Nelson,

Thanks for your help. Here are my answers to your questions:

> Some questions:
> a) When you see the dialog for choosing a certificate, do the names of the certs that appear in that dialog bear the strings from your CKA_LABEL attributes?

I think yes. Actually the string in my CKA_LABEL attr. is the friendly name of a cert.

> Do the names in that list start with the name of your token or slot? e.g. token name: cert label ?

Yes. The name format is
token name:cert label [cert serial number]
e.g. a selected item from the cert selection list is
EToken:[EMAIL PROTECTED] [a1:12:3d:34:78:81:45:ad:56:10]
and the values of the CKA_LABEL and CKA_ID are set to [EMAIL PROTECTED], where the [EMAIL PROTECTED] is unique. Is the LABEL [EMAIL PROTECTED] legal?

> b) how many certs from your module appear in that list?

I have three. For my test purpose, I only selected the second one. If there is a single cert, then the auth is fine.

> c) Does the browser then ask for the wrong key, e.g. a key for a different cert in your token? or does it fail to ask for any key from your module?

Actually what I want is that the browser simply picks up the selected cert, then lets the pkcs11 module figure out its corresponding private key based on the user selection. So assume not asking for a key is correct in my module. By checking the module log file, the last cert that appears in the selection list is always used for locating a private key. I think because internally my certs are passed and cached in the module in an ascending order, but the browser's cert selection box shows them in a descending order.

> d) You're doing SSL client authentication. What does the server see?
> - no client auth at all?

If in the cert selection list there is a single cert, then client auth is fine. If selecting the last one from the list, then client auth is fine too. Else it fails.

> - client auth with the wrong cert?

Yes. I think so. Internally when signing, the NSS passes in the handle of the first private key for a different and selected cert from the user.

Question: Is there anyone having the same problem?

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
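
A check a module author could run over the token's object list, as an added example that is not part of the original message: PKCS#11 intends a certificate and its private key to carry the same CKA_ID, so the check flags any certificate whose CKA_ID does not resolve to exactly one private key. The object records, labels and IDs below are constructed, and the function name is hypothetical; it assumes the application pairs certificate and key by CKA_ID.

```python
from collections import defaultdict

# Constructed sample of token objects (not taken from the original post).
# Each dict models the attributes a PKCS#11 module returns for one object.
TOKEN_OBJECTS = [
    {"class": "CKO_CERTIFICATE", "CKA_LABEL": "cert-a", "CKA_ID": b"\x01"},
    {"class": "CKO_CERTIFICATE", "CKA_LABEL": "cert-b", "CKA_ID": b"\x02"},
    {"class": "CKO_CERTIFICATE", "CKA_LABEL": "cert-c", "CKA_ID": b"\x02"},  # ID reused
    {"class": "CKO_CERTIFICATE", "CKA_LABEL": "cert-d", "CKA_ID": b"\x04"},  # no key
    {"class": "CKO_PRIVATE_KEY", "CKA_LABEL": "key-a", "CKA_ID": b"\x01"},
    {"class": "CKO_PRIVATE_KEY", "CKA_LABEL": "key-b", "CKA_ID": b"\x02"},
    {"class": "CKO_PRIVATE_KEY", "CKA_LABEL": "key-c", "CKA_ID": b"\x02"},
]


def audit_cert_key_pairing(objects):
    """Return {cert label: problem} for every certificate whose CKA_ID
    does not identify exactly one certificate and one private key."""
    certs_by_id = defaultdict(list)
    keys_by_id = defaultdict(list)
    for obj in objects:
        if obj["class"] == "CKO_CERTIFICATE":
            certs_by_id[obj["CKA_ID"]].append(obj["CKA_LABEL"])
        elif obj["class"] == "CKO_PRIVATE_KEY":
            keys_by_id[obj["CKA_ID"]].append(obj["CKA_LABEL"])

    problems = {}
    for cka_id, labels in certs_by_id.items():
        keys = keys_by_id.get(cka_id, [])
        for label in labels:
            if not keys:
                problems[label] = "no private key with this CKA_ID"
            elif len(keys) > 1 or len(labels) > 1:
                # A lookup by CKA_ID returns several candidates here, so
                # which key gets used depends on enumeration order.
                problems[label] = (
                    f"ambiguous: CKA_ID shared by certs {labels} and keys {keys}"
                )
    return problems


if __name__ == "__main__":
    for label, problem in audit_cert_key_pairing(TOKEN_OBJECTS).items():
        print(f"{label}: {problem}")
```
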