Nelson,

Thanks for your help. Here are my answers to your questions:
Some questions:

a) When you see the dialog for choosing a certificate, do the names of the certs that appear in that dialog bear the strings from your CKA_LABEL attributes?

I think yes. Actually the string in my CKA_LABEL attr. is the friendly name of a cert.

Do the names in that list start with the name of your token or slot? e.g. token name: cert label ?

Yes. The name format is

token name:cert label [cert serial number]

e.g. A selected item from the cert selection list is

EToken:[EMAIL PROTECTED] [a1:12:3d:34:78:81:45:ad:56:10]

and the value of the CKA_LABEL and CKA_ID are set to [EMAIL PROTECTED]

Where the [EMAIL PROTECTED] is unique.

b) how many certs from your module appear in that list?

I have three. For my test purpose, I only selected the second one. If there is a single cert, then the auth is fine.

c) Does the browser then ask for the wrong key, e.g. a key for a different cert in your token? or does it fail to ask for any key from your module?

Actually what I want is the browser simply picks up the selected cert, then lets the pkcs11 module figure out its corresponding private key based on the user selection. So assume not ask for a key is correct in my module. By checking the module log file, the first cert that appears in the selection list is always used for locating a private key.

d) You're doing SSL client authentication. What does the server see?

- no client auth at all?

If in the cert selection list there is a single cert, the client auth is fine. Else fails.

- client auth with the wrong cert?

Yes.

- client auth with the right cert but a bad signature?

Nelson B wrote:
> ben wrote:
>
> > In my case both the attributes CKA_ID and CKA_LABEL are set to a same
> > unique name regardless whether the cert subject name is unique or not.
> > For the corresponding private key the CKA_ID and CKA_LABEL attributes
> > are also set to the same value as that of CKA_ID and CKA_LABEL
> > attributes of its cert's.
> >
> > Can CKA_ID and CKA_LABEL be set to the same value or not?
>
> Yes, they are separate spaces, so I think it doesn't matter if their
> values match each other, or not, as long as each is unique within
> its own space.
>
> > From my log file I cannot see a reason of why the browser didn't pick
> > up the selected private key.
>
> Some questions:
>
> a) When you see the dialog for choosing a certificate, do the names of
> the certs that appear in that dialog bear the strings from your CKA_LABEL
> attributes?
>
> Do the names in that list start with the name of your token or slot?
> e.g. token name: cert label ?
>
> b) how many certs from your module appear in that list?
>
> c) Does the browser then ask for the wrong key,
> e.g. a key for a different cert in your token?
> or does it fail to ask for any key from your module?
>
> d) You're doing SSL client authentication. What does the server see?
> - no client auth at all?
> - client auth with the wrong cert?
> - client auth with the right cert but a bad signature?
>
> --
> Nelson B

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto