> Christian Bongiorno wrote:
>> I am currently writing a PKCS11 module for a new card that is required by policy to have 3 certs for 3 different uses (I have no idea why). There is 1 for client authentication, 1 for signing emails, and 1 for encryption. When I go to use Firefox for client authentication the 1 certificate that is valid for client authentication is shown (which is good).
>
> So all signing certs are expected to be usable for Client Auth, as long as they chain to one of the root certificates sent by the server. There are recent changes to FF to prefer certificates which do have the non-repudiation bit turned off. I believe these changes went into FF 2.0.
>
>> However, FF ALWAYS uses the first certificate it finds from PKCS11. I can switch the order around of the certs in my code and FF will always select the first one even if the usage for SSL is not there, even if I didn't select it when prompted.
>
> SSL usage in a certificate really means SSL server usage. So that answers the first set of issues. The last one is that it didn't even use the cert you selected in the selection box (I'm assuming you set ask every). Do both certs show up in the selection box? How did you select between the 2 certs in the box?
>
> bob
This seems like a bug to me and I can certainly see how this may have not been so thoroughly tested (it's an obscure part of the app and it's being used in a very non-conventional manner). Unless I missed something I am calling this a bug.

I am inlining a snip of the logs to show the situation. You'll notice at the end that it looks for:

    CKA_ID [size : 0x4 (4)] 04000000 CKA_CLASS CKO_PRIVATE_KEY

but in fact CKA_ID 4 is the wrong one (it is however the first X_509 cert it encounters). The one we want is hObject = 0x5 (CKA_ID) 5.

Christian
http://christian.bongiorno.org
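The pairing the log excerpt turns on is the PKCS#11 CKA_ID link between a certificate object and its private key. The following is an added example, not code from this thread, Firefox or NSS: a small model of a token's object table (handles, CKA_ID values and labels are constructed to mirror the excerpt) showing the lookup a client should do for the certificate the user actually picked, the "first cert enumerated" lookup the thread describes, and a self-check a module author can run to confirm every certificate pairs with exactly one key.

```python
# Added example (not the thread's or any project's code). Models PKCS#11
# objects as dicts keyed by object handle; attribute names follow the
# PKCS#11 spec, the object contents are constructed for illustration.
CKO_CERTIFICATE = 0x1
CKO_PRIVATE_KEY = 0x3

# Constructed token contents: three certs and three keys paired by CKA_ID.
# Handle 0x4 is the first X.509 cert a client enumerates; handle 0x5 is the
# one the user selected in the thread's scenario.
TOKEN_OBJECTS = {
    0x4: {"CKA_CLASS": CKO_CERTIFICATE, "CKA_ID": bytes.fromhex("04000000"), "CKA_LABEL": "email-signing"},
    0x5: {"CKA_CLASS": CKO_CERTIFICATE, "CKA_ID": bytes.fromhex("05000000"), "CKA_LABEL": "client-auth"},
    0x6: {"CKA_CLASS": CKO_CERTIFICATE, "CKA_ID": bytes.fromhex("06000000"), "CKA_LABEL": "encryption"},
    0x14: {"CKA_CLASS": CKO_PRIVATE_KEY, "CKA_ID": bytes.fromhex("04000000")},
    0x15: {"CKA_CLASS": CKO_PRIVATE_KEY, "CKA_ID": bytes.fromhex("05000000")},
    0x16: {"CKA_CLASS": CKO_PRIVATE_KEY, "CKA_ID": bytes.fromhex("06000000")},
}

def find_objects(objects, template):
    """Mimic C_FindObjects: handles whose attributes all match the template, in token order."""
    return [h for h, attrs in objects.items()
            if all(attrs.get(k) == v for k, v in template.items())]

def key_for_cert(objects, cert_handle):
    """Correct pairing: the private key whose CKA_ID equals the chosen cert's CKA_ID."""
    cert_id = objects[cert_handle]["CKA_ID"]
    keys = find_objects(objects, {"CKA_CLASS": CKO_PRIVATE_KEY, "CKA_ID": cert_id})
    if len(keys) != 1:
        raise LookupError(f"expected one private key for CKA_ID {cert_id.hex()}, found {len(keys)}")
    return keys[0]

def key_for_first_cert(objects):
    """The behaviour described in the thread: pair with the first cert enumerated, ignoring the user's choice."""
    first_cert = find_objects(objects, {"CKA_CLASS": CKO_CERTIFICATE})[0]
    return key_for_cert(objects, first_cert)

def check_pairing(objects):
    """Module self-check: every certificate must pair with exactly one private key by CKA_ID."""
    problems = []
    for h in find_objects(objects, {"CKA_CLASS": CKO_CERTIFICATE}):
        try:
            key_for_cert(objects, h)
        except LookupError as err:
            problems.append((h, str(err)))
    return problems
```

Running check_pairing against your module's real object table (via a PKCS#11 wrapper) is a quick way to rule out a CKA_ID mismatch on the module side before attributing the selection to the client.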
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto