
curl-library

Fwd: issues with pre-login to pkcs11 slots when using NSS

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Thu, 11 Jun 2009 23:42:06 +0200

Hi Rob,

could you please have a look at this issue? Do we need to log in to all pkcs11
slots before setting up the connection at all? Thanks in advance!

Kamil

---------- Forwarded Message ----------

Subject: issues with pre-login to pkcs11 slots when using NSS
Date: Thursday 11 of June 2009
From: Claes Jakobsson <claes_at_versed.se>
To: curl-library_at_cool.haxx.se

Hi,

I spent some time trying to figure out why my client cert wasn't
working with curl using NSS while it worked for other stuff using NSS.

The issue boiled down to the fact that curl tries to log in to all pkcs11 slots
before actually setting up the connection. Normally PK11_Authenticate
just returns SECSuccess when using NSS's built-in modules for certs, but in
this case another certificate slot in the PKCS11 module I use returned
SECFailure, which aborted the whole initialization and thus my
connection.

The code in question from lib/nss.c is:
     /* attempt to log in to the current slot with the configured password */
     ret = PK11_Authenticate(slot, PR_TRUE,
                             conn->data->set.str[STRING_KEY_PASSWD]);
     if(SECSuccess != ret) {
       if(PR_GetError() == SEC_ERROR_BAD_PASSWORD)
         infof(conn->data, "The password for token '%s' is incorrect\n",
               PK11_GetTokenName(slot));
       /* any slot failing to authenticate aborts the whole loop */
       status = SECFailure;
       break;
     }
However, just ignoring the return code might not be what we want. Is there
a reason why a login to all slots is performed upfront, instead of
relying on the pin arg that we pass to PK11_FindCertFromNickname (but
never set using SSL_SetPKCS11PinArg), so that PK11_FindCertFromNickname
can do the login to the token itself?
Cheers,
Claes

-------------------------------------------------------
Received on 2009-06-11