Looks like I spoke too soon. I discovered after setting the token FRIENDLY I was unable to see any certificates with the certificates manager unless I was logged in. This was because my p11 provider was saving certs & keys in the same database and I required login to access the database.

So I split the certs out into a separate database and did not require login to access them. But I still cannot view my certs in the Certificate Manager unless I am logged in. When trying to populate the Certificate Manager dialog Firefox calls nssToken_IsPrivateKeyAvailable(). If the slot is logged in it searches for a private key but if not logged in it searches for a public key, searching by CKA_ID and CKA_CLASS. But the problem is that I didn't save any public keys in the token databases. When I imported the p12 identity Firefox called C_UnwrapKey() to create the private key and I added it to the key database. Firefox created the certificate with C_CreateObject() and I saved it in the cert database. Firefox created a public key with C_CreateObject() but did not specify CKA_TOKEN=true so it was created as a session object and thus was not permanently saved.

How do I fix this problem?



From: "robert dugal" <[EMAIL PROTECTED]>
To: dev-tech-crypto@lists.mozilla.org
Subject: Re: pkcs11 provider password issues
Date: Fri, 10 Feb 2006 13:27:53 +0000

Hi Robert,

robert dugal wrote:
> SSL_AuthCertificate() is called to verify a certificate chain during an
> SSL/TLS handshake. It ends up calling pk11_RetrieveCrls() which then
> calls PK11_GetAllTokens() which loads every P11 token, including those
> that need a login. I am not certain how I can get around this.

This search isn't unnecessary. The cert verification algorithm is looking for CRLs and needs to search for objects in the token. If it didn't authenticate at this step, it would authenticate to find certificates.

One way around this is to make your token "friendly", which means it will allow C_FindObjects to work without being logged in, and will only require you to be logged in if you are using private keys in the token.

Thanks Julien, I tested this and it works.


_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
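The two behaviours discussed in this thread (Julien's "friendly" token, which lets C_FindObjects run on public objects without a login, and the nssToken_IsPrivateKeyAvailable() lookup in Robert's later message, which falls back to a public-key search by CKA_CLASS and CKA_ID when the slot is not logged in) can be replayed in a small model of a token's object store. This is an added example written for this page; it is not NSS code and not the poster's provider. The object store, the session-close behaviour, the "friendly" policy and the CKA_ID bytes are assumptions of the model; the class and attribute names mirror cryptoki but are defined locally so no pkcs11.h is needed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local stand-ins for the cryptoki names used below (assumption: same
 * semantics as PKCS#11, defined here so the file is self-contained). */
typedef unsigned long CK_RV;
enum { CKR_OK = 0, CKR_USER_NOT_LOGGED_IN = 0x101 };
enum { CKO_CERTIFICATE = 1, CKO_PUBLIC_KEY = 2, CKO_PRIVATE_KEY = 3 };

typedef struct {
    unsigned long cls;   /* CKA_CLASS */
    bool token;          /* CKA_TOKEN: persisted, or session-only */
    bool priv;           /* CKA_PRIVATE: only visible/usable after C_Login */
    uint8_t id[8];       /* CKA_ID shared by cert, public key and private key */
    size_t id_len;
} Object;

#define MAX_OBJECTS 16
typedef struct {
    Object objs[MAX_OBJECTS];
    size_t n;
    bool friendly;    /* "friendly": C_FindObjects works on public objects before login */
    bool logged_in;
} Token;

static Object make_object(unsigned long cls, bool token, bool priv,
                          const uint8_t *id, size_t id_len) {
    Object o;
    memset(&o, 0, sizeof o);
    o.cls = cls; o.token = token; o.priv = priv;
    memcpy(o.id, id, id_len); o.id_len = id_len;
    return o;
}

/* Model of C_CreateObject / C_UnwrapKey: store the object as given. */
static void token_create_object(Token *t, Object o) {
    if (t->n < MAX_OBJECTS) t->objs[t->n++] = o;
}

/* Session objects live only as long as the session that created them;
 * closing the session discards everything without CKA_TOKEN=true. */
static void token_close_session(Token *t) {
    size_t kept = 0;
    for (size_t i = 0; i < t->n; i++)
        if (t->objs[i].token) t->objs[kept++] = t->objs[i];
    t->n = kept;
}

/* Model of C_FindObjects with a CKA_CLASS + CKA_ID template. A non-friendly
 * token refuses to search before login; a friendly one searches but still
 * hides CKA_PRIVATE objects from a logged-out session. */
static const Object *token_find(const Token *t, unsigned long cls,
                                const uint8_t *id, size_t id_len, CK_RV *rv) {
    *rv = CKR_OK;
    if (!t->logged_in && !t->friendly) {
        *rv = CKR_USER_NOT_LOGGED_IN;
        return NULL;
    }
    for (size_t i = 0; i < t->n; i++) {
        const Object *o = &t->objs[i];
        if (o->priv && !t->logged_in) continue;
        if (o->cls == cls && o->id_len == id_len && memcmp(o->id, id, id_len) == 0)
            return o;
    }
    return NULL;
}

/* Model of nssToken_IsPrivateKeyAvailable(): logged in, look for the private
 * key; logged out, settle for a matching public key under the same CKA_ID. */
static bool is_private_key_available(const Token *t, const uint8_t *id, size_t id_len) {
    CK_RV rv;
    unsigned long cls = t->logged_in ? CKO_PRIVATE_KEY : CKO_PUBLIC_KEY;
    return token_find(t, cls, id, id_len, &rv) != NULL;
}

/* Replay the p12 import from the thread: private key (C_UnwrapKey) and cert
 * (C_CreateObject) persisted, public key created with or without CKA_TOKEN,
 * then the session closes and the Certificate Manager asks for the key. */
bool key_available_after_import(bool friendly, bool persist_pubkey, bool logged_in_at_query) {
    static const uint8_t id[] = {0xde, 0xad, 0xbe, 0xef};   /* constructed CKA_ID */
    Token t = {0};
    t.friendly = friendly;
    t.logged_in = true;                                      /* import happens after C_Login */
    token_create_object(&t, make_object(CKO_PRIVATE_KEY, true, true, id, sizeof id));
    token_create_object(&t, make_object(CKO_CERTIFICATE, true, false, id, sizeof id));
    token_create_object(&t, make_object(CKO_PUBLIC_KEY, persist_pubkey, false, id, sizeof id));
    token_close_session(&t);
    t.logged_in = logged_in_at_query;
    return is_private_key_available(&t, id, sizeof id);
}

/* Julien's point: a friendly token answers a certificate search (as the CRL
 * lookup in SSL_AuthCertificate() would issue) without a login prompt. */
bool cert_visible(bool friendly, bool logged_in) {
    static const uint8_t id[] = {0xde, 0xad, 0xbe, 0xef};   /* constructed CKA_ID */
    Token t = {0};
    t.friendly = friendly;
    t.logged_in = true;
    token_create_object(&t, make_object(CKO_CERTIFICATE, true, false, id, sizeof id));
    t.logged_in = logged_in;
    CK_RV rv;
    return token_find(&t, CKO_CERTIFICATE, id, sizeof id, &rv) != NULL;
}

int main(void) {
    printf("friendly, session-only pubkey, logged out: %d\n", key_available_after_import(true, false, false));
    printf("friendly, persisted pubkey, logged out:    %d\n", key_available_after_import(true, true, false));
    printf("non-friendly, persisted pubkey, logged out: %d\n", key_available_after_import(false, true, false));
    printf("friendly cert search without login:        %d\n", cert_visible(true, false));
    return 0;
}
```

The model reproduces what the thread observes: with a friendly token and a session-only public key, the logged-out lookup finds nothing because the only object with that CKA_ID that is both public and persisted is the certificate, not a CKO_PUBLIC_KEY; the same lookup succeeds once a public-key object with CKA_TOKEN=true exists, which is only this model's illustration and not a statement of how the poster's provider or NSS must be changed.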

