RFE: tools add --module-init arg for non-standard NSS softokn configDir #3049

Closed
space88man opened this issue Feb 26, 2024 · 5 comments

space88man commented Feb 26, 2024

Problem Description

NSS softokn requires a non-standard argument: in C_Initialize CK_C_INITIALIZE_ARGS it wants
the pReserved field to point to a configuration string like "configDir=<token_dir> ...".

https://github.com/servo/nss/blob/master/lib/softoken/sftkpars.c#L48

pkcs11-tool is using NULL for the pReserved field

Proposed Resolution

pkcs11-tool: add a command line arg --module-init <string> that will be used in C_Initialize

Steps to reproduce

    pkcs11-tool --module /usr/lib64/libsoftokn3.so -T  # ooops no way to pass configDir=

Additional Notes

pkcs11-provider (https://github.com/latchset/pkcs11-provider) uses NSS softokn in integration tests; in order to do so it had to add the capability to pass configDir= ... to C_Initialize.

https://github.com/latchset/pkcs11-provider/blob/main/docs/provider-pkcs11.7.md

> Non-standard initialization arguments some pkcs11 driver may need. Generally not used, but some software tokens like NSS's softokn require this.

https://github.com/latchset/pkcs11-provider/blob/main/src/interface.c#L309:

    CK_C_INITIALIZE_ARGS args = { 0 };
    CK_RV ret;
    ...

    args.flags = CKF_OS_LOCKING_OK;
    args.pReserved = (void *)mctx->init_args;
    ...

@frankmorgner
Member

This would not be standard compliant with 3.0, which means it would be an exception purely for the NSS module:

> pReserved reserved for future use. Should be NULL_PTR for this version of Cryptoki

@Jakuje
Member

Jakuje commented Feb 27, 2024

Recent NSS softokn fortunately also supports the environment variable NSS_LIB_PARAMS, which can be used instead of the C_Initialize arguments:

nss-dev/nss@c0bbdc4

Unfortunately, this is not documented much other than in the code, but if you need some help setting this up, please let me know:

https://github.com/nss-dev/nss/blob/master/lib/softoken/pkcs11.c#L3344

I think it should be in versions since NSS 3.95.

@space88man
Author

> https://github.com/nss-dev/nss/blob/master/lib/softoken/pkcs11.c#L3344
>
> I think it should be in versions since NSS 3.95.

Thank you! That works for me on Fedora 39.

@Jakuje
Member

Jakuje commented Feb 27, 2024

Would be great to document it somewhere. Every time I have to search for the code when somebody asks. If you have some code or test scripts you can share, or use in OpenSC tests or elsewhere, it would be great to have it at least as a code example ...

@space88man
Author

space88man commented Mar 3, 2024

> Would be great to document it somewhere. Every time I have to search for the code when somebody asks. If you have some code or test scripts you can share, or use in OpenSC tests or elsewhere, it would be great to have it at least as a code example ...

Works via p11-kit: pkcs11-tool -> p11-kit -> nss-softokn as p11-kit supports

    module: /usr/lib64/libsoftokn3.so
    x-init-reserved: configDir='some/path/to/tokens'

The x-init-reserved is mentioned as support for softoken.
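
Added example (not part of the thread and not OpenSC, NSS or p11-kit code): the two routes discussed above, NSS_LIB_PARAMS and a p11-kit module file with x-init-reserved, as shell helpers. The default `SOFTOKN` path, the function names and the `env`/`p11kit` arguments are assumptions, as is that NSS_LIB_PARAMS takes the same string that pReserved would carry.

```shell
#!/bin/sh
# Added example. SOFTOKN path and the dispatcher arguments are assumptions.
SOFTOKN=${SOFTOKN:-/usr/lib64/libsoftokn3.so}

# Build the softokn parameter string (the text pReserved would point to).
# $1 = token directory (the NSS database directory).
softokn_params() {
    nl='
'
    case $1 in
        ''|*"'"*|*'\'*|*"$nl"*)
            # Quotes, backslashes and newlines would change how the string
            # (or the p11-kit file it is written into) is parsed.
            echo "unsupported token directory: $1" >&2
            return 1 ;;
    esac
    printf "configDir='%s'" "$1"
}

# Route 1: NSS_LIB_PARAMS, used by softokn in place of C_Initialize
# arguments (NSS 3.95 or later according to the thread).
list_tokens_env() {
    params=$(softokn_params "$1") || return 1
    NSS_LIB_PARAMS=$params pkcs11-tool --module "$SOFTOKN" -T
}

# Route 2: a p11-kit module file; p11-kit hands x-init-reserved to the
# module as pReserved. $1 = token directory, $2 = module file to write.
write_p11kit_module() {
    params=$(softokn_params "$1") || return 1
    printf 'module: %s\nx-init-reserved: %s\n' "$SOFTOKN" "$params" > "$2"
}

# Optional command-line use: "env <dir>" or "p11kit <dir> <file>".
case ${1:-} in
    env)    list_tokens_env "$2" ;;
    p11kit) write_p11kit_module "$2" "$3" ;;
esac
```

For the second route the written file goes into p11-kit's module configuration directory, and pkcs11-tool is then pointed at p11-kit instead of libsoftokn3.so, giving the pkcs11-tool -> p11-kit -> nss-softokn chain described above.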
