diff options
Diffstat (limited to 'doc/rst/legacy/pkcs11/faq/index.rst')
| -rw-r--r-- | doc/rst/legacy/pkcs11/faq/index.rst | 390 |
1 files changed, 390 insertions, 0 deletions
diff --git a/doc/rst/legacy/pkcs11/faq/index.rst b/doc/rst/legacy/pkcs11/faq/index.rst new file mode 100644 index 000000000..81fe12473 --- /dev/null +++ b/doc/rst/legacy/pkcs11/faq/index.rst @@ -0,0 +1,390 @@ +.. _mozilla_projects_nss_pkcs11_faq: + +PKCS11 FAQ +========== + +.. _pkcs11_faq: + +`PKCS11 FAQ <#pkcs11_faq>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. rubric:: QUESTIONS AND ANSWERS + :name: questions_and_answers + + .. rubric:: GENERAL QUESTIONS + :name: general_questions + + .. rubric:: After plugging in an external PKCS #11 module, how do you use the certificate + available on the token? Does the certificate need to be imported into NSS's internal + certificate database? If so, is there a way to get the certificate from an external token into + NSS's internal certificate database? + :name: after_plugging_in_an_external_pkcs_.2311_module.2c_how_do_you_use_the_certificate_available_on_the_token.3f_does_the_certificate_need_to_be_imported_into_nss.27s_internal_certificate_database.3f_if_so.2c_is_there_a_way_to_get_the_certificate_from_an_external_token_into_nss.27s_internal_certificate_database.3f + + NSS searches all the installed PKCS #11 modules when looking for certificates. Once you've + installed the module, the module's certificates simply appear in the list of certificates + displayed in the Certificate window. + + .. rubric:: What version of PKCS #11 does NSS support? + :name: what_version_of_pkcs_.2311_does_nss_support.3f + + NSS requires at least PKCS #11 version 2.0, but can support some features of later versions of + NSS, including NSS 2.20. NSS does not use all the features of later versions of PKCS #11. + + .. rubric:: What are the expectations in terms of session manipulation? Will NSS potentially open + more than one session at a time? Read-only sessions, read/write sessions, serial, parallel? + :name: what_are_the_expectations_in_terms_of_session_manipulation.3f_will_nss_potentially_open_more_than_one_session_at_a_time.3f_read-only_sessions.2c_read.2fwrite_sessions.2c_serial.2c_parallel.3f + + NSS typically holds one session read-only session per slot, in which some of the non-multipart + functions are handled. Multipart functions, such as bulk encryption, hashing, and mac functions + (for example, C_Digest and C_Sign) and those that require overlapped operation (C_Unwrap, + C_Decrypt) are handled by creating new sessions. If no new sessions are available, the one + read-only session is used, and the state is saved and restored after each multipart operation. + + NSS never uses Parallel mode. + + NSS opens new read/write sessions for key generation, some password management, and storage of + new certificates. + + If your token is read/write and has only one session, NSS will open that one initial session + read/write. + + .. rubric:: What permanent PKCS #11 objects are used by NSS or read from the token? Example: RSA + private key, CA certificate, user's own certificate, user's name. + :name: what_permanent_pkcs_.2311_objects_are_used_by_nss_or_read_from_the_token.3f_example:_rsa_private_key.2c_ca_certificate.2c_user.27s_own_certificate.2c_user.27s_name. + + Private keys (RSA and DSA) and the corresponding certificates are read from the token. Other + certificates on the token are also loaded (to allow building certificate chains), but it's not + necessary to include the full chain, as long as the full chain is available in the regular + certificate database. For the sake of completeness, it's also a good idea to expose public key + objects. NSS falls back to looking for the existance of public keys to determine if the token may + have the corresponding private key while the token is not logged in. + + .. rubric:: How are permanent PKCS #11 objects found by NSS? That is, which PKCS #11 attributes + are used in the object searches? Labels? Key IDs? Key types? + :name: how_are_permanent_pkcs_.2311_objects_found_by_nss.3f_that_is.2c_which_pkcs_.2311_attributes_are_used_in_the_object_searches.3f_labels.3f_key_ids.3f_key_types.3f + + These are the general guidelines: + + - User certificates are identified by their labels. + - Certificates and keys are often looked up by the following methods: + + - By looking up all private keys. + - By looking up all certificates. + - Certificates may be looked up by label. By convention, all certificates making up a single + personality should have the same label (that is, a pair of certificates, one for signing + and one for key exchange, should have the same label). + - S/MIME-capable certificates are also looked up by issuer/serial number. + - Certificates may be looked up by their DER value. + - Certificates may also be looked up by subject. More than one certificate can match, but + each certificate with the same subject should be part of the same personality. + - NSS may enumerate all the permanment certificates in a token (CKA_TOKEN set to true). + - Private keys must have the same CKA_ID value as their corresponding certificate, and this + value must be unique on the token. + - Orphaned keys have a CKA_ID generated from some part of the public key. This value is set + when the key is generated, so that NSS will be able to find the key when the certificate + for that key is loaded. This case is interesting only for read/write tokens. + + .. rubric:: What labels does NSS use to identify certificates? + :name: what_labels_does_nss_use_to_identify_certificates.3f + + NSS can use the CKA_LABEL attribute to identify user certificates (see previous question) and + presents this label to the user. Therefore, each user certificate must have some label associated + with it. The label for a token certificate is presented to the user as follows:*token label* + **:**\ *certificate label* . This implies that each\ *token label* should be unique and + meaningful to the user, and that each\ *certificate label* should be unique to the token. + + NSS gets the value of the CKA_LABEL attribute from the token. Labels should not have any trailing + blank characters. + + .. rubric:: Will NSS use the random number generation features of PKCS #11? + :name: will_nss_use_the_random_number_generation_features_of__pkcs_.2311.3f + + Only if you identify your token as the default random number generator. If you do, your token + must be able to generate random numbers even when it is not logged in. NSS uses installed random + number generators if PKCS11_MECH_RANDOM_FLAG is set in the installer script. For information on + how to do this, see Using the JAR Installation Manager to Install a PKCS #11 Cryptographic + Module. + + .. rubric:: Can Mozilla provide a list of all PKCS #11 functions that NSS will use? + :name: can_mozilla_provide_a_list_of_all_pkcs_.2311_functions_that_nss_will_use.3f + + Your token should expect to implement all the PKCS #11 functions that make sense for your token. + NSS continues to evolve, and periodically enhances it's functionality by using a more complete + list of PKCS #11 functions. You should have implementations for all the functions specified in + the version of the PKCS #11 spec your token implements. If you do not actually do the operation + specified by that function, you can return CKR_FUNCTION_NOT_SUPPORTED. + + .. rubric:: Will NSS get the user's CA certificate via PKCS #11 and push it into the CA + certificate database or is the CA certificate database expected to obtain the CA certificate + by some other means? + :name: will_nss_get_the_user.27s_ca_certificate_via_pkcs_.2311_and_push_it_into_the_ca_certificate_database_or_is_the_ca_certificate_database_expected_to_obtain_the_ca_certificate_by_some_other_means.3f + + PKCS #11 certificates that have private keys associated with them are loaded into the temporary + database (in memory) and marked as user certificates. All other certificates in the module are + loaded into the temporary database with no special trust bits associated with them. NSS is + perfectly capable of using token certificates in place. + + .. rubric:: Which function does NSS use to get login state information? + :name: which_function_does_nss_use_to_get_login_state_information.3f + + NSS calls C_GetSessionInfo to get the login/logout state. NSS never attempts to cache this + information, because login state can change instantly without NSS knowing about it (for example, + when the user removes the card). You must update all sessions correctly when the state changes. + Not doing so is a common source of problems. + + .. rubric:: I have noticed that NSS sometimes use a session handle value of 0. Is this an invalid + session handle? + :name: i_have_noticed_that_nss_sometimes_use__a_session_handle_value_of_0._is_this_an_invalid_session_handle.3f + + A session handle of 0 is indeed invalid. In the past, NSS uses the invalid session handle to mark + problems with acquiring or using a session. There have been cases where NSS would then use this + handle to try to do some operation. PKCS #11 modules should fail with CKR_INVALID_SESSION. We are + working to remove these cases as we find them. + + .. rubric:: What are "Generic Crypto Svcs" (the first item listed when you click the View/Edit + button for the NSS Internal PKCS #11 Module under Security Devices under Options/Security in + Firefox)? + :name: what_are_.22generic_crypto_svcs.22_.28the_first_item_listed_when_you_click_the_view.2fedit_button_for_the_nss_internal_pkcs_.2311_module__under_security_devices_under_options.2fsecurity_in_firefox.29.3f + + Generic Crypto Svcs are the services that NSS uses to do its basic cryptography (RSA encryption + with public keys, hashing, AES, DES, RC4, RC2, and so on).Other PKCS #11 modules can supply + implementations of these functions, and NSS uses those versions under certain conditions. + However, these are not the services NSS calls to get to other PKCS #11 modules, which show up + separately under Cryptographic Modules. + + .. rubric:: Our plugin provides several slots with different capabilities. For example, one does + all the hashing/symmetric operations, while another does only asymmetric RSA operations. Can + this kind of division lead to problems? + :name: our_plugin_provides_several_slots_with_different_capabilities._for_example.2c_one_does_all_the_hashing.2fsymmetric_operations.2c_while_another_does_only_asymmetric_rsa_operations._can_this_kind_of_division_lead_to_problems.3f + + The only issue is dealing with keys. For example, if the RSA slot unwraps a key, NSS needs to + move that key to a slot that can do the symmetric operations. NSS itself uses two tokens + internally--one that provides generic cryptographic services without authentication, and one that + provides operations based on the keys stored in the user's database and do need authentication. + NSS does this to avoid having to prompt for a password when performing an RSA verify operation, + DES encryption, and so on. Therefore, NSS can move keys around when necessary and possible. When + operating in FIPS mode, moving keys is significantly harder. In this case NSS uses a single token + to handle both key and cert storage and crypto operations. + + In general, you not should use different slots unless you have a good reason. Much of NSS's token + selection is based on where the key involved is currently stored. If the token that has your + private keys doesn't also do symmetric operations, for example, it's likely that the internal + token will end up doing the symmetric operations. + + .. rubric:: Is the PKCS #11 module supplied with NSS accessible through a shared library? + :name: is_the_pkcs_.2311_module_supplied_with_nss_accessible_through_a_shared_library.3f + + Yes, the token is call softokn3 (softokn3.dll on windows, libsoftokn3.so on most unix platforms). + The NSS softokn3 is not a complete PKCS #11 module, it was implemented only to support NSS, + though other products have managed to get it to work in their environment. There are a number of + bugs against softoken's non-compliance, but these bugs have lower priority than fixing NSS's + non-complient uses of PKCS #11 or adding new features to NSS. + + .. rubric:: If multiple PKCS #11 modules are loaded, how does NSS determine which ones to use for + the mechanisms required by SSL? + :name: if_multiple_pkcs_.2311_modules_are_loaded.2c_how_does_nss_determine_which_ones_to_use_for_the_mechanisms_required_by_ssl.3f + + NSS uses the first slot it finds that can perform all the required operations. On servers, it's + almost always the slot that contains the server's private key. + + .. rubric:: Does NSS support the use of PKCS #11 callbacks specified in the pNotify and + pApplication parameters for C_OpenSession? + :name: does_nss_support_the_use_of_pkcs_.2311_callbacks_specified_in_the_pnotify_and_papplication_parameters_for_c_opensession.3f + + NSS does not currently use any of the callbacks. + + NSS applications detect card insertion and deletion by means of polling to determine whether the + card is still in the slot and whether the open session associated with that card is still valid, + or by waiting on the C_WaitForSlotEvent call. + + .. rubric:: What must an X.509 certificate include to allow it to be recognized as an email + certificate for use with S/MIME? + :name: what_must_an_x.509_certificate_include_to_allow_it_to_be_recognized_as_an_email_certificate_for_use_with_s.2fmime.3f + + An email address must be included in the attribute of the subject DN or the mail attribute of the + subject DN. If the subject DN does not include an email address, the certificate extension + subjectAltName must include an email address. The subjectAltName extension is part of the X.509 + v3 and PKIX specifications. + + .. rubric:: If I have a multipurpose token that supports all required PKCS #11 functions and + provides RSA_PKCS and DSA mechanisms but not AES, DES or RC4, will NSS use the token for the + RSA_PKCS mechanisms and the NSS Internal PKCS #11 module for AES, DES or RC4 when making an + SSL connection? + :name: if_i_have_a_multipurpose_token_that_supports_all_required_pkcs_.2311_functions_and_provides_rsa_pkcs_and_dsa_mechanisms_but_but_not_aes.2c_des_or_rc4.2c_will_nss_use_the_token_for_the_rsa_pkcs_mechanisms_and_the_nss_internal_pkcs_.2311_module_for_aes.2c_des_or_rc4_when_making_an_ssl_connection.3f + + Once NSS starts using a token for a given operation (like S/MIME or SSL), it works hard to keep + using that same token (so keys don't get moved around). Symmetric operations supported by NSS + include the following: CKM_AES_XXX, CKM_DES3_XXX, CKM_DES_XXX, CKM_RC2_XXX, and CKM_RC4_XXX. NSS + knows about all the mechanisms defined in PKCS #11 version 2.01, but will not perform those that + aren't defined by NSS's policy mechanism. + + .. rubric:: When do NSS Applications spawn threads off the main thread, which in turn opens up a + new PKCS #11 session? + :name: when_do_nss_applications_spawn_threads_off_the_main_thread.2c_which_in_turn_opens_up_a_new_pkcs_.2311_session.3f + + This depends on the application. PKCS #11 sessions are cryptographic session states, independent + of threads. In NSS based servers, multiple threads may call the same session, but two threads + will not call the same session at the same time. + + .. rubric:: QUESTIONS ABOUT KEYS AND TOKENS + :name: questions_about_keys_and_tokens + + .. rubric:: Is the PKCS #11 token treated in a read-only manner? That is, no token init, no key + gens, no data puts, no cert puts, etc.? + :name: is_the_pkcs_.2311_token_treated_in_a_read-only_manner.3f_that_is.2c_no_token_init.2c_no_key_gens.2c_no_data_puts.2c_no_cert_puts.2c_etc..3f + + If the token is marked read-only, then it will be treated as such. If the token is marked + read/write and advertises that it can generate keys, NSS uses the token (through PKCS #11) to + generate the key and loads the user's certificate into the token. If the token is marked + read/write and does not advertise that it can generate keys, NSS generates the keys and loads + them into the token. + + .. rubric:: How is private key handled when an external PKCS #11 module is loaded? Is it picked + up from the token when securing, or does NSS expect it to be added in its private key database + to use it? + :name: how_is_private_key_handled_when_an_external_pkcs_.2311_module_is_loaded.3f_is_it_picked_up_from_the_token_when_securing.2c_or_does_nss_expect_it_to_be_added_in_its_private_key_database_to_use_it.3f + + While certificates may be read into the temporary database, private keys are never extracted from + the PKCS #11 module unless the user is trying to back up the key. NSS represents each private key + and a pointer to its PKCS #11 slot as a CK_OBJECT_HANDLE. When NSS needs to do anything with a + private key, it calls the PCKS #11 module that holds the key. + + .. rubric:: If a PKCS #11 library reports that, for example, it does not support RSA signing + operations, does NSS expect to be able to pull an RSA private key off the token using the + C_GetAttributeValue call and then do the operation in software? + :name: if_a_pkcs_.2311_library_reports_that.2c_for_example.2c_it_does_not_support_rsa_signing_operations.2c_does_nss_expect_to_be_able_to_pull_an_rsa_private_key_off_the_token_using_the_c_getattributevalue_call_and_then_do_the_operation_in_software.3f + + No. NSS will never try to pull private keys out of tokens (except as wrapped objects for PKCS + #12). Operations the token does not support are considered impossible for the key to support. + + NSS may try to pull and load symmetric keys, usually if the key exchange happens in a token that + does not support the symmetric algorithm. NSS works very hard not to have to pull any key out of + a token (since that operation does not always work on all tokens). + + .. rubric:: If so, by what means does NSS attempt to retrieve the data? By searching for some + fixed label attribute? Must the token store any temporary (session) objects? + :name: if_so.2c_by_what_means_does_nss_attempt_to_retrieve_the_data.3f_by_searching_for_some_fixed_label_attribute.3f_must_the_token_store_any_temporary_.28session.29_objects.3f + + In general, yes, the token should store temporary session objects. This may not be necessary for + "private key op only" tokens, but this is not guaranteed. You should be prepared to handle + temporary objects. (Many NSS based server products will use temporary session objects, even for + "private key op only" tokens.) + + .. rubric:: If a session key is unwrapped and stays on a hardware token, is it sufficient to + support just the usual decryption mechanisms for it, or is it assumed that such a symmetric + key will always be extractable from the token into the browser? The motivation for this is + that some hardware tokens will prevent extraction of symmetric keys by design. + :name: if_a_session_key_is_unwrapped_and_stays_on_a_hardware_token.2c_is_it_sufficient_to_support_just_the_usual_decryption_mechanisms_for_it.2c_or_is_it_assumed_that_such_a_symmetric_key_will_always_be_extractable_from_the_token_into_the_browser.3f_the_motivation_for_this_is_that_some_hardware_tokens_will_prevent_extraction_of_symmetric_keys_by_design. + + NSS attempts to extract an unwrapped key from a token only if the token cannot provide the + necessary service with that key. For instance if you are decrypting an S/MIME message and you + have unwrapped the DES key with the private key provided by a given token, NSS attempts to use + that token to provide the DES encryption. Only if that token cannot do DES will NSS try to + extract the key. + + .. rubric:: If the smartcard can't do key generation, will NSS do the key generation + automatically? + :name: if_the_smartcard_can.27t_do_key_generation.2c_will_nss_do_the_key_generation_automatically.3f + + Yes. If your token can do CKM_RSA_PKCS, and is writable, NSS displays it as one of the options to + do key generation with. If the token cannot do CKM_RSA_PKCS_GEN_KEYPAIR, NSS uses its software + key generation code and writes the private and public keys into the token using C_CreateObject. + The RSA private key will contain all the attributes specified by PKCS #11 version 2.0. This is + also true for CKM_DSA and CKM_DSA_GEN_KEYPAIR. + + .. rubric:: What is the C_GenerateKeyPair process? For example, what happens when an application + in the a server asks an NSS based client to do a keypair generation while a smartCard is + attached? How is the private key stored to the smartCard, and how is the public key sent to + the server (with wrapping?). + :name: what_is_the_c_generatekeypair_process.3f_for_example.2c_what_happens_when_an_application_in_the_a_server_asks_an_nss_based_client_to_do_a_keypair_generation_while_a_smartcard_is_attached.3f_how_is_the_private_key_stored_to_the_smartcard.2c_and_how_is_the_public_key_sent_to_the_server_.28with_wrapping.3f.29. + + The private key is created using C_GenerateKeyPair or stored using C_CreateObject (depending on + who generates the key). NSS does not keep a copy of the generated key if it generates the key + itself. Key generation in Mozilla clients is triggered either by the standard <KEYGEN> tag, or by + the keygen functions off the window.crypto object. This is the same method used for generating + software keys and certificates and is used by certificate authorities like VeriSign and Thawte. + (Red Hat Certificate Server also uses this method). The public key is sent to the server + base-64-DER-encoded with an (optional) signed challenge. + + .. rubric:: Are persistent objects that are stored on the token, such as private keys and + certificates, created by the PKCS #11 module? Is it safe to assume that NSS never calls + C_CreateObject for those persistent objects? + :name: are_persistent_objects_that_are_stored_on_the_token.2c_such_as_private_keys_and_certificates.2c_created_by_the_pkcs_.2311_module.3f_is_it_safe_to_assume_that_nss_never_calls_c_createobject_for_those_persistent_objects.3f + + No. As stated in the answer to the preceding question, when NSS does a keygen it uses + C_GenerateKeyPair if the token supports the keygen method. If the token does not support keygen, + NSS generates the key internally and uses C_CreateObject to load the private key into the token. + When the certificate is received after the keygen, NSS loads it into the token with + C_CreateObject. NSS also does a similar operation for importing private keys and certificates + through pkcs12. + + The above statement is true for read-write tokens only. + + .. rubric:: When and how does NSS generate private keys on the token? + :name: when_and_how_does_nss_generate_private_keys_on_the_token.3f + + As stated above, NSS uses C_GenerateKeyPair if the token supports the keygen method. If an RSA + key is being generated, the NSS application will present a list of all writable RSA devices asks + the user to select which one to use, if a DSA key is being generated, it will present a list of + all the writable DSA devices, if an EC key is being generated, it will present a list of all + writable EC devices. + + .. rubric:: Does NSS ever use C_CopyObject to copy symmetric keys if it needs to reference the + same key for different sessions? + :name: does_nss_ever_use_c_copyobject_to_copy_symmetric_keys_if_it_needs_to_reference_the_same_key_for_different_sessions.3f + + No. This is never necessary. The PKCS #11 specification explicitly requires that symmetric keys + must be visible to all sessions of the same application. NSS explicitly depends on this semantic + without the use of C_CopyObject. If your module does not support this semantic, it will not work + with NSS. + + .. rubric:: QUESTIONS ABOUT PINS + :name: questions_about_pins + + .. rubric:: Will a password change ever be done on the token? + :name: will_a_password_change_ever_be_done_on_the_token.3f + + Yes, NSS attempts to change the password in user mode only. (It goes to SSO mode only if your + token identifies itself as CKF_LOGIN_REQUIRED, but not CKF_USER_INITIALIZED). + + It's perfectly valid to reject the password change request with a return value such as + CKR_FUNCTION_NOT_SUPPORTED. If you do this, NSS applications display an appropriate error message + for the user. + + .. rubric:: If I have my smart card which has initial PIN set at '9999', I insert it into my + reader and download with my certificate (keygen completed), can I issue 'Change Password' from + the Firefox to set a new PIN to the smart card? Any scenario that you can give me similar to + this process (a way to issue a certificate on an initialized new card)? + :name: if_i_have_my_smart_card_which_has_initial_pin_set_at__.279999.27.2c_i_insert_it_into_my_reader_and_download_with_my_certificate_.28keygen_completed.29.2c_can_i_issue_.27change_password.27_from_the_firefox_to_set_a_new_pin_to_the_smart_card.3f_any_scenario_that_you_can_give_me_similar_to_this_process_.28a_way_to_issue_a_certificate_on_an_initialized_new_card.29.3f + + Yes. First open the Tools/Options/Advanced/Security window in Mozilla and click Security Devices. + Then select your PKCS #11 module, click View/Edit, select the token, and click Change Password. + For this to work, you must supply a C_SetPIN function that operates as CKU_USER. Mozilla, + Thunderbird, and Netscape products that use NSS have different UI to get the Security Devices + dialog. + + To get a key into an initialized token, go to your local Certificate Authority and initiate a + certificate request. Somewhere along the way you will be prompted with a keygen dialog. Normally + this dialog does not have any options and just provides information; however, if you have more + than one token that can be used in this key generation process (for example, your smartcard and + the NSS internal PKCS#11 module), you will see a selection of "cards and databases" that can be + used to generate your new key info. + + In the key generation process, NSS arranges for the key to have it's CKA_ID set to some value + derived from the public key, and the public key will be extracted using C_GetAttributes. This key + will be sent to the CA. + + At some later point, the CA presents the certificate to you (as part of this keygen, or in an + e-mail, or you go back and fetch it from a web page once the CA notifies you of the arrival of + the new certificate). NSS uses the public key to search all its tokens for the private key that + matches that certificate. The certificate is then written to the token where that private key + resides, and the certificate's CKA_ID is set to match the private key. + + .. rubric:: Why does Firefox require users to authenticate themselves by entering a PIN at the + keyboard? Why not use a PIN pad or a fingerprint reader located on the token or reader? + :name: why_does_firefox_require_users_to_authenticate_themselves_by_entering_a_pin_at_the_keyboard.3f_why_not_use_a_pin_pad_or_a_fingerprint_reader_located_on_the_token_or_reader.3f + + PKCS #11 defines how these kinds of devices work. There is an outstanding bug in Firefox to + implement this support.
\ No newline at end of file |