I am currently writing a PKCS11 module for a new card that is required by policy to have 3 certs for 3 different uses (I have no idea why). There is 1 for client authentication, 1 for signing emails, and 1 for encryption. When I go to use Firefox for client authentication, the 1 certificate that is valid for client authentication is shown (which is good).

However, FF ALWAYS uses the first certificate it finds from PKCS11. I can switch the order around of the certs in my code and FF will always select the first one even if the usage for SSL is not there, even if I didn't select it when prompted.

This seems like a bug to me and I can certainly see how this may have not been so thoroughly tested (it's an obscure part of the app and it's being used in a very non-conventional manner). Unless I missed something I am calling this a bug.

I am inlining a snip of the logs to show the situation. You'll notice at the end that it looks for:
    CKA_ID                [size : 0x4 (4)]
    04000000
    CKA_CLASS             CKO_PRIVATE_KEY

but in fact, CKA_ID 4 is the wrong one (it is, however, the first X_509 cert it encounters). The one we want is hObject = 0x5 (CKA_ID) 5.

Christian
http://christian.bongiorno.org

-------------------------------

...


46: C_GetAttributeValue
[in] hSession = 0x1
[in] hObject = 0x2
[in] pTemplate[10]:
    CKA_CLASS             requested with 4 buffer
    CKA_TOKEN             requested with 1 buffer
    CKA_LABEL             requested with 39 buffer
    CKA_CERTIFICATE_TYPE  requested with 4 buffer
    CKA_ID                requested with 4 buffer
    CKA_VALUE             requested with 1198 buffer
    CKA_ISSUER            requested with 96 buffer
    CKA_SERIAL_NUMBER     requested with 1 buffer
    CKA_SUBJECT           requested with 128 buffer
    CKA_NETSCAPE_EMAIL(Netsc)                      requested with 0 buffer
[out] pTemplate[10]:
    CKA_CLASS             CKO_CERTIFICATE
    CKA_TOKEN             True
    CKA_LABEL             [size : 0x27 (39)]
    582E3530 39204365 72746966 69636174 6520666F 72204469 67697461 6C205369
     X . 5 0  9 . C e  r t i f  i c a t  e . f o  r . D i  g i t a  l . S i
    676E6174 757265
     g n a t  u r e
    CKA_CERTIFICATE_TYPE  CKC_X_509
    CKA_ID                [size : 0x4 (4)]
    04000000
    CKA_VALUE             [size : 0x4AE (1198)]
    308204AA 30820392 A0030201 02020102 300D0609 2A864886 F70D0101
        ...
    CKA_ISSUER            [size : 0x60 (96)]
    305E311B 30190603 55040313 12456C65 6374726F 736F6674 20504956 20434131
    0B300906 03550406 13025553 310B3009 06035504 08130256 41310F30 0D060355
    04071306 52657374 6F6E3114 30120603 55040A13 0B456C65 6374726F 736F6674
    DN: CN=Electrosoft PIV CA, C=US, ST=VA, L=Reston, O=Electrosoft
    CKA_SERIAL_NUMBER     [size : 0x1 (1)]
    02
    CKA_SUBJECT           [size : 0x80 (128)]
    307E312D 302B0609 2A864886 F70D0109 01161E63 626F6E67 696F726E 6F40656C
    65637472 6F736F66 742D696E 632E636F 6D310B30 09060355 04061302 55533114
    30120603 55040A13 0B456C65 6374726F 736F6674 310C300A 06035504 0B13034C
    6162311C 301A0603 55040313 13436872 69737469 616E2042 6F6E6769 6F726E6F
DN: [EMAIL PROTECTED], C=US, O=Electrosoft, OU=Lab, CN=Christian Bongiorno
    CKA_NETSCAPE_EMAIL(Netsc)                      has size -1
Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID



50: C_GetAttributeValue
[in] hSession = 0x1
[in] hObject = 0x5
[in] pTemplate[10]:
    CKA_CLASS             requested with 4 buffer
    CKA_TOKEN             requested with 1 buffer
    CKA_LABEL             requested with 40 buffer
    CKA_CERTIFICATE_TYPE  requested with 4 buffer
    CKA_ID                requested with 4 buffer
    CKA_VALUE             requested with 1250 buffer
    CKA_ISSUER            requested with 96 buffer
    CKA_SERIAL_NUMBER     requested with 1 buffer
    CKA_SUBJECT           requested with 128 buffer
    CKA_NETSCAPE_EMAIL(Netsc)                      requested with 0 buffer
[out] pTemplate[10]:
    CKA_CLASS             CKO_CERTIFICATE
    CKA_TOKEN             True
    CKA_LABEL             [size : 0x28 (40)]
    582E3530 39204365 72746966 69636174 6520666F 72205049 56204175 7468656E
     X . 5 0  9 . C e  r t i f  i c a t  e . f o  r . P I  V . A u  t h e n
    74696361 74696F6E
     t i c a  t i o n
    CKA_CERTIFICATE_TYPE  CKC_X_509
    CKA_ID                [size : 0x4 (4)]
    05000000
    CKA_VALUE             [size : 0x4E2 (1250)]
    308204DE 308203C6 A0030201 02020101 300D0609 2A864886 F70D0101
        ...
    CKA_ISSUER            [size : 0x60 (96)]
    305E311B 30190603 55040313 12456C65 6374726F 736F6674 20504956 20434131
    0B300906 03550406 13025553 310B3009 06035504 08130256 41310F30 0D060355
    04071306 52657374 6F6E3114 30120603 55040A13 0B456C65 6374726F 736F6674
    DN: CN=Electrosoft PIV CA, C=US, ST=VA, L=Reston, O=Electrosoft
    CKA_SERIAL_NUMBER     [size : 0x1 (1)]
    01
    CKA_SUBJECT           [size : 0x80 (128)]
    307E312D 302B0609 2A864886 F70D0109 01161E63 626F6E67 696F726E 6F40656C
    65637472 6F736F66 742D696E 632E636F 6D310B30 09060355 04061302 55533114
    30120603 55040A13 0B456C65 6374726F 736F6674 310C300A 06035504 0B13034C
    6162311C 301A0603 55040313 13436872 69737469 616E2042 6F6E6769 6F726E6F
DN: [EMAIL PROTECTED], C=US, O=Electrosoft, OU=Lab, CN=Christian Bongiorno
    CKA_NETSCAPE_EMAIL(Netsc)                      has size -1
Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID
...

54: C_GetAttributeValue
[in] hSession = 0x1
[in] hObject = 0x8
[in] pTemplate[10]:
    CKA_CLASS             requested with 4 buffer
    CKA_TOKEN             requested with 1 buffer
    CKA_LABEL             requested with 36 buffer
    CKA_CERTIFICATE_TYPE  requested with 4 buffer
    CKA_ID                requested with 4 buffer
    CKA_VALUE             requested with 1198 buffer
    CKA_ISSUER            requested with 96 buffer
    CKA_SERIAL_NUMBER     requested with 1 buffer
    CKA_SUBJECT           requested with 128 buffer
    CKA_NETSCAPE_EMAIL(Netsc)                      requested with 0 buffer
[out] pTemplate[10]:
    CKA_CLASS             CKO_CERTIFICATE
    CKA_TOKEN             True
    CKA_LABEL             [size : 0x24 (36)]
    582E3530 39204365 72746966 69636174 6520666F 72204B65 79204D61 6E616765
     X . 5 0  9 . C e  r t i f  i c a t  e . f o  r . K e  y . M a  n a g e
    6D656E74
     m e n t
    CKA_CERTIFICATE_TYPE  CKC_X_509
    CKA_ID                [size : 0x4 (4)]
    06000000
    CKA_VALUE             [size : 0x4AE (1198)]
    308204AA 30820392 A0030201 02020103 300D0609 2A864886 F70D0101
        ...
    CKA_ISSUER            [size : 0x60 (96)]
    305E311B 30190603 55040313 12456C65 6374726F 736F6674 20504956 20434131
    0B300906 03550406 13025553 310B3009 06035504 08130256 41310F30 0D060355
    04071306 52657374 6F6E3114 30120603 55040A13 0B456C65 6374726F 736F6674
    DN: CN=Electrosoft PIV CA, C=US, ST=VA, L=Reston, O=Electrosoft
    CKA_SERIAL_NUMBER     [size : 0x1 (1)]
    03
    CKA_SUBJECT           [size : 0x80 (128)]
    307E312D 302B0609 2A864886 F70D0109 01161E63 626F6E67 696F726E 6F40656C
    65637472 6F736F66 742D696E 632E636F 6D310B30 09060355 04061302 55533114
    30120603 55040A13 0B456C65 6374726F 736F6674 310C300A 06035504 0B13034C
    6162311C 301A0603 55040313 13436872 69737469 616E2042 6F6E6769 6F726E6F
DN: [EMAIL PROTECTED], C=US, O=Electrosoft, OU=Lab, CN=Christian Bongiorno
    CKA_NETSCAPE_EMAIL(Netsc)                      has size -1
Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID

...

138: C_GetAttributeValue
[in] hSession = 0x1
[in] hObject = 0x3
[in] pTemplate[2]:
    CKA_ID                requested with 4 buffer
    CKA_CLASS             requested with 4 buffer
[out] pTemplate[2]:
    CKA_ID                [size : 0x4 (4)]
    04000000
    CKA_CLASS             CKO_PUBLIC_KEY
Returned:  0 CKR_OK


139: C_FindObjectsInit
[in] hSession = 0x1
[in] pTemplate[2]:
    CKA_ID                [size : 0x4 (4)]
    04000000
    CKA_CLASS             CKO_PRIVATE_KEY
Returned:  0 CKR_OK


140: C_FindObjects
[in] hSession = 0x1
[in] ulMaxObjectCount = 0x1
[out] ulObjectCount = 0x1
Object 4 Matches
Returned:  0 CKR_OK


141: C_FindObjectsFinal
[in] hSession = 0x1
Returned:  0 CKR_OK


142: C_GetAttributeValue
[in] hSession = 0x1
[in] hObject = 0x4
[in] pTemplate[1]:
    CKA_KEY_TYPE          requested with 4 buffer
[out] pTemplate[1]:
    CKA_KEY_TYPE          CKK_RSA
Returned:  0 CKR_OK


143: C_GetAttributeValue
[in] hSession = 0x1
[in] hObject = 0x4
[in] pTemplate[1]:
    CKA_TOKEN             requested with 1 buffer
[out] pTemplate[1]:
    CKA_TOKEN             True
Returned:  0 CKR_OK


144: C_GetAttributeValue
[in] hSession = 0x1
[in] hObject = 0x4
[in] pTemplate[1]:
    CKA_PRIVATE           requested with 1 buffer
[out] pTemplate[1]:
    CKA_PRIVATE           True
Returned:  0 CKR_OK


145: C_GetAttributeValue
[in] hSession = 0x1
[in] hObject = 0x4
[in] pTemplate[1]:
    CKA_MODULUS           requested with 0 buffer
[out] pTemplate[1]:
    CKA_MODULUS           has size 128
Returned:  0 CKR_OK


146: C_GetAttributeValue
[in] hSession = 0x1
[in] hObject = 0x4
[in] pTemplate[1]:
    CKA_MODULUS           requested with 128 buffer
[out] pTemplate[1]:
    CKA_MODULUS           [size : 0x80 (128)]
    B73090D3 B8A3073D 737DDE07 BA0DB69B 544DF5E6 621355A3 C36E4100 4B3BAF95
    55B0E6DC FD5CE377 7192D7DF DA3211AD 8F340015 5B55977B 3AA1432C D7091BC2
    ECD1AF91 6DA0911B B83DEC22 3EEE4301 AF640592 F7DA8C73 FA714911 7B60E267
    ED9FAA44 194200A7 EA695B53 290C7F9C EC4D8FE7 5851ED45 D1F0A1E8 21EDF099
Returned:  0 CKR_OK


147: C_GetAttributeValue
[in] hSession = 0x1
[in] hObject = 0x4
[in] pTemplate[1]:
    CKA_PRIVATE           requested with 1 buffer
[out] pTemplate[1]:
    CKA_PRIVATE           True
Returned:  0 CKR_OK


148: C_OpenSession
[in] slotID = 0x0
[in] flags = 0x4
pApplication=0257B738
Notify=601DE130
[out] *phSession = 0x2dbfd3c
Returned:  177 CKR_SESSION_COUNT


149: C_SignInit
[in] hSession = 0x1
pMechanism->type=CKM_RSA_PKCS
[in] hKey = 0x4
Returned:  0 CKR_OK


150: C_Sign
[in] hSession = 0x1
[in] pData[ulDataLen] [size : 0x24 (36)]
    2F98A6B3 DEC83DCF 2BC25E3D B00ADD33 40C606E2 D6522CFC A416D8CA 52CBCFAD
    9B1CDCBE
[out] pSignature[*pulSignatureLen] [size : 0x80 (128)]
    7D216698 4BC02842 31E11BE3 1DF93839 976543C1 EF77CBC6 C3B3AD20 58F28D3A
    9B9E343B 8C51D732 FA9AD3DA FA6233C1 41EC7772 1F8D6678 955132BC E57E96CB
    BAF9AE6E 1751F685 E9B02C22 5318BB3D 04476628 CB80FB27 6BE4EF4B 6BEA68A5
    6D253E09 E71187D3 0C22CE48 CE4347AE BFCEE633 8776A714 FB8DE6FB 74FEBFF7
Returned:  0 CKR_OK
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
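
An added example, not part of the original post and not code from NSS or Firefox: a small parser for a trace in the layout above that follows the handle passed to C_SignInit back through C_FindObjectsInit/C_FindObjects to its CKA_ID, then lists the certificate objects that carry the same CKA_ID. The function name and the condensed sample log are constructed for illustration; handles are assumed to be logged in hex.

```python
import re

# Constructed sample: the post's trace condensed to the lines this parser reads.
SAMPLE_LOG = """\
46: C_GetAttributeValue
[in] hObject = 0x2
    CKA_CLASS             CKO_CERTIFICATE
    CKA_ID                [size : 0x4 (4)]
    04000000
50: C_GetAttributeValue
[in] hObject = 0x5
    CKA_CLASS             CKO_CERTIFICATE
    CKA_ID                [size : 0x4 (4)]
    05000000
139: C_FindObjectsInit
    CKA_ID                [size : 0x4 (4)]
    04000000
    CKA_CLASS             CKO_PRIVATE_KEY
140: C_FindObjects
Object 4 Matches
149: C_SignInit
[in] hKey = 0x4
"""

def trace_signing_key(log):
    """Map the C_SignInit key back to the certificates sharing its CKA_ID."""
    objects, search, call, handle, sign_key, want_id = {}, {}, None, None, None, False
    def attrs():  # attributes belong to the search template or to the object read
        return search if call == "C_FindObjectsInit" else objects.setdefault(handle, {})
    for s in map(str.strip, log.splitlines()):
        if m := re.match(r"\d+: (C_\w+)", s):
            call, handle, want_id = m.group(1), None, False
            search = {} if call == "C_FindObjectsInit" else search
        elif m := re.match(r"\[in\] (?:hObject|hKey) = (\w+)", s):
            handle = int(m.group(1), 16)  # assumption: handles are logged in hex
            if call == "C_SignInit":
                sign_key = handle
        elif m := re.match(r"Object (\w+) Matches", s):
            objects.setdefault(int(m.group(1), 16), {}).update(search)
        elif m := re.match(r"CKA_CLASS\s+(CKO_\w+)", s):
            attrs()["class"] = m.group(1)
        elif re.match(r"CKA_ID\s+\[size", s):
            want_id = True  # the value is on the next line (single-line IDs only)
        elif want_id:
            attrs()["id"], want_id = s.replace(" ", ""), False
    key_id = objects.get(sign_key, {}).get("id")
    certs = sorted(h for h, a in objects.items()
                   if key_id and a.get("class") == "CKO_CERTIFICATE" and a.get("id") == key_id)
    return {"sign_key": sign_key, "cka_id": key_id, "paired_certs": certs}
```

On the sample, the signing key resolves to handle 4 with CKA_ID 04000000, which pairs with certificate object 0x2 rather than 0x5.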
