j.fabre wrote:
> Hi all,
>
> I'm trying to configure a user certificate for mail signing purposes in
> Thunderbird (I've tested it in 1.5 and 2.0 versions with identical
> results). This certificate is stored in a smart card, and I access it
> through a correctly installed PKCS11 module.
> The DN of my user certificate has special characters, like ü, or ñ.
> When Thunderbird allows me to choose the user certificate that I want to
> use for mail signing, it shows me only its serial number ("3C:91:44:B1")
> in the certificate selection menu.

Mozilla shows you the name given to Mozilla by the PKCS#11 module. IIRC, it is the CKA_LABEL attribute on the object that is shown as the "nick name" of the cert. Mozilla is at the mercy of the PKCS#11 module, and can't show you a different name than the one the PKCS#11 module gives it.

> My problem emerges because Thunderbird shows me this option with the
> serial number (instead of certificate's CN), and I don't find the way to
> configure my certificate for signing purposes because I cannot select
> this certificate :-( .

Does that serial number not show up in the drop-down list of "user" certs from which to select a cert?

Is the cert valid for being a signing cert? Or does it have extensions that say (in effect) "this cert is only valid for purposes other than signing"?

Mozilla won't let you select a cert that isn't valid for signing, or that lacks a CKA_LABEL. I think UTF8 should be OK in CKA_LABELs. (I hope I'm not misremembering which of the PKCS#11 attributes holds the nick name/friendly name. I'm pretty sure it's CKA_LABEL, but not 100%.)

> ¿Anyone knows if Mozilla Thunderbird has any limitation using
> certificates with special characters (coded in UTF-8) at their CN for
> signing purposes?
>
> I forgot to mention one detail.
> I tested the same procedure importing the same certificate from a .PFX into
> Thunderbird's Certificate Repository, and I see strange numbers in the
> certificate selection menu:
> 980bc80522425e2d97e9b057e7b524b2_f23bddfe-ed63-4dd1-8a64-eb0cb8bd01c6

That's a Microsoft GUID (or UUID), a 256-bit pseudo-random number that Windows assigned to your cert. Before you export your cert in a PFX file, you can go in and give the cert a humanly readable "friendly name" with Windows' certificate manager. If you do that, then when you export the cert in a PFX file, it will have the friendly name you gave it, otherwise it will have that awful UUID name.

> [3C:91:44:B1].
> I can select this certificate choosing the option with these strange numbers
> above, and then I can sign emails without problems.

That tells me that Mozilla was able to use the "friendly name" from the PFX file as a nickname and a CKA_LABEL, even though it wasn't very friendly. :) But apparently whatever was coming from the PKCS#11 module was unusable.

> ¿What can I do to make Thunderbird understand my certificate in order to
> sign?
> ¿Do I have to modify my PKCS11 code in order to do any kind of processing on
> the certificate's common name char array? I recover this char array using
> OpenSSL's function X509_NAME_get_text_by_NID.

Can't help you with OpenSSL.

> Regards.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
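
An added example, not code from this thread or from any PKCS#11 module: PKCS#11 defines CKA_LABEL as a UTF-8 string, and X509_NAME_get_text_by_NID copies the CN bytes verbatim without converting them, so a module can check the bytes before using them as a label. The function names and the sample CN are constructed for illustration, and the fallback assumes that CN bytes which are not valid UTF-8 are ISO-8859-1.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample CN "Muñoz": once as ISO-8859-1 bytes, once as UTF-8. */
const unsigned char CN_LATIN1[] = {'M', 'u', 0xF1, 'o', 'z'};
const unsigned char CN_UTF8[]   = {'M', 'u', 0xC3, 0xB1, 'o', 'z'};

/* Returns 1 if s[0..n) is well-formed UTF-8: no stray or missing continuation
   bytes, no overlong forms, no surrogates, nothing above U+10FFFF. */
int is_valid_utf8(const unsigned char *s, size_t n)
{
    for (size_t i = 0; i < n; ) {
        unsigned char c = s[i];
        size_t extra;
        unsigned long cp, min;
        if (c < 0x80) { i++; continue; }
        else if ((c & 0xE0) == 0xC0) { extra = 1; cp = c & 0x1F; min = 0x80; }
        else if ((c & 0xF0) == 0xE0) { extra = 2; cp = c & 0x0F; min = 0x800; }
        else if ((c & 0xF8) == 0xF0) { extra = 3; cp = c & 0x07; min = 0x10000; }
        else return 0;                      /* invalid lead byte */
        if (n - i <= extra) return 0;       /* sequence cut off at end of input */
        for (size_t k = 1; k <= extra; k++) {
            if ((s[i + k] & 0xC0) != 0x80) return 0;
            cp = (cp << 6) | (s[i + k] & 0x3F);
        }
        if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return 0;
        i += extra + 1;
    }
    return 1;
}

/* Hypothetical helper: writes a UTF-8 label for the CN into out and returns
   its length. Returns 0 when the CN is empty or does not fit in cap bytes. */
size_t cn_to_label(const unsigned char *cn, size_t n, unsigned char *out, size_t cap)
{
    size_t o = 0;
    if (n == 0) return 0;
    if (is_valid_utf8(cn, n)) {             /* already UTF-8: copy unchanged */
        if (n > cap) return 0;
        memcpy(out, cn, n);
        return n;
    }
    /* Assumption: bytes that are not UTF-8 are ISO-8859-1; transcode them. */
    for (size_t i = 0; i < n; i++) {
        size_t need = cn[i] < 0x80 ? 1 : 2;
        if (o + need > cap) return 0;
        if (need == 1) { out[o++] = cn[i]; continue; }
        out[o++] = (unsigned char)(0xC0 | (cn[i] >> 6));
        out[o++] = (unsigned char)(0x80 | (cn[i] & 0x3F));
    }
    return o;
}
```

The returned length is what would go into the attribute's value length; a return of 0 means the module has no usable label for that object.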