IAIK PKCS#11 Wrapper with NSS


cryptonewbie
Hello

Since I'm a newbie to cryptography, please pardon my ignorance here.

I have been desperately trying to find an answer to the issue we are facing.

Setup:

We have 2 Java processes, each using the IAIK PKCS#11 Wrapper (iaik.pkcs.pkcs11)
to talk to a single shared NSS token (softokn3.dll).

Each of these Java processes is an HTTP Jetty server which creates an
iaik.pkcs.pkcs11.Session and logs in (at the time the Jetty server starts):

session = token.openSession(Token.SessionType.SERIAL_SESSION,
        Token.SessionReadWriteBehavior.RW_SESSION, null, null);
session.login(Session.UserType.USER, XXXX); // XXXX: user PIN as char[]

When the Jetty servers are shut down, the respective iaik.pkcs.pkcs11.Sessions are
closed.

Problem:

We were expecting that when a Java process (Jetty server) updates the token
objects

Example: Java process 1 adds a secret key ->

Mechanism keyGenerationMechanism = Mechanism.get(PKCS11Constants.CKM_AES_KEY_GEN);
AESSecretKey aesKeyTemplate = new AESSecretKey();
aesKeyTemplate.getToken().setBooleanValue(true); // CKA_TOKEN=true: persistent token object
aesKeyTemplate.getValueLen().setLongValue(32L);  // CKA_VALUE_LEN is required by CKM_AES_KEY_GEN
AESSecretKey aesKeyNew = (AESSecretKey) session.generateKey(keyGenerationMechanism, aesKeyTemplate);


the other Java/Jetty server (process 2) would be able to find and retrieve the
newly added key that was added by Java process 1 through its own session.

Example:

AESSecretKey keyTemplate = new AESSecretKey();
keyTemplate.getToken().setBooleanValue(true); // search only persistent token objects
session.findObjectsInit(keyTemplate);
Object[] found = session.findObjects(1);      // iaik.pkcs.pkcs11.objects.Object[]
session.findObjectsFinal();


Unfortunately, that doesn't seem to be the case. I had to restart the 2nd
Jetty server, and only then was it able to find the key that was added by
the 1st Java/Jetty process.

Shouldn't the underlying token/device be modified by the 1st Java/Jetty
process? If so, wouldn't those created token objects be visible throughout
all sessions from all other processes/applications?

We tried this scenario on a SafeNet HSM instead of NSS and, as expected, the
sessions of the respective Java processes do get updated. In our opinion, it seems
like there's something in NSS that we probably need to work with to get
this to work.


Please do correct me if I'm thinking wrong. I would truly appreciate the help.

Thanks..

Usha
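The following is an added, self-contained version of the two-process check described in the post; it is not code from the post or from the IAIK project. Run it once with `generate` in one process and then with `find` in a second process that is already running against the same module, so that the second process issues a fresh `findObjectsInit`/`findObjects` search in its own session rather than relying on anything cached from startup. Assumptions: the PKCS#11 module path and user PIN are passed on the command line, and the label `xproc-test-key` is a constructed value used only to make the search unambiguous.

```java
import iaik.pkcs.pkcs11.Mechanism;
import iaik.pkcs.pkcs11.Module;
import iaik.pkcs.pkcs11.Session;
import iaik.pkcs.pkcs11.Slot;
import iaik.pkcs.pkcs11.Token;
import iaik.pkcs.pkcs11.TokenException;
import iaik.pkcs.pkcs11.objects.AESSecretKey;
import iaik.pkcs.pkcs11.objects.Object; // IAIK's PKCS#11 object class, shadows java.lang.Object on purpose
import iaik.pkcs.pkcs11.wrapper.PKCS11Constants;

/**
 * Added example (not from the mailing-list post): checks whether a persistent
 * token object created by one process is visible to a search from another.
 *
 * Process 1:  java TokenObjectVisibility generate <module-path> <user-pin>
 * Process 2:  java TokenObjectVisibility find     <module-path> <user-pin>
 *
 * The module path (e.g. softokn3.dll) and the PIN are assumed inputs; the label
 * below is a constructed value.
 */
public class TokenObjectVisibility {

    private static final String LABEL = "xproc-test-key"; // constructed label

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: TokenObjectVisibility <generate|find> <pkcs11-module-path> <user-pin>");
            System.exit(2);
        }
        String mode = args[0];
        Module module = Module.getInstance(args[1]); // assumed: path to the PKCS#11 library
        module.initialize(null);
        try {
            Slot[] slots = module.getSlotList(Module.SlotRequirement.TOKEN_PRESENT);
            if (slots.length == 0) {
                throw new TokenException("no token present in any slot");
            }
            Token token = slots[0].getToken();
            Session session = token.openSession(Token.SessionType.SERIAL_SESSION,
                    Token.SessionReadWriteBehavior.RW_SESSION, null, null);
            try {
                session.login(Session.UserType.USER, args[2].toCharArray());
                if ("generate".equals(mode)) {
                    generateTokenKey(session);
                    System.out.println("generated persistent AES key with label " + LABEL);
                } else {
                    int n = countKeysWithLabel(session);
                    System.out.println("objects with label " + LABEL + " visible here: " + n);
                }
                session.logout();
            } finally {
                session.closeSession();
            }
        } finally {
            module.finalize(null);
        }
    }

    /** Generates a persistent (CKA_TOKEN=true) AES-256 key carrying the test label. */
    static AESSecretKey generateTokenKey(Session session) throws TokenException {
        Mechanism mech = Mechanism.get(PKCS11Constants.CKM_AES_KEY_GEN);
        AESSecretKey template = new AESSecretKey();
        template.getToken().setBooleanValue(true);               // persist on the token, not in the session
        template.getLabel().setCharArrayValue(LABEL.toCharArray());
        template.getValueLen().setLongValue(32L);                // CKM_AES_KEY_GEN requires CKA_VALUE_LEN
        return (AESSecretKey) session.generateKey(mech, template);
    }

    /** Issues a fresh search in this session for token objects with the test label. */
    static int countKeysWithLabel(Session session) throws TokenException {
        AESSecretKey template = new AESSecretKey();
        template.getToken().setBooleanValue(true);
        template.getLabel().setCharArrayValue(LABEL.toCharArray());
        session.findObjectsInit(template);
        try {
            int total = 0;
            Object[] batch;
            while ((batch = session.findObjects(16)).length > 0) {
                total += batch.length;
            }
            return total;
        } finally {
            session.findObjectsFinal(); // always terminate the search, even on error
        }
    }
}
```

If `find` reports 0 in the already-running second process but reports 1 after that process is restarted, the behaviour matches what the post describes: the object exists on the token, but the second process's loaded module instance is not seeing it until it is re-initialized. Comparing the same run against a different module, as the post does with the SafeNet HSM, isolates whether the effect belongs to the wrapper usage or to the specific token implementation.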
_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security