ben wrote:
> I installed my PKCS11 module into the Firefox browser. I can see my
> certs on my token from the Certificates Manager of the browser.
> Turn on the option -- "Ask me every time". Then I started a Client Site
> SSL connection to my web server. The browser popped up the cert
> selection list box. I selected one. However, my pkcs11 module cannot
> get the correct selection. It always picks up the first cert.
> Can someone tell me how the browser passes the pkcs11 module a selected
> cert index?
> Basically I use a selected cert index to locate its private in the key
> store and then do a signing job.

I gather that you're a developer of a PKCS#11 module. Yes?

NSS has a built-in PKCS#11 interface logging facility, to help debugging PKCS#11 modules and their interactions with NSS. To learn about it, google for NSS_DEBUG_PKCS11_MODULE. I suspect it will show you what's really going on.

Here are some guesses. Apparently, the different certs do not appear to Firefox to be uniquely identified in some way. Each of the certificate objects in the PKCS#11 module must have a unique CKA_ID attribute. If the certificates have different subject names, they should also have unique CKA_LABEL attributes. (That is, for each unique subject name, there should be a unique CKA_LABEL attribute, IIRC.) The private key object must have the same CKA_ID attribute value as its corresponding certificate object. (CKA_ID values must be unique among objects of the same type, but not among objects of different types.)

Hope this helps.

--
Nelson B
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
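
The attribute rules listed in the reply above, as an added example (not part of the original message and not NSS code): a C check over a simplified in-memory model of token objects. The `token_obj` struct, the `check_token` function and both sample tokens are constructed for illustration; a real module would read these attributes from its own object store.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of token objects (hypothetical struct, not pkcs11.h types).
   Class values equal the PKCS#11 constants CKO_CERTIFICATE and CKO_PRIVATE_KEY. */
enum { OBJ_CERT = 1, OBJ_PRIVKEY = 3 };
typedef struct {
    int cls;              /* CKA_CLASS */
    const char *id;       /* CKA_ID, written as hex text for brevity */
    const char *label;    /* CKA_LABEL */
    const char *subject;  /* CKA_SUBJECT as text; NULL for keys */
} token_obj;

/* Returns the number of violations of the rules in the reply above. */
int check_token(const token_obj *o, size_t n) {
    int bad = 0;
    for (size_t i = 0; i < n; i++) {
        int certs_for_key = 0;
        for (size_t j = 0; j < n; j++) {
            int same_id = strcmp(o[i].id, o[j].id) == 0;
            int both_certs = o[i].cls == OBJ_CERT && o[j].cls == OBJ_CERT;
            /* CKA_ID must be unique among objects of the same type. */
            if (i < j && o[i].cls == o[j].cls && same_id) {
                printf("objects %zu and %zu: same type, same CKA_ID\n", i, j);
                bad++;
            }
            /* Certificates with different subject names need different CKA_LABELs. */
            if (i < j && both_certs && strcmp(o[i].subject, o[j].subject) != 0
                && strcmp(o[i].label, o[j].label) == 0) {
                printf("certs %zu and %zu: different subjects, same CKA_LABEL\n", i, j);
                bad++;
            }
            if (o[i].cls == OBJ_PRIVKEY && o[j].cls == OBJ_CERT && same_id)
                certs_for_key++;
        }
        /* A private key is tied to its certificate by an equal CKA_ID. */
        if (o[i].cls == OBJ_PRIVKEY && certs_for_key != 1) {
            printf("key %zu: %d certificates carry its CKA_ID\n", i, certs_for_key);
            bad++;
        }
    }
    return bad;
}

/* Constructed sample tokens: two certificates and two private keys each. */
const token_obj broken_token[] = {
    {OBJ_CERT, "01", "user-cert", "CN=User Signing"}, {OBJ_CERT, "01", "user-cert", "CN=User Login"},
    {OBJ_PRIVKEY, "01", "key-a", NULL}, {OBJ_PRIVKEY, "02", "key-b", NULL} };
const token_obj fixed_token[] = {
    {OBJ_CERT, "01", "user-signing", "CN=User Signing"}, {OBJ_CERT, "02", "user-login", "CN=User Login"},
    {OBJ_PRIVKEY, "01", "key-a", NULL}, {OBJ_PRIVKEY, "02", "key-b", NULL} };
```

On the broken layout the key with ID `01` maps to two certificates and the key with ID `02` maps to none, so a certificate chosen in the browser cannot be resolved to one private key.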