[openssl-users] Access Mozilla NSS (shared) Database / PKCS#11 Modules via OpenSSL?
Jan Just Keijser
janjust at nikhef.nl
Wed Nov 9 12:46:59 UTC 2016
Hi,
On 08/11/16 17:33, Matthias Ballreich wrote:
>
> Hi there,
>
> how can i access the Mozilla NSS (shared) Database (cert8 or
> cert9d.db) / PKCS#11-Modules via OpenSSL?
>
> I need read & write access to the NSS User Cert Database (softokn3)
> and to the Built-In Cert Database (nssckbi) under Windows.
>
> I tried it with Libp11 this way:
>
> int rc = 0;
> PKCS11_CTX *pkcs11_ctx;
> pkcs11_ctx = PKCS11_CTX_new();
> PKCS11_CTX_init_args(pkcs11_ctx,
> "configdir=''C:/Users/Username/AppData/Roaming/Mozilla/Firefox/Profiles/5wzkdcjx.default'
> certPrefix='' keyPrefix='' secmod='secmod.db'");
> rc = PKCS11_CTX_load(pkcs11_ctx, " C:/Program Files
> (x86)/Mozilla/Firefox/softokn3.dll ");
> printf("Desc: %s\n", pkcs11_ctx->description);
> if (rc)
> printf("Error loading Module");
>
> But it return every time “-1” which tells me that the loading fails.
> So is this the right way? Or should I use another library? Or is my
> code not right?
>
> And can I edit the Trust Settings with that or another library like
> with NSS directly? Because I can’t delete the built-in certs of
> nssckbi because this is read-only I can edit the Trust-Settings for
> that certificate. Can I do that with OpenSSL in combination with a
> library, too? Or should I better use NSS instead of OpenSSL?
>
>
this is slightly off-topic for this mailinglist, but I'd try using
p11-kit to access the NSS device; the problem with the softokn3
pseudo-pkcs11 device is/was that it did not follow the PKCS11 standard
completely - this made the softokn3 device unusable for tools like
libp11 and opensc ; however, there are links on the web stating that
p11-kit does not how to read a nssdb file, e.g.
https://wiki.gnome.org/Projects/CryptoGlue/Integration#NSS_libsoftokn3
and p11-kit has been ported to both mingw and cygwin.
HTH,
JJK
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20161109/1002d646/attachment-0001.html>
More information about the openssl-users
mailing list