Access Mozilla NSS (shared) Database / PKCS#11 Modules via OpenSSL?

Access Mozilla NSS (shared) Database / PKCS#11 Modules via OpenSSL?

Matthias Ballreich

Hi there,

How can I access the Mozilla NSS (shared) Database (cert8 or cert9d.db) / PKCS#11-Modules via OpenSSL?

I need read & write access to the NSS User Cert Database (softokn3) and to the Built-In Cert Database (nssckbi) under Windows.

I tried it with Libp11 this way:

        int rc = 0;
        PKCS11_CTX *pkcs11_ctx;
        pkcs11_ctx = PKCS11_CTX_new();
        PKCS11_CTX_init_args(pkcs11_ctx,
                             "configdir=''C:/Users/Username/AppData/Roaming/Mozilla/Firefox/Profiles/5wzkdcjx.default' certPrefix='' keyPrefix='' secmod='secmod.db'");
        rc = PKCS11_CTX_load(pkcs11_ctx, " C:/Program Files (x86)/Mozilla/Firefox/softokn3.dll ");
        printf("Desc: %s\n", pkcs11_ctx->description);
        if (rc)
                printf("Error loading Module");

But it returns “-1” every time, which tells me that the loading fails. So is this the right way? Or should I use another library? Or is my code not right?

And can I edit the Trust Settings with that or another library like with NSS directly? Because I can’t delete the built-in certs of nssckbi, because this is read-only, I can edit the Trust-Settings for that certificate. Can I do that with OpenSSL in combination with a library, too? Or should I better use NSS instead of OpenSSL?

Thanks.



--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: Access Mozilla NSS (shared) Database / PKCS#11 Modules via OpenSSL?

Jan Just Keijser-2
Hi,

On 08/11/16 17:33, Matthias Ballreich wrote:

> Hi there,
>
> How can I access the Mozilla NSS (shared) Database (cert8 or cert9d.db) / PKCS#11-Modules via OpenSSL?
>
> I need read & write access to the NSS User Cert Database (softokn3) and to the Built-In Cert Database (nssckbi) under Windows.
>
> I tried it with Libp11 this way:
>
>         int rc = 0;
>         PKCS11_CTX *pkcs11_ctx;
>         pkcs11_ctx = PKCS11_CTX_new();
>         PKCS11_CTX_init_args(pkcs11_ctx,
>                              "configdir=''C:/Users/Username/AppData/Roaming/Mozilla/Firefox/Profiles/5wzkdcjx.default' certPrefix='' keyPrefix='' secmod='secmod.db'");
>         rc = PKCS11_CTX_load(pkcs11_ctx, " C:/Program Files (x86)/Mozilla/Firefox/softokn3.dll ");
>         printf("Desc: %s\n", pkcs11_ctx->description);
>         if (rc)
>                 printf("Error loading Module");
>
> But it returns “-1” every time, which tells me that the loading fails. So is this the right way? Or should I use another library? Or is my code not right?
>
> And can I edit the Trust Settings with that or another library like with NSS directly? Because I can’t delete the built-in certs of nssckbi, because this is read-only, I can edit the Trust-Settings for that certificate. Can I do that with OpenSSL in combination with a library, too? Or should I better use NSS instead of OpenSSL?


This is slightly off-topic for this mailing list, but I'd try using p11-kit to access the NSS device; the problem with the softokn3 pseudo-pkcs11 device is/was that it did not follow the PKCS11 standard completely - this made the softokn3 device unusable for tools like libp11 and opensc; however, there are links on the web stating that p11-kit does not know how to read a nssdb file, e.g.
  https://wiki.gnome.org/Projects/CryptoGlue/Integration#NSS_libsoftokn3

and p11-kit has been ported to both mingw and cygwin.

HTH,

JJK
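
A pre-flight check for the init string passed to PKCS11_CTX_init_args in the question, as an added example that is not part of the original thread and is not libp11 or NSS code. It reads the string with a simplified key='value' parser (an assumption, not NSS's own parser; `param_value`, `POSTED` and `FIXED` are hypothetical names) and shows that the doubled quote after `configdir=` leaves `configdir` empty under that reading.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed inputs: POSTED is the question's init string, FIXED drops the doubled quote. */
static const char POSTED[] = "configdir=''C:/Users/Username/AppData/Roaming/Mozilla/Firefox/Profiles/5wzkdcjx.default' certPrefix='' keyPrefix='' secmod='secmod.db'";
static const char FIXED[] = "configdir='C:/Users/Username/AppData/Roaming/Mozilla/Firefox/Profiles/5wzkdcjx.default' certPrefix='' keyPrefix='' secmod='secmod.db'";

/* Simplified key='value' reader (assumption, not NSS's parser). Returns 0 and
 * fills out, -1 if key is absent, -2 on an unterminated quote or small buffer. */
int param_value(const char *params, const char *key, char *out, size_t outlen)
{
    const char *p = params;
    while (*p) {
        while (isspace((unsigned char)*p)) p++;
        const char *name = p;
        while (*p && *p != '=' && !isspace((unsigned char)*p)) p++;
        size_t nlen = (size_t)(p - name);
        if (*p != '=') continue;          /* token without '=': skip it */
        const char *val = ++p, *end;
        if (*p == '\'') {                 /* quoted: runs to the next quote */
            val = ++p;
            if (!(end = strchr(p, '\''))) return -2;
            p = end + 1;
        } else {                          /* bare: runs to whitespace */
            while (*p && !isspace((unsigned char)*p)) p++;
            end = p;
        }
        if (nlen == strlen(key) && strncmp(name, key, nlen) == 0) {
            size_t vlen = (size_t)(end - val);
            if (vlen >= outlen) return -2;
            memcpy(out, val, vlen);
            out[vlen] = '\0';
            return 0;
        }
    }
    return -1;
}

int main(void)
{
    char dir[260];
    printf("posted rc=%d dir=\"%s\"\n", param_value(POSTED, "configdir", dir, sizeof dir), dir);
    printf("fixed  rc=%d dir=\"%s\"\n", param_value(FIXED, "configdir", dir, sizeof dir), dir);
    return 0;
}
```

Running the same check on the string before it reaches the module separates quoting mistakes from failures inside the PKCS#11 module itself.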

