帮助快速启动 NSS

Question

I am starting into NSS and I managed to build it. The outcome was placed in a folder named dist and has several subfolders that contain several exe's dlls etc.

dist  
    /WINNT6.0_DBG.OBJ  
         /bin  
         /include  
         /lib   

I am trying to try it but I am not sure what is the nssLibraryDirectory and nssSecmodDirectory .

For the nssLibraryDirectory should I copy everything in the dist in a single file and refer to it from nssLibraryDirectory ? What about nssSecmodDirectory ? I'm not sure how I am suppose to configure to start using sun's pkcs11.

For example this trivial:

String configName = "nss.cfg";
Provider p = new sun.security.pkcs11.SunPKCS11(configName );

Where nss.cfg is:

 name = NSS  
 nssLibraryDirectory = E:\NSS\nss-3.12.4-with-nspr-4.8\mozilla\dist\WINNT6.0_DBG.OBJ\lib 
 nssDbMode = noDb  

Gives exception

Caused by: java.io.IOException: The specified module could not be found. at sun.security.pkcs11.Secmod.nssLoadLibrary(Native Method)

Answer 1

Some note from my hard trying.... I think it would help anyone who want to use NSS.

I tend to construct a String in Java code to know in which line the error occurs. I must say it's better because Eclipse can eliminate all String construction errors. Then you pay attention to values to fill in.

I use these code:

String config = "xxxxxxx" +
                "xxxxxxx" +
                "xxxxxxx" +
                "\n";
provider = new SunPKCS11(new ByteArrayInputStream(config.getBytes()));
Security.insertProviderAt(provider, 1);

All flags for Provider config: (from http://j7a.ru/_config_8java_source.html , seems like openjdk 8 sun.security.pkcs11.Config.java .)

name=xxxxxx       //some text, " must be escaped with \
library=/location/of/your/.so/or/.dll/file //not compatible with NSS mode, must be quoted if contains space, and if quoted, " must be escaped
description=
slot=             //not compatible with NSS mode
slotListIndex=    //not compatible with NSS mode
enableMechanisms=
disableMechanisms=
attributes=
handleStartupErrors=
insertionCheckInterval=
showInfo=true/false
keyStoreCompatibilityMode=
explicitCancel=
omitInitialize=
allowSingleThreadedModules=
functionList=
nssUseSecmod=true/false  //not campatible with 'library'
nssLibraryDirectory=     //not campatible with 'library'
nssSecmodDirectory=      //not campatible with 'library'
nssModule=some text      //not campatible with 'library'
nssDbMode=readWrite, readOnly, noDb   //not campatible with 'library'
nssNetscapeDbWorkaround=true/false    //not campatible with 'library'
nssArgs="name1='value1' name2='value2' name3='value3' ... "          //not compatible with NSS mode
nssUseSecmodTrust=true/false

Examples of nssArgs= : (separated by space)

"nssArgs=\"configdir='" + NSS_JSS_Utils.getFireFoxProfilePath() + "' "
+ "certPrefix='' "                          
+ "keyPrefix='' "
+ "secmod='secmod.db' "
+ "flags='readOnly'\""

Some example of escaping in Java code:

String config = "name=\"NSS Module\"\n" +
                "......" +
                "\n";

If with space, must be quoted with " " . ' ' is not able to be used. Every " must be escaped with \ .

Now, some real examples.

To use Firefox security modules via NSS:

String config = "name=\"NSS Module\"\n"
+ "attributes=compatibility\n"
+ "showInfo=true\n"
+ "allowSingleThreadedModules=true\n"
+ "nssLibraryDirectory=" + NSS_JSS_Utils.NSS_LIB_DIR + "\n"
+ "nssUseSecmod=true\n"
+ "nssSecmodDirectory=" + NSS_JSS_Utils.getFireFoxProfilePath();

To use libsoftokn3.so (I don't know what it's used for, but I see someone have used it like this with nssArgs ):

String config = "library=" + NSS_JSS_Utils.NSS_LIB_DIR + "/libsoftokn3.so" + "\n"
    + "name=\"Soft Token\"\n";
    + "slot=2\n"
    + "attributes=compatibility\n"
    + "allowSingleThreadedModules=true\n"
    + "showInfo=true\n"
    + "nssArgs=\"configdir='" + NSS_JSS_Utils.getFireFoxProfilePath() + "' "
                + "certPrefix='' "
                + "keyPrefix='' "
                + "secmod='secmod.db' "
                + "flags='readOnly'\""
    + "\n";

NSS_JSS_Utils.NSS_LIB_DIR returns the directory where all the NSS library libs are. Sometimes they are installed by default(eg, in my RedHat 7.2), but sometimes you must install them manually.

NSS_JSS_Utils.getFireFoxProfilePath() returns where your FireFox profile are located. If you use modutil shipped with NSS/NSPR, you can see your installed security modules are stored in the secmod.db in this folder. If you cannot find them, you may have taken the wrong file.

More info about how to fill these values:

NSS PKCS#11 Spec

Answer 2

nssLibraryDirectory should only contain the lib subdirectory. Its also has to appear in PATH - either by modifying environment variable or specifying it in JVM parameters.