Christian Bongiorno wrote:
I am currently writing a PKCS11 module for a new card that is required by policy to have 3 certs for 3 different uses (I have no idea why). There is 1 for client authentication, 1 for signing emails, and 1 for encryption. When I go to use firefox for client authentication the 1 certificate that is valid for client authentication is shown (which is good).

However, FF ALWAYS uses the first certificate it finds from PKCS11. I can switch the order around of the certs in my code and FF will always select the first one even if the usage for SSL is not there, even if I didn't select it when prompted.
So all signing certs are expected to be usable for Client Auth, as long as they chain to one of the root certificates sent by the server. There are recent changes to FF to prefer certificates which do have the non-repudiation bit turned off. I believe these changes went into FF 2.0.

SSL usage in a certificate really means SSL server usage.

So that answers the first set of issues; the last one is that it didn't even use the cert you selected in the selection box (I'm assuming you set ask every). Do both certs show up in the selection box? How did you select between the 2 certs in the box?

bob



This seems like a bug to me and I can certainly see how this may not have been so thoroughly tested (it's an obscure part of the app and it's being used in a very non-conventional manner). Unless I missed something I am calling this a bug.

I am inlining a snip of the logs to show the situation. You'll notice at the end that it looks for:
    CKA_ID                [size : 0x4 (4)]
    04000000
    CKA_CLASS             CKO_PRIVATE_KEY

but in fact, CKA_ID 4 is the wrong one (it is however the first X.509 cert it encounters). The one we want is hObject = 0x5 (CKA_ID 5).

Christian
http://christian.bongiorno.org
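An added example, not NSS/Firefox code and not Christian's module, modelling the pairing the thread is about: the private key has to be looked up by the CKA_ID of the certificate the user selected, not by the first certificate the token returns. The token contents are constructed to mirror the log (three certs, CKA_ID 4/5/6, each with a matching private key); the CKO_* values and the KeyUsage DER encoding are the real ones.

```python
"""Pairing an X.509 certificate with its private key on a PKCS#11 token.
Constructed model, not Firefox/NSS code; the object table below is made up."""

CKO_CERTIFICATE, CKO_PRIVATE_KEY = 1, 3  # PKCS#11 object class values

KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]

# Constructed token contents: a cert and a private key per CKA_ID, as in the log.
TOKEN = [
    {"CKA_CLASS": CKO_CERTIFICATE, "CKA_ID": b"\x04\x00\x00\x00",
     "CKA_LABEL": "email signing", "key_usage": b"\x03\x02\x06\xc0"},
    {"CKA_CLASS": CKO_CERTIFICATE, "CKA_ID": b"\x05\x00\x00\x00",
     "CKA_LABEL": "client auth", "key_usage": b"\x03\x02\x07\x80"},
    {"CKA_CLASS": CKO_CERTIFICATE, "CKA_ID": b"\x06\x00\x00\x00",
     "CKA_LABEL": "encryption", "key_usage": b"\x03\x02\x05\x20"},
    {"CKA_CLASS": CKO_PRIVATE_KEY, "CKA_ID": b"\x04\x00\x00\x00"},
    {"CKA_CLASS": CKO_PRIVATE_KEY, "CKA_ID": b"\x05\x00\x00\x00"},
    {"CKA_CLASS": CKO_PRIVATE_KEY, "CKA_ID": b"\x06\x00\x00\x00"},
]

def decode_key_usage(der):
    """Decode a DER KeyUsage BIT STRING (tag 0x03, short length) into bit names."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a DER BIT STRING")
    unused, bits = der[2], der[3:]
    total = len(bits) * 8 - unused
    return {KEY_USAGE_BITS[i] for i in range(min(total, len(KEY_USAGE_BITS)))
            if bits[i // 8] & (0x80 >> (i % 8))}

def find_objects(template):
    """Like C_FindObjects: objects whose attributes all match the template."""
    return [o for o in TOKEN if all(o.get(k) == v for k, v in template.items())]

def client_auth_candidates():
    """Certs usable for SSL client auth: digitalSignature set; per bob's note,
    certs with nonRepudiation off are preferred (sorted first)."""
    certs = [c for c in find_objects({"CKA_CLASS": CKO_CERTIFICATE})
             if "digitalSignature" in decode_key_usage(c["key_usage"])]
    return sorted(certs, key=lambda c: "nonRepudiation" in decode_key_usage(c["key_usage"]))

def private_key_for(cert):
    """Correct pairing: the private key that shares the selected cert's CKA_ID."""
    keys = find_objects({"CKA_CLASS": CKO_PRIVATE_KEY, "CKA_ID": cert["CKA_ID"]})
    return keys[0] if keys else None

def first_cert_private_key():
    """The behaviour reported in the thread: key of the first cert found, whatever was selected."""
    return private_key_for(find_objects({"CKA_CLASS": CKO_CERTIFICATE})[0])
```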



-------------------------------

...



_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
