Posts

Showing posts from July, 2009

Dump PKCS11 Slot Info

Recently, I needed a tool to show the detailed PKCS11 slot information. Cryptoadm is a good utility to display cryptographic provider information for a system, but it does not show me the "ulMaxSessionCount" field, which was important to me at that time, I was eager to know what's the maximum number of sessions that can be opened with the token at one time by a single application. Google did not help this time, so I had to write a simple tool by myself.Past the code here, maybe one day, it will save me a lot time when I need such a detailed slot info.Compile the codes with:$gcc cryinfo.c -o slotinfo -lpkcs11Copy (or download), save, compile the source code bellow:#include <stdio.h>
#include <security/cryptoki.h>
#include <security/pkcs11.h>

extern void dump_info();

int main(int argc, char **argv) {
CK_RV rv;
CK_MECHANISM mechanism = {CKM_RC4, NULL_PTR, 0L};
CK_SESSION_HANDLE hSession;

// initialize teh crypto library
rv…

Enable OCSP checking

If a certificate is issued with a authority information access extension which indicates the OCSP access method and location, one can enable the default implementation of OCSP checker during building or validating a certification path.
Maybe you need to check your certificate firstly, in the purpose of making sure it includes a OCSP authority information access extension:

#${JAVA_HOME}/bin/keytool -printcert -v -file target.cert You are expected to see similar lines in the output:
#3: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false AuthorityInfoAccess [ [accessMethod: 1.3.6.1.5.5.7.48.1 accessLocation: URIName: http://onsite-ocsp.verisign.com] ]
In the above output, "http://onsite-ocsp.verisign.com" indicates the location of the OCSP service.
If you find one of similar authority information access extension in your certificate path, you need to enable OCSP checker.
For Sun PKIX implementation, OCSP checking is not enabled by default for compatibility, note that enabling OCSP …