GSoC Report#1 – Mini PKCS#11 module

A week has passed since the coding period started, so what has been done? Actually, I started coding earlier, as I'll be attending classes until the end of June.

Dummy module

The first thing to do was to build a minimal do-nothing PKCS#11 module loadable by NSS.

That was pretty easy: I got the headers defining the API from RSA Labs, version v2.20 as it's the current one, and implemented a lot of dummy functions plus a few real ones returning information about the module and the available slots and tokens. The PKCS#11 standard requires you to implement every function, even those your module is not going to support. So you'll see functions like this:

CK_RV C_SeedRandom (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed,
	CK_ULONG ulSeedLen)

All you have to do is return CKR_FUNCTION_NOT_SUPPORTED.

The one and only certificate

Next, the effort went into embedding a hard-coded certificate into this minimal module and making NSS list it.
The intent was to learn how applications request certificates. The module is still very simple: implementing the functions for searching objects and getting attributes was enough.

During module initialization I instantiate my certificate. When a search query comes in and the searched attributes match my certificate's attributes, a handle to the certificate object is returned. (It may be worth posting about PKCS#11-related stuff, like how these objects, attributes and handles work.)

NSS also requests a list of the mechanisms implemented by the module. The proposed module does not need to implement any cryptographic mechanism; it will only care about object queries and responding to them. After loading the module with modutil, we can use certutil to ask for certificates; both are NSS tools.
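As an added illustration (not the module's own code), here is how the object-search and attribute-lookup core of such a module behaves against a single hard-coded certificate. The typedefs and constants are stand-ins for the pkcs11.h definitions, the label is a constructed value, and find_objects/get_attribute_value are hypothetical helpers that C_FindObjects and C_GetAttributeValue would call.

```c
#include <string.h>

/* Stand-ins for the few pkcs11.h definitions used here; the real module includes
 * the RSA Labs v2.20 header instead of redefining them. */
typedef unsigned long CK_ULONG, CK_RV, CK_ATTRIBUTE_TYPE, CK_OBJECT_HANDLE;
typedef struct { CK_ATTRIBUTE_TYPE type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
enum { CKR_OK = 0x00, CKR_ATTRIBUTE_TYPE_INVALID = 0x12, CKR_OBJECT_HANDLE_INVALID = 0x82, CKR_BUFFER_TOO_SMALL = 0x150 };
enum { CKA_CLASS = 0x00, CKA_LABEL = 0x03, CKO_CERTIFICATE = 0x01 };
#define CK_UNAVAILABLE_INFORMATION (~0UL)
#define CERT_HANDLE 1UL /* 0 is CK_INVALID_HANDLE, so the lone object gets handle 1 */
/* The single hard-coded object; the label is a constructed sample value. */
static CK_ULONG cert_class = CKO_CERTIFICATE;
static char cert_label[] = "GSoC dummy cert";
static CK_ATTRIBUTE cert_attrs[] = {
    { CKA_CLASS, &cert_class, sizeof cert_class },
    { CKA_LABEL, cert_label, sizeof cert_label - 1 }, /* PKCS#11 strings carry no NUL */
};
#define N_CERT_ATTRS (sizeof cert_attrs / sizeof cert_attrs[0])
static const CK_ATTRIBUTE *cert_attr(CK_ATTRIBUTE_TYPE type) {
    for (CK_ULONG i = 0; i < N_CERT_ATTRS; i++)
        if (cert_attrs[i].type == type) return &cert_attrs[i];
    return NULL;
}
/* Core of C_FindObjectsInit/C_FindObjects: the certificate matches only if every template
 * attribute is present with identical length and bytes; returns the handle count (0 or 1). */
CK_ULONG find_objects(const CK_ATTRIBUTE *tmpl, CK_ULONG n, CK_OBJECT_HANDLE *phObject) {
    for (CK_ULONG i = 0; i < n; i++) {
        const CK_ATTRIBUTE *a = cert_attr(tmpl[i].type);
        if (!a || !tmpl[i].pValue || a->ulValueLen != tmpl[i].ulValueLen ||
            memcmp(a->pValue, tmpl[i].pValue, a->ulValueLen) != 0) return 0;
    }
    *phObject = CERT_HANDLE;
    return 1;
}
/* C_GetAttributeValue rules: NULL pValue asks for the size; a short buffer gives CKR_BUFFER_TOO_SMALL
 * and an unknown type CKR_ATTRIBUTE_TYPE_INVALID, each marking ulValueLen unavailable while the
 * remaining attributes are still filled in. */
CK_RV get_attribute_value(CK_OBJECT_HANDLE h, CK_ATTRIBUTE *tmpl, CK_ULONG n) {
    CK_RV rv = CKR_OK;
    if (h != CERT_HANDLE) return CKR_OBJECT_HANDLE_INVALID;
    for (CK_ULONG i = 0; i < n; i++) {
        const CK_ATTRIBUTE *a = cert_attr(tmpl[i].type);
        if (!a) { tmpl[i].ulValueLen = CK_UNAVAILABLE_INFORMATION; rv = CKR_ATTRIBUTE_TYPE_INVALID; }
        else if (!tmpl[i].pValue) tmpl[i].ulValueLen = a->ulValueLen;
        else if (tmpl[i].ulValueLen < a->ulValueLen) { tmpl[i].ulValueLen = CK_UNAVAILABLE_INFORMATION; rv = CKR_BUFFER_TOO_SMALL; }
        else { memcpy(tmpl[i].pValue, a->pValue, a->ulValueLen); tmpl[i].ulValueLen = a->ulValueLen; }
    }
    return rv;
}
```

A certutil-style query for "all certificates" arrives as a template with just CKA_CLASS = CKO_CERTIFICATE, which is why matching on a subset of the object's attributes is enough to get it listed.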

Oddly, commanding certutil to look for our certificate yields nothing, but when asking certutil to search specifically in our module, it does find it.
I believe it is related to an NSS flag/mechanism called FRIENDLY, which indicates whether a module allows retrieving some public information without the need to log in. It looks like only NSS uses such a flag/mechanism, as both Evolution and Firefox were capable of listing the hard-coded certificate.

Hard coded certificate listed

What comes next

I realized that I did not publish the proposed schedule anywhere (it is here now).
I'm a little bit ahead of schedule, but that was the intent, as my exams are still to come and I'll have to slow down a bit; June is going to be a rough month.

I believe now is the time to study how I'm going to get a certificate into the Evolution address book, along with some minor improvements to the module, like using autotools.


Source code can be found here.

