debug PKCS11

Alexei Mayanov
Hello! I'm developing a PKCS11 library for my device. It works well with
different apps, but with Firefox I can't log in with a client certificate on
the test site. Firefox doesn't present me with the list of certificates on the
device. I made a log of the calls to the PKCS11 API functions from my library
and can't determine the reason for the problem. Is it possible to enable some
debug info in the NSS library that Firefox uses?

Best regards,
Alex
--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
Fwd: debug PKCS11

Alexei Mayanov
Hello! I'm developing a PKCS11 library for my device. This library is based
on pkcs11-proxy (https://github.com/SUNET/pkcs11-proxy). It works well with
different apps, but with Firefox I can't log in with a client certificate on
the test site. Firefox doesn't present me with the list of certificates on the
device. I made a log of the calls to the PKCS11 API functions from my library
and can't determine the reason for the problem. And I don't know what is
happening inside NSS that causes the problems. Is it possible to enable some
debug info in the NSS library that Firefox uses? Thanks in advance!

Best regards,
Alex
Re: Fwd: debug PKCS11

Robert Relyea
On 11/18/2016 12:49 AM, Alexei Mayanov wrote:
> Hello! I'm developing a PKCS11 library for my device. This library is based
> on pkcs11-proxy (https://github.com/SUNET/pkcs11-proxy). It works well with
> different apps, but with Firefox I can't log in with a client certificate on
> the test site. Firefox doesn't present me with the list of certificates on the
> device. I made a log of the calls to the PKCS11 API functions from my library
> and can't determine the reason for the problem. And I don't know what is
> happening inside NSS that causes the problems. Is it possible to enable some
> debug info in the NSS library that Firefox uses? Thanks in advance!
Hmm,
Have you installed the PKCS #11 module in Firefox?

    If not, go to the advanced preferences (about:preferences#advanced),
    click the 'Security Devices' button, then click the 'Load' button.

If so, does it show up in the Security Devices dialog
(about:preferences#advanced)?

    If not, it means NSS couldn't load your PKCS #11 module. Usually the
    dlopen failed for some reason, though it could be that NSS opened the
    module but had some issues initializing it. If you are getting into
    your C_GetFunctionList() function, then the dlopen worked fine. NSS
    will then call C_Initialize(), and then the normal C_GetSlots, etc.

If so, does it show that the device is present?

    If your module is loaded, it should show the slots in the Security
    Devices dialog (if not, your module did not give NSS any slots). You
    can click on the slots to see the status of each slot. If there is a
    card plugged in, the status should be 'present'. If not, the status
    should be 'not present'. If NSS had an error initializing the slot,
    it should show a status of 'disabled'. The latter means that NSS
    couldn't get everything it needs for the slot to be useful (like
    being able to create a session). Errors here are usually problems
    with session management in the token.

If so, do you get a password prompt for your device if you bring up the
cert dialog?

    If not (and your token is present), it means that you probably
    didn't mark your token as requiring a password properly, or you told
    NSS you were already logged in (again, session management). NOTE:
    this may be OK if you don't require a password to find the keys on
    your token. For most tokens, though, this will cause a problem.

If password handling is OK, do you see any certs from your token in the
cert dialog?

    Be sure to check all the tabs (particularly 'Your Certificates' and
    'Others'). If no certificates are showing up, then there is probably
    something wrong with your C_FindObject* functions. If the
    certificates are showing up under 'Others' and not 'Your
    Certificates', then there is probably something wrong with your link
    of certificates to keys, or your ability to match private keys.
    Certificates which have keys associated with them should have a
    CKA_ID attribute which matches the CKA_ID of the private key
    associated with the certificate. NSS will look up the CKA_ID from the
    cert and then search for a private key with that same CKA_ID. If it
    finds that key, it will mark it as a 'user' certificate. Only 'user'
    certificates show up in 'Your Certificates', and only 'Your
    Certificates' are used in SSL client auth operations.

If all this is working, you probably aren't dealing with an issue with
your module, but a configuration issue with the server and Firefox.
>
> Best regards,
> Alex
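The checklist in the reply above can be driven from outside Firefox, which makes it much easier to see where a module breaks: load the module, list slots, check token presence, log in, enumerate certificates and private keys, then apply the same CKA_ID rule NSS uses to decide which certificates are 'user' certificates. The script below is an added example for this thread, not code from NSS, Firefox or pkcs11-proxy. It assumes the PyKCS11 wrapper is installed (`pip install PyKCS11`), that the module path and, optionally, the user PIN are passed on the command line, and that an empty CKA_ID is treated as "cannot match" (NSS may have further fallbacks; the matching function only replicates the CKA_ID rule described in the reply). The `match_certs_to_keys` function works on constructed data, so the matching logic can be checked without a token.

```python
"""Walk a PKCS#11 module the way NSS does when deciding which certificates
count as 'user' certificates ('Your Certificates' in Firefox).

Added example for this mailing-list thread; it is not NSS, Firefox or
pkcs11-proxy code. Assumes PyKCS11 (pip install PyKCS11) and a module
path / PIN supplied by the caller.
"""
import sys


def match_certs_to_keys(certs, keys):
    """Replicate the rule from the reply: a certificate is a 'user' cert only
    if a private key on the same token carries an identical CKA_ID.

    certs, keys: lists of (label, cka_id_bytes).
    Returns (user_cert_labels, orphan_cert_labels, unmatched_key_labels,
    warnings). An empty CKA_ID is treated here as unmatchable (assumption)."""
    key_ids = {}
    for label, cka_id in keys:
        key_ids.setdefault(cka_id, []).append(label)

    user, orphans, warnings = [], [], []
    for label, cka_id in certs:
        if not cka_id:
            warnings.append(f"cert {label!r}: empty CKA_ID, cannot match a key")
            orphans.append(label)
        elif cka_id in key_ids:
            user.append(label)          # would appear under 'Your Certificates'
        else:
            orphans.append(label)       # would appear under 'Others' at best

    matched_ids = {cid for _, cid in certs if cid}
    unmatched_keys = [label for label, cid in keys if cid not in matched_ids]
    return user, orphans, unmatched_keys, warnings


def walk_token(module_path, pin=None):
    """Run the checklist against a real module and return the result of
    match_certs_to_keys for the first token that is present."""
    import PyKCS11  # assumed installed; imported lazily so the matcher is testable offline

    lib = PyKCS11.PyKCS11Lib()
    lib.load(module_path)            # dlopen + C_GetFunctionList + C_Initialize
    slots = lib.getSlotList(tokenPresent=False)   # what 'Security Devices' lists
    if not slots:
        raise RuntimeError("module returned no slots (C_GetSlotList)")

    for slot in slots:
        sinfo = lib.getSlotInfo(slot)
        present = bool(sinfo.flags & PyKCS11.CKF_TOKEN_PRESENT)
        print(f"slot {slot}: {sinfo.slotDescription.strip()!r} present={present}")
        if not present:
            continue

        tinfo = lib.getTokenInfo(slot)
        needs_login = bool(tinfo.flags & PyKCS11.CKF_LOGIN_REQUIRED)
        # A slot NSS shows as 'disabled' usually fails at this step.
        session = lib.openSession(slot, PyKCS11.CKF_SERIAL_SESSION)
        print(f"  session opened; token requires login: {needs_login}")
        if needs_login and pin is not None:
            session.login(pin)       # the point where Firefox would prompt for the password

        def objects(cls):
            out = []
            for obj in session.findObjects([(PyKCS11.CKA_CLASS, cls)]):
                label, cka_id = session.getAttributeValue(
                    obj, [PyKCS11.CKA_LABEL, PyKCS11.CKA_ID])
                out.append((str(label or obj), bytes(cka_id or b"")))
            return out

        certs = objects(PyKCS11.CKO_CERTIFICATE)
        keys = objects(PyKCS11.CKO_PRIVATE_KEY)
        print(f"  certificates: {len(certs)}  private keys: {len(keys)}")
        if keys == [] and needs_login and pin is None:
            print("  no private keys visible: private objects need a login, rerun with PIN")

        result = match_certs_to_keys(certs, keys)
        user, orphans, unmatched, warnings = result
        print(f"  user certs (client auth candidates): {user}")
        print(f"  certs without matching key: {orphans}")
        print(f"  keys without matching cert: {unmatched}")
        for w in warnings:
            print(f"  warning: {w}")
        session.logout() if (needs_login and pin is not None) else None
        session.closeSession()
        return result

    raise RuntimeError("no slot reports a token present (CKF_TOKEN_PRESENT)")


if __name__ == "__main__":
    walk_token(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None)
```

Run it as `python walk_token.py /path/to/module.so [PIN]`. If it stops at loading, the module itself is at fault; if it lists certificates but `user certs` is empty while `keys without matching cert` is not, the CKA_ID values on the certificate and key objects disagree, which is exactly the 'Others' versus 'Your Certificates' symptom described in the reply.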