IAIK PKCS#11 Wrapper with NSS


cryptonewbie
Hello,

Since I'm a newbie to cryptography, please do pardon my ignorance here.

I have been desperately trying to find an answer to the issue we are facing.

Setup:

We have 2 Java processes, each using the IAIK PKCS#11 Wrapper (iaik.pkcs.pkcs11) to talk to a single shared NSS token (softokn3.dll).

Each of these Java processes is an HTTP Jetty server which creates an iaik.pkcs.pkcs11.Session and logs in (at the time the Jetty server starts):

session = token.openSession(Token.SessionType.SERIAL_SESSION,
                    Token.SessionReadWriteBehavior.RW_SESSION, null, null);
session.login(Session.UserType.USER, XXXX);

When the Jetty servers are shut down, the respective iaik.pkcs.pkcs11.Sessions are closed.

Problem:

We were expecting that when a Java process (Jetty server) updates the token objects

Example: Java process 1 adds Secret key ->

// CKM_AES_KEY_GEN needs the key length (CKA_VALUE_LEN) in the template
Mechanism keyGenerationMechanism = Mechanism.get(PKCS11Constants.CKM_AES_KEY_GEN);
AESSecretKey aesKeyTemplate = new AESSecretKey();
aesKeyTemplate.getToken().setBooleanValue(Boolean.TRUE);   // CKA_TOKEN=true: persistent token object
aesKeyTemplate.getValueLen().setLongValue(Long.valueOf(32));
AESSecretKey aesKeyNew = (AESSecretKey) session.generateKey(keyGenerationMechanism, aesKeyTemplate);


The other Java/Jetty server process 2 would be able to find and retrieve the newly added key that was added by Java process 1 through its session

Example:

// search template: any persistent (CKA_TOKEN=true) AES secret key
AESSecretKey keyTemplate = new AESSecretKey();
keyTemplate.getToken().setBooleanValue(Boolean.TRUE);
session.findObjectsInit(keyTemplate);
iaik.pkcs.pkcs11.objects.Object[] found = session.findObjects(1);   // empty array if nothing matches
session.findObjectsFinal();


Unfortunately, that doesn't seem to be the case. I had to restart the 2nd Jetty server, and then it was able to find the key that was added by the 1st Java/Jetty process.

Wasn't the underlying token/device getting modified by the 1st Java/Jetty process? If so, wouldn't those created token objects be visible throughout all sessions from all other processes/applications?

We tried this scenario on a SafeNet HSM instead of NSS and, as expected, the sessions of the respective Java processes do get updated. In our opinion, it seems like there's something in NSS that we probably need to work with to get this to work.

Please do correct me if I'm thinking wrong. Would truly appreciate help.

Thanks..
Usha

_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security
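The two-process check described in the post, written out as a complete added example (it is not the poster's code and has not been run against their setup). It uses the IAIK wrapper API as I know it: one invocation ("create") generates a labelled, sensitive, non-extractable AES token key; a second invocation in another process searches for that label with a full findObjectsInit / findObjects / findObjectsFinal cycle, then closes and reopens the session and searches once more, which separates a stale per-session view from a stale per-process one. The module path comes from the post; the PIN and key label are placeholders.

```java
import iaik.pkcs.pkcs11.Mechanism;
import iaik.pkcs.pkcs11.Module;
import iaik.pkcs.pkcs11.Session;
import iaik.pkcs.pkcs11.Slot;
import iaik.pkcs.pkcs11.Token;
import iaik.pkcs.pkcs11.TokenException;
import iaik.pkcs.pkcs11.objects.AESSecretKey;
import iaik.pkcs.pkcs11.wrapper.PKCS11Constants;

/** Added example: cross-process visibility check for a PKCS#11 token key. */
public class SharedTokenKeyCheck {

    static final String MODULE_PATH = "softokn3.dll";             // library named in the post
    static final char[] USER_PIN = "REPLACE_ME".toCharArray();    // placeholder PIN
    static final String KEY_LABEL = "shared-aes-key";             // constructed label

    /** Open a R/W serial session on the first present token and log in as the user. */
    static Session openUserSession(Module module) throws TokenException {
        Slot[] slots = module.getSlotList(Module.SlotRequirement.TOKEN_PRESENT);
        if (slots.length == 0) {
            throw new IllegalStateException("no token present");
        }
        Token token = slots[0].getToken();
        Session session = token.openSession(Token.SessionType.SERIAL_SESSION,
                Token.SessionReadWriteBehavior.RW_SESSION, null, null);
        session.login(Session.UserType.USER, USER_PIN);
        return session;
    }

    /** Process 1: generate a persistent (CKA_TOKEN=true) AES-256 key that cannot be exported. */
    static AESSecretKey generateTokenKey(Session session) throws TokenException {
        AESSecretKey template = new AESSecretKey();
        template.getToken().setBooleanValue(Boolean.TRUE);
        template.getLabel().setCharArrayValue(KEY_LABEL.toCharArray());
        template.getValueLen().setLongValue(Long.valueOf(32));
        template.getSensitive().setBooleanValue(Boolean.TRUE);      // CKA_SENSITIVE
        template.getExtractable().setBooleanValue(Boolean.FALSE);   // CKA_EXTRACTABLE=false
        Mechanism keyGen = Mechanism.get(PKCS11Constants.CKM_AES_KEY_GEN);
        return (AESSecretKey) session.generateKey(keyGen, template);
    }

    /**
     * Process 2: count token keys carrying the label. Each call is a complete
     * find cycle, so the answer reflects what the token reports right now
     * rather than a handle cached earlier by this code.
     */
    static int countTokenKeysWithLabel(Session session) throws TokenException {
        AESSecretKey template = new AESSecretKey();
        template.getToken().setBooleanValue(Boolean.TRUE);
        template.getLabel().setCharArrayValue(KEY_LABEL.toCharArray());
        session.findObjectsInit(template);
        try {
            int count = 0;
            iaik.pkcs.pkcs11.objects.Object[] batch;
            while ((batch = session.findObjects(16)).length > 0) {
                count += batch.length;
            }
            return count;
        } finally {
            session.findObjectsFinal();   // always release the find operation
        }
    }

    public static void main(String[] args) throws Exception {
        boolean create = args.length > 0 && args[0].equals("create");
        Module module = Module.getInstance(MODULE_PATH);
        module.initialize(null);
        Session session = openUserSession(module);
        try {
            if (create) {
                generateTokenKey(session);
                System.out.println("created token key " + KEY_LABEL);
            } else {
                System.out.println("keys labelled " + KEY_LABEL + ": "
                        + countTokenKeysWithLabel(session));
                // Reopen the session and search again. If the count changes only now,
                // the stale view was bound to the session; if it still lags behind the
                // other process, the view is held at process (library) level.
                session.closeSession();
                session = openUserSession(module);
                System.out.println("after reopening the session: "
                        + countTokenKeysWithLabel(session));
            }
        } finally {
            session.closeSession();
            module.finalize(null);
        }
    }
}
```

Run `java SharedTokenKeyCheck create` in one JVM, then `java SharedTokenKeyCheck` in a second JVM while the first is still running. Comparing the two counts printed by the second JVM narrows down where the stale view lives before looking at the token library itself.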