David Stutzman wrote:
> I'm currently working with JSS and the question pertains to that but I
> imagine it's applicable to NSS as well.

Yes, in this case, JSS is just using NSS directly, so the question is an
NSS question as much as it is a JSS question.

> Certs in the "softoken" certdb don't have any prefix and you just ask for
> them by normal name. Any certs that are on tokens get the token name
> prefixed and separated by a :.

A nickname has this syntax:

    [tokenname:]label

There is a token name for the softoken module's DB token, but it's optional
in nicknames. Any nickname given without a token name prefix is presumed
to be in softoken module's DB token/slot.

> The method CryptoManager.findCertByNickname doesn't search all
> tokens.

It doesn't search any tokens. It takes the token name from the nickname
(which may be implicitly the softoken's DB slot) and asks that token for
an object with that "label" string. The token either replies with the
object with that label, or responds that it has no such object. It's not
a search, in the sense that NSS doesn't enumerate all the objects on the
token looking for one with that label. It's a direct request to the token
for that labeled object.

> I don't see any sort of flag to search on all tokens (such as
> certutil's -h option that you can use to list the contents of all
> tokens).

Right. When you use certutil's -L (list) command without the
"-n nickname" option, it enumerates the certs in the token named by the
-h option (or in the softoken, if -h is not used). If the -h option is
used, but there is no token by the given token name, it searches ALL slots.
That's why "-h all" works. "all" isn't a reserved word, and if you had a
token named "all", then "-h all" would search only that token.

> Is the intended behavior to ask the CryptoManager for an
> enumeration of all tokens and get their names and then run through
> multiple calls to CryptoManager.findCertByNickname with the token name
> prefixed before the nickname?

Intended behavior of what?
That's essentially how certutil's list option works.
It might be instructive to look at certutil's list code, and then figure
out how to do that same thing with JSS.

> Thanks,
> Dave

--
Nelson B
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
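
The token-by-token lookup discussed in this thread, as an added example that is not part of the original messages and is not JSS or certutil code: it enumerates the tokens, builds a `tokenname:label` nickname for each, and makes one direct `findCertByNickname` request per token. The class name `FindCertOnAllTokens` and the command-line arguments (NSS database directory, certificate label) are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.crypto.CryptoToken;
import org.mozilla.jss.crypto.ObjectNotFoundException;
import org.mozilla.jss.crypto.TokenException;
import org.mozilla.jss.crypto.X509Certificate;

// Hypothetical helper class (not part of JSS).
public class FindCertOnAllTokens {

    // Ask each token in turn for the certificate object labelled `label`.
    // Each call is a direct request to one token, not an enumeration of its objects.
    static List<X509Certificate> findOnAllTokens(CryptoManager cm, String label)
            throws TokenException {
        List<X509Certificate> found = new ArrayList<>();
        Enumeration<?> tokens = cm.getAllTokens();
        while (tokens.hasMoreElements()) {
            CryptoToken token = (CryptoToken) tokens.nextElement();
            // Nickname syntax is [tokenname:]label. The softoken DB token also
            // has a name, so the prefix can be used for every token alike.
            String nickname = token.getName() + ":" + label;
            try {
                found.add(cm.findCertByNickname(nickname));
            } catch (ObjectNotFoundException e) {
                // This token holds no object with that label; try the next one.
            }
        }
        return found;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: FindCertOnAllTokens <nss-db-dir> <cert-label>");
            System.exit(2);
        }
        CryptoManager.initialize(args[0]);   // directory holding the NSS databases
        CryptoManager cm = CryptoManager.getInstance();
        List<X509Certificate> certs = findOnAllTokens(cm, args[1]);
        for (X509Certificate cert : certs) {
            System.out.println(cert.getNickname() + "  " + cert.getSubjectDN());
        }
        if (certs.isEmpty()) {
            System.out.println("No token has a certificate labelled " + args[1]);
        }
    }
}
```

The same label can exist on more than one token, so the helper returns every match and leaves the choice of certificate to the caller.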