PKCS #11 JAR Format

PKCS #11 modules can be packaged into JAR files that support automatic installation onto the filesystem and into the security module database. The JAR file should contain:

The script can be in one of two forms. If the JAR file is to be run by Communicator (or any program that interprets Javascript), the instructions will be in the form of a SmartUpdate script. Documentation on creating this script can be found on DevEdge.

If the JAR file is to be run by a server, modutil, or any other program that doesn't interpret Javascript, a special information file must be included in the format described in this document.

Declaring the Script in the Manifest File

The script can have any name, but it must be declared in the manifest file of the JAR archive. The metainfo tag for this is Pkcs11_install_script. Meta-information is put in the manifest file by putting it in a file which is passed to Signtool. For example, suppose the PKCS #11 installer script is in the file pk11install. In Signtool's metainfo file, you would have a line like this: 
+ Pkcs11_install_script: pk11install

Sample Script File

ForwardCompatible { IRIX:6.2:mips Solaris:5.5.1:sparc }
Platforms {
	WINNT::x86 {
		ModuleName { "Fortezza Module" }
		ModuleFile { win32/fort32.dll }
		DefaultMechanismFlags{0x0001}
		DefaultCipherFlags{0x0001}
		Files {
			win32/setup.exe {
				Executable
				RelativePath { %temp%/setup.exe }
			}
			win32/setup.hlp {
				RelativePath { %temp%/setup.hlp }
			}
			win32/setup.cab {
				RelativePath { %temp%/setup.cab }
			}
		}
	}
	WIN95::x86 {
		EquivalentPlatform {WINNT::x86}
	}
	Solaris:5.5.1:sparc {
		ModuleName { "Fortezza UNIX Module" }
		ModuleFile { unix/fort.so }
		DefaultMechanismFlags{0x0001}
		CipherEnableFlags{0x0001}
		Files {
			unix/fort.so {
				RelativePath{%root%/lib/fort.so}
				AbsolutePath{/usr/local/netscape/lib/fort.so}
				FilePermissions{555}
			}
			xplat/instr.html {
				RelativePath{%root%/docs/inst.html}
				AbsolutePath{/usr/local/netscape/docs/inst.html}
				FilePermissions{555}
			}
		}
	}
	IRIX:6.2:mips {
		EquivalentPlatform { Solaris:5.5.1:sparc }
	}
}

Script File Grammar

--> valuelist

valuelist --> value valuelist
              <null>

value --> key_value_pair
          string

key_value_pair --> key { valuelist }

key --> string

string --> simple_string
           "complex_string"

simple_string --> [^ \t\n\""{""}"]+ (no whitespace, quotes, or braces)

complex_string --> ([^\"\\\r\n]|(\\\")|(\\\\))+ (quotes and backslashes must be escaped with a backslash, no newlines or carriage returns are allowed in the string)
Outside of complex strings, all whitespace (space, tab, newline) is considered equal and is used only to delimit tokens.

Keys

Keys are case-insensitive.

Global Keys

ForwardCompatible
Gives a list of platforms that are forward compatible. If the current platform cannot be found in the list of supported platforms, then the ForwardCompatible list will be checked for any platforms that have the same OS and architecture and an earlier version. If one is found, its attributes will be used for the current platform.
Platforms (required)
Gives a list of platforms. Each entry in the list is itself a key-value pair: the key is the name of the platform, and the valuelist contains various attributes of the platform. The ModuleName, ModuleFile, and Files attributes must be specified, unless an EquivalentPlatform attribute is specified. The platform string is in the following format: system name:os release:architecture. The installer will obtain these values from NSPR. os release is an empty string on non-UNIX operating systems. The following system names and platforms are currently defined by NSPR: Examples of valid platform strings: IRIX:6.2:mips, Solaris:5.5.1:sparc, Linux:2.0.32:x86, WIN95::x86.

Per-Platform Keys

These keys only have meaning within the value list of an entry in the Platforms list.
ModuleName (required)
Gives the common name for the module. This name will be used to reference the module from Communicator, modutil, servers, or any other program that uses the Netscape security module database.
ModuleFile (required)
Names the PKCS #11 module file (DLL or .so) for this platform. The name is given as the relative path of the file within the JAR archive.
Files (required)
Lists the files that should be installed for this module. Each entry in the file list is a key-value pair: the key is the path of the file in the JAR archive, and the valuelist contains attributes of the file. At least RelativePath and AbsoluteDir must be specified in this valuelist.
DefaultMechanismFlags
This key-value pair specifies of which mechanisms this module will be a default provider. It is a bitstring specified in hexadecimal (0x) format. It is constructed as a bitwise OR of the following constants. If the DefaultMechanismFlags entry is omitted, the value will default to 0x0. 
RSA:			0x0000 0001
DSA:			0x0000 0002
RC2:			0x0000 0004
RC4:			0x0000 0008
DES:			0x0000 0010
DH:			0x0000 0020
FORTEZZA:		0x0000 0040
RC5:			0x0000 0080
SHA1:			0x0000 0100
MD5:			0x0000 0200
MD2:			0x0000 0400
RANDOM:			0x0800 0000
FRIENDLY:		0x1000 0000
OWN_PW_DEFAULTS:	0x2000 0000
DISABLE:		0x4000 0000
CipherEnableFlags
This key-value pair specifies which SSL ciphers will be enabled. It is a bitstring specified in hexadecimal (0x) format. It is constructed as a bitwise OR of the following constants. If the CipherEnableFlags entry is omitted, the value will default to 0x0. 
FORTEZZA:		0x0000 0001
EquivalentPlatform
Specifies that the attributes of the named platform should also be used for the current platform. Saves typing when there is more than one platform that uses the same settings.

Per-File Keys

These keys only have meaning within the valuelist of an entry in a Files list. At least one of RelativePath and AbsolutePath must be specified. If both are specified, the relative path will be tried first and the absolute path used only if no relative root directory is provided by the installer program.
RelativePath
Specifies the destination directory of the file, relative to some directory decided at install-time. Two variables can be used in the relative path, "%root%" and "%temp%". "%root%" will be replaced at run-time with the directory relative to which files should be installed; for example, it may be the server's root directory or Communicator's root directory. "%temp%" is a directory that will be created at the beginning of the installation and destroyed at the end of the installation. Its purpose is to hold executable files (such as setup programs), or files that are used by these programs. For example, a Windows installation might consist of a setup.exe installation program, a help file, and a .cab file containing compressed information. All these files could be installed into the temporary directory. Files destined for the temporary directory are guaranteed to be in place before any executable file is run, and will not be deleted until all executable files have finished.
AbsoluteDir
Specifies the destination directory of the file as an absolute path. This will only be used if the installer is unable to determine a relative directory.
Executable
This string specifies that the file is to be executed during the course of the installation. Typically this would be used for a setup program provided by a module vendor, such as a self-extracting setup.exe. More than one file can be specified as executable, in which case they will be run in the order they are specified in the script file.
FilePermissions
This string is interpreted as a string of octal digits, according to the standard UNIX format. It is a bitwise OR of the following constants: 
user read:         400
user write:        200
user execute:      100
group read:        040
group write:       020
group execute:     010
other read:        004
other write:       002
other execute:     001
Some platforms may not understand these permissions. They will only be applied insofar as makes sense for the current platform. If this attribute is omitted, a default of 777 is assumed.