pkcs11proxy is a usage example for pkcs11mod. It simply passes through all PKCS#11 calls to another PKCS#11 module. You might find it useful for tracing PKCS#11 calls to a log file. In the real world, you would set `backend` to a struct of your own creation that implements the same API as `pkcs11.Ctx`.

- Build pkcs11mod (see parent directory).
- `CGO_ENABLED=1 go build -buildmode c-shared -o libpkcs11proxy.so`
  - If building for a Windows target, replace `libpkcs11proxy.so` with `pkcs11proxy.dll`.

Set the `PKCS11PROXY_CKBI_TARGET` environment variable to the PKCS#11 module that will be proxied to. If this variable is unset or empty, the default is `/usr/lib64/nss/libnssckbi.so` (the Mozilla NSS CKBI PKCS#11 module).

- Find the CKBI PKCS#11 module that Firefox ships with. Depending on your OS, it is probably called `libnssckbi.so`, `libnssckbi.dylib`, or `nssckbi.dll`.
- Rename the Firefox CKBI module, e.g. rename `libnssckbi.so` to `libnssckbi.orig.so`.
- Place the pkcs11proxy module where the Firefox CKBI module was, e.g. rename `libpkcs11proxy.so` to `libnssckbi.so` and put it in the directory where the original module was.
- Set `PKCS11PROXY_CKBI_TARGET` to the renamed Firefox CKBI module, e.g. `export PKCS11PROXY_CKBI_TARGET=/usr/lib64/nss/libnssckbi.orig.so`.
- Run Firefox. If you did it right, certificate validation will work as it did before, but you'll see a log file from pkcs11proxy.
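
The Firefox steps above as a reversible shell helper. This is an added example, not part of pkcs11mod; the function names `install_proxy` and `restore_original` are hypothetical, and the file names are the Linux ones used above.

```shell
#!/bin/sh
# Added example (not project code): swap Firefox's CKBI module for
# pkcs11proxy and undo it again. File names assume a Linux target.

CKBI_NAME=libnssckbi.so
ORIG_NAME=libnssckbi.orig.so

# install_proxy <firefox_lib_dir> <path/to/libpkcs11proxy.so>
# On success prints the value to use for PKCS11PROXY_CKBI_TARGET.
install_proxy() {
    dir=$1
    proxy=$2
    [ -f "$dir/$CKBI_NAME" ] || { echo "no $CKBI_NAME in $dir" >&2; return 1; }
    [ -f "$proxy" ] || { echo "proxy module not found: $proxy" >&2; return 1; }
    # Refuse to run twice: a second run would rename the proxy over the
    # original module, losing it and making the proxy target a copy of itself.
    [ ! -e "$dir/$ORIG_NAME" ] || { echo "already installed in $dir" >&2; return 1; }
    mv "$dir/$CKBI_NAME" "$dir/$ORIG_NAME" || return 1
    # Copy rather than rename so the build output stays in place.
    if ! cp "$proxy" "$dir/$CKBI_NAME"; then
        mv "$dir/$ORIG_NAME" "$dir/$CKBI_NAME"   # roll back on failure
        return 1
    fi
    printf '%s\n' "$dir/$ORIG_NAME"
}

# restore_original <firefox_lib_dir>
# Puts the original CKBI module back, removing the proxy.
restore_original() {
    dir=$1
    [ -f "$dir/$ORIG_NAME" ] || { echo "nothing to restore in $dir" >&2; return 1; }
    mv -f "$dir/$ORIG_NAME" "$dir/$CKBI_NAME"
}

# Usage:
#   export PKCS11PROXY_CKBI_TARGET="$(install_proxy /usr/lib64/nss ./libpkcs11proxy.so)"
#   firefox
#   restore_original /usr/lib64/nss
```

Run `restore_original` once tracing is finished so that certificate validation no longer passes through the proxy.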