on current kernel.
Indeed. That's because the Linux kernel was a copy of another system
>> Improving it would be a waste of time and resources, it must be rebuilt
>> from scratch
>
> Linux kernel was created even earlier, and yet you can run applications from
> that era on current kernel.
called (variously) Unix that had to that point about 20 years track
record in establishing a good pattern and establishing a demand industry
of people who actually wanted to use it to solve their problems.
No such with this key architecture. It was written in those times
according to a commercially inspired (i.e. property rights driven) model
that had zero track record in the wild.
And, the model turned out to be wrong. Yes you could build it, but it
solved the wrong problems in the wrong ways. By the time you strip away
the disproven assumptions, you're left with an empty shell full of
invested parties who keep saying, next year will be the year of the
thingummybob, whatever it is labelled today. TEE? Echo is a serious
issue in the secure token field.
> You can rewrite the software without starting from scratch.
is. OP's question was "how to store the PIN in the device" which is
reasonable from an app developers pov, but is totally /verboten/ from
the security model's pov. Change that and the dam breaks.
Sadly, at some stage, the dam will crack of its own accord and Mozilla
will have to figure out how to rebuild it.
iang
Anders Rundgren
Nov 13, 2014, 10:11:49 AM11/13/14
to mozilla-de...@lists.mozilla.org
http://webpki.org/papers/key-access.pdf
This is BTW outside of PKCS #11 as well. PKCS #11 was designed in another time and for another purpose.
I'm mainly thinking about Firefox OS; the PC seems to be a thing for Microsoft.
Anders
0 new messages