Hi all!
I have a SmartCard loaded as a PKCS11 module in NSS (as listed below):
modutil -list -dbdir /home/kiyohiko/.mozilla/firefox/qehmhsez.default/
Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
slots: 2 slots attached
status: loaded
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
2. Builtin Roots Module
library name: /usr/lib/firefox/libnssckbi.so
slots: 1 slot attached
status: loaded
slot:
token: Builtin Object Token
*3. PKCS#11 Module*
*library name: /usr/lib/opensc-pkcs11.so*
*slots: 8 slots attached*
*status: loaded*
*slot: Gemplus GemPC Twin 00 00*
*token: Rafael M. dos Santos Escolastico*
slot: Gemplus GemPC Twin 00 00
token:
slot: Gemplus GemPC Twin 00 00
token:
slot: Gemplus GemPC Twin 00 00
token:
slot: OpenCT reader (detached)
token:
slot: OpenCT reader (detached)
token:
slot: OpenCT reader (detached)
token:
slot: OpenCT reader (detached)
token:
4. EnterSafe PKCS#11 Module
library name: /usr/lib/libepsng_p11.so
slots: 2 slots attached
status: loaded
slot: FT SCR2000C 0 0
token:
slot: FT SCR2000C 1 0
token:
I am trying to list the certificate that is inside the SmartCard and its certificate chain (which is loaded by NSS; the certificate chain was installed in the Firefox databases, specifically cert8.db).
I'm using this code:
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Enumeration;

public class PKCS11ListCerts {
    private KeyStore keyStore = null;
    KeyStore.Builder builder = null;

    public static void main(String args[]) {
        // args[0]: SunPKCS11 configuration file, args[1]: token password/PIN
        if ( args.length != 2 ) {
            System.exit(1);
        }
        String configName = args[0];
        // Create the PKCS#11 provider from the configuration file and register it
        Provider p = new sun.security.pkcs11.SunPKCS11(configName);
        Security.addProvider(p);
        Provider[] providers = Security.getProviders();
        for ( int i=0; i < providers.length; i++ ) {
            System.out.println("Provider " +i+ ": " + providers[i].getName());
        }
        try {
            KeyStore.PasswordProtection pwd = new KeyStore.PasswordProtection(args[1].toCharArray());
            // Open the keystore backed by this provider only
            KeyStore ks = KeyStore.getInstance("PKCS11", p);
            ks.load(null, pwd.getPassword());
            System.out.println("The algorithm " + ks.getType());
            System.out.println("The provider " + ks.getProvider());
            System.out.println("the number of certs " + ks.size());
            // Print the alias of every entry the provider exposes
            for (Enumeration<String> list = ks.aliases(); list.hasMoreElements() ; ) {
                String alias = list.nextElement();
                System.out.println(alias);
            }
        } catch (Exception e) {
            e.printStackTrace();
            System.out.println("Wrong password");
        }
    }
}
... and the configuration file is:
name = NSScrypto
nssLibraryDirectory = /usr/lib/firefox
nssSecmodDirectory = /home/kiyohiko/.mozilla/firefox/qehmhsez.default
nssDbMode = readWrite
nssModule = keystore
attributes = compatibility
When I use this configuration file, I can list the certificates that I have installed in Firefox (cert8.db), but I cannot access the SmartCard's certificate. Meanwhile, I can access the SmartCard's certificate but cannot list the certificates in cert8.db when I use the following configuration file:
name = SmartCard
library = /usr/lib/opensc-pkcs11.so
Is there a way to access all certificates of all NSS modules in the same keystore?
When I use the JSS API I can do this, but I need to use the SunPKCS11 provider.
Thanks!
Diego Augusto
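One way to get the card certificate and its chain from a single program while staying with SunPKCS11 is to open one provider per configuration file and match issuers across the two keystores. The following is an added example, not code from the post: the class name PKCS11Chain is hypothetical, it assumes the two configuration files shown above and the same SunPKCS11 constructor the post uses (Java 8 and earlier), and it only lists the chain by issuer name and signature, without full path validation.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Provider;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Usage (hypothetical): java PKCS11Chain smartcard.cfg nss.cfg
public class PKCS11Chain {
    // Open the PKCS11 keystore behind one config file and return its X.509 certificates.
    static List<X509Certificate> certs(String cfg) throws Exception {
        Provider p = new sun.security.pkcs11.SunPKCS11(cfg);
        if (System.console() == null) throw new IllegalStateException("no console to read the PIN from");
        // Prompt for the PIN: a PIN passed in argv is visible in the process list.
        char[] pin = System.console().readPassword("PIN/password for %s: ", p.getName());
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);
        List<X509Certificate> out = new ArrayList<X509Certificate>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) out.add((X509Certificate) c);
        }
        return out;
    }
    // Return the pool certificate whose subject equals cert's issuer and whose key verifies cert.
    static X509Certificate issuerOf(X509Certificate cert, List<X509Certificate> pool) {
        for (X509Certificate c : pool) {
            if (!c.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) continue;
            try { cert.verify(c.getPublicKey()); return c; }
            catch (GeneralSecurityException e) { /* same name, different key: keep looking */ }
        }
        return null;
    }
    public static void main(String[] args) throws Exception {
        if (args.length != 2) { System.err.println("usage: PKCS11Chain <token.cfg> <nss.cfg>"); System.exit(1); }
        List<X509Certificate> card = certs(args[0]);   // certificates on the SmartCard
        List<X509Certificate> pool = certs(args[1]);   // certificates in the NSS database
        for (X509Certificate leaf : card) {
            X509Certificate cur = leaf;
            // Walk upward until a self-issued certificate or a missing issuer; cap the depth against loops.
            for (int depth = 0; cur != null && depth < 10; depth++) {
                System.out.println(depth + ": " + cur.getSubjectX500Principal().getName());
                boolean selfIssued = cur.getSubjectX500Principal().equals(cur.getIssuerX500Principal());
                cur = selfIssued ? null : issuerOf(cur, pool);
            }
        }
    }
}
```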