canmove, Confirmed users
937
edits
FIPS Module Specification: Difference between revisions
Jump to navigation
Jump to search
→Approved Mode of Operation
| Line 64: | Line 64: | ||
===Approved Mode of Operation=== | ===Approved Mode of Operation=== | ||
By default the NSS cryptographic module operates in the non-FIPS Approved mode, meaning that if an application calls the standard PKCS #11 function <code>C_GetFunctionList</code> and calls the function pointers in that list, it gets the non-FIPS Approved mode. To run the NSS cryptographic module in the FIPS Approved mode, an application must call the alternative function <code>FC_GetFunctionList</code> and call the function pointers in that list. Here is the sample code using NSPR functions for dynamic library loading and function symbol lookup: | |||
<pre> | <pre> | ||
#include "prlink.h" | |||
#include "cryptoki.h" | |||
#include <assert.h> | |||
#include <stdio.h> | |||
typedef struct CK_C_INITIALIZE_ARGS_NSS { | |||
CK_CREATEMUTEX CreateMutex; | |||
/* | CK_DESTROYMUTEX DestroyMutex; | ||
CK_LOCKMUTEX LockMutex; | |||
rv = | CK_UNLOCKMUTEX UnlockMutex; | ||
CK_FLAGS flags; | |||
/* The official PKCS #11 spec does not have a 'LibraryParameters' field, but | |||
} | * a reserved field. NSS needs a way to pass instance-specific information | ||
* to the library (like where to find its config files, etc). This | |||
* information is usually provided by the installer and passed uninterpreted | |||
* by NSS to the library, though NSS does know the specifics of the softoken | |||
* version of this parameter. Most compliant PKCS#11 modules expect this | |||
* parameter to be NULL, and will return CKR_ARGUMENTS_BAD from | |||
* C_Initialize if Library parameters is supplied. */ | |||
CK_CHAR_PTR *LibraryParameters; | |||
/* This field is only present if the LibraryParameters is not NULL. It must | |||
* be NULL in all cases */ | |||
CK_VOID_PTR pReserved; | |||
} CK_C_INITIALIZE_ARGS_NSS; | |||
int main() | |||
{ | |||
char *libname; | |||
PRLibrary *lib; | |||
CK_C_GetFunctionList pC_GetFunctionList; | |||
CK_FUNCTION_LIST_PTR pFunctionList; | |||
CK_RV rv; | |||
CK_C_INITIALIZE_ARGS_NSS initArgs; | |||
CK_INFO info; | |||
PRStatus status; | |||
/* Get the platform-dependent library name of the NSS cryptographic module */ | |||
libname = PR_GetLibraryName(NULL, "softokn3"); | |||
assert(libname != NULL); | |||
lib = PR_LoadLibrary(libname); | |||
assert(lib != NULL); | |||
PR_FreeLibraryName(libname); | |||
pC_GetFunctionList = (CK_C_GetFunctionList) PR_FindFunctionSymbol(lib, | |||
"FC_GetFunctionList"); | |||
assert(pC_GetFunctionList != NULL); | |||
rv = (*pC_GetFunctionList)(&pFunctionList); | |||
assert(rv == CKR_OK); | |||
/* Call FC_Foo as pFunctionList->C_Foo */ | |||
initArgs.CreateMutex = NULL; | |||
initArgs.DestroyMutex = NULL; | |||
initArgs.LockMutex = NULL; | |||
initArgs.UnlockMutex = NULL; | |||
initArgs.flags = CKF_OS_LOCKING_OK; | |||
initArgs.LibraryParameters = (CK_CHAR_PTR *) | |||
"configdir='.' certPrefix='' keyPrefix='' secmod='secmod.db' flags= "; | |||
initArgs.pReserved = NULL; | |||
rv = pFunctionList->C_Initialize(&initArgs); | |||
assert(rv == CKR_OK); | |||
rv = pFunctionList->C_GetInfo(&info); | |||
assert(rv == CKR_OK); | |||
printf("General information about the PKCS #11 library:\n"); | |||
printf(" PKCS #11 version: %d.%d\n", | |||
(int)info.cryptokiVersion.major, (int)info.cryptokiVersion.minor); | |||
printf(" manufacturer ID: %.32s\n", info.manufacturerID); | |||
printf(" flags: 0x%08lX\n", info.flags); | |||
printf(" library description: %.32s\n", info.libraryDescription); | |||
printf(" library version: %d.%d\n", | |||
(int)info.libraryVersion.major, (int)info.libraryVersion.minor); | |||
printf("\n"); | |||
rv = pFunctionList->C_Finalize(NULL); | |||
assert(rv == CKR_OK); | |||
status = PR_UnloadLibrary(lib); | |||
assert(status == PR_SUCCESS); | |||
return 0; | |||
} | |||
</pre> | </pre> | ||
===Design Specification=== | ===Design Specification=== | ||