Mozilla Certificates through PKCS#11

Posted: 08/31/2009 15:14:51
by Santiago Castaño (Standard support level)
Joined: 04/16/2006
Posts: 155


Before saying anything, this post is related to:

I always wanted to get access to Thunderbird or Firefox (Mozilla NSS) certificates, but as most of the customers feel comfortable with CryptoAPI + PKCS#11 + PKCS#12, I'm not in a hurry.

But I've got some code from a Java applet that can access NSS certificates. They're stored in the softokn3.dll library, which is in the directory where the Thunderbird or Firefox executable is located.

Here's the code:
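// needs: import java.io.ByteArrayInputStream;
// SunPKCS11 configuration for NSS, built as an in-memory stream
ByteArrayInputStream bais = new ByteArrayInputStream(("name = NSS\n" +
               "library = " + _pkcs11file + "\n" +
               "attributes= compatibility" + "\n" +
               "slot=2\n" +
               "nssArgs=\"" +
               "configdir='" + _currentprofile + "' " +
               "certPrefix='' " +
               "keyPrefix='' " +
               "secmod=' secmod.db' " +
               // the posted snippet is cut off after secmod; the string is only closed here so it compiles
               "\"\n").getBytes());
      _pk11provider = new sun.security.pkcs11.SunPKCS11(bais);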

I don't know much about Java security, only basic things, but it's opening a PKCS#11 module with arguments such as compatibility mode or readonly.

I've tried, of course, to load softokn3.dll into the PKCS#11 example, and it throws error j=7=CKR_ARGUMENTS_BAD in:
    j := TPKCS11InitializeFunc(aModule.FuncArray[PKCS11_Initialize])(@aModule.FInitArgs) and $FFFF;

I think that the only thing missing then should be to change this line:

aModule.FInitArgs.pReserved := nil;

to maybe a pointer to a memory stream that holds similar information to what Java passes? Of course I'm not sure of anything, but I see SBB is near to accessing NSS certificates through PKCS#11 and maybe it can light up some ideas.

I don't personally need it in the near future, but it may be valuable information when the to-do list of SBB is less full. As I say, this is only a post to see what you think...

Posted: 08/31/2009 15:57:48
by Ken Ivanov (Team)

Yes, the library (softokn3.dll) seems to be a valid PKCS11 DLL, however, it rejects the standard-compliant initialization call (as you can see, SBB tries to initialize the library in three different ways, but none of them succeeds). The PKCS11 specification does not declare any value for the pReserved parameter, requiring it to be set to NULL.

We will take a deeper look at this driver and get back to you once we dig something out.
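
An added example, not code from this thread or from SecureBlackbox: NSS's softoken takes its database parameters from a string passed in the slot of CK_C_INITIALIZE_ARGS that the standard reserves as pReserved, which is the information the Java nssArgs line in the first post supplies. The C code below builds that string and the NSS-layout argument block; `nss_build_params`, `nss_initialize` and the stand-in `fake_softoken_init` are hypothetical names, `flags=readOnly` and the sample path are assumptions, and the real C_Initialize pointer would come from the module's C_GetFunctionList.

```c
#include <stdio.h>
#include <string.h>
typedef unsigned long CK_RV, CK_FLAGS;
#define CKR_OK            0x00UL
#define CKR_ARGUMENTS_BAD 0x07UL
#define CKF_OS_LOCKING_OK 0x02UL

/* NSS layout of CK_C_INITIALIZE_ARGS: the slot the standard calls pReserved
   holds the parameter string and an extra pReserved (NULL) follows it.
   Windows Cryptoki headers pack structures to 1 byte; not reproduced here. */
typedef struct {
    void *CreateMutex, *DestroyMutex, *LockMutex, *UnlockMutex;
    CK_FLAGS flags;
    char *LibraryParameters;
    void *pReserved;
} nss_init_args;
typedef CK_RV (*ck_initialize_fn)(void *);

/* Build the parameter string for one profile directory (hypothetical helper).
   Returns 0, or -1 if the path contains a quote or the buffer is too small. */
int nss_build_params(const char *profile, char *out, size_t cap) {
    if (profile == NULL || strpbrk(profile, "'\"") != NULL) return -1;
    int n = snprintf(out, cap, "configdir='%s' certPrefix='' keyPrefix='' "
                               "secmod='secmod.db' flags=readOnly", profile);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* Call the module's C_Initialize with the NSS-style argument block. */
CK_RV nss_initialize(ck_initialize_fn c_initialize, const char *profile) {
    char params[1024];
    nss_init_args args = {0};
    if (nss_build_params(profile, params, sizeof params) != 0) return CKR_ARGUMENTS_BAD;
    args.flags = CKF_OS_LOCKING_OK;
    args.LibraryParameters = params;
    return c_initialize(&args);
}

/* Constructed stand-in for the module so this runs offline: it models only
   "no parameter string -> CKR_ARGUMENTS_BAD", the error seen in the thread. */
CK_RV fake_softoken_init(void *p) {
    nss_init_args *a = p;
    return (a && a->LibraryParameters) ? CKR_OK : CKR_ARGUMENTS_BAD;
}

int main(void) {
    nss_init_args plain = {0};        /* standard-style call: no parameters */
    printf("plain: %lu\n", fake_softoken_init(&plain));
    printf("nss:   %lu\n", nss_initialize(fake_softoken_init, "/tmp/profile")); /* constructed path */
    return 0;
}
```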

Posted: 10/30/2009 02:35:57
by Wolfgang Denz (Standard support level)
Joined: 09/24/2008
Posts: 19

Did you find something out yet?
I would need the possibility to access (import/export) certificates in the Mozilla database as well, to free the user from the quite complicated process of importing certificates manually.

Posted: 10/30/2009 02:47:54
by Eugene Mayevski (Team)

No, we didn't, but I've added a task to the ToDo list.

Sincerely yours
Eugene Mayevski

Posted: 06/09/2013 08:14:02
by Roland Kossow (Standard support level)
Joined: 05/16/2013
Posts: 29

I also get a BadArgument exception when trying to use SecureBlackbox VCL with another PKCS11 DLL (aloaha_pkcs11.dll version ).
The manager is unable to refresh objects because TPKCS11FindObjectsInitFunc returns 7.
Loading of the dll works however.
What possibility to solve the issue do I have?

Best regards

Posted: 06/09/2013 08:16:42
by Eugene Mayevski (Team)

Roland, your question is not related to Mozilla storages. I'll move it to helpdesk now and you are welcome to post your DLL to HelpDesk for checking.

Sincerely yours
Eugene Mayevski



