Hi Nelson,

my PKCS#11 returns this CKA_LABEL:

<Certificado de NOMBRE CORRAL AGÜERO FRANCISCO JOSE - NIF 16039283A>

to Thunderbird. Characters in this CKA_LABEL are coded with the CK_UTF8CHAR data type. Could you tell me in which format Thunderbird expects to receive CKA_LABEL? I don't know if I have to perform a special treatment when my PKCS11 reads a certificate with special UTF-8 chars in its CKA_LABEL.

The certificate I'm using has the proper attributes for mail signing.

Thanks.

Nelson Bolyard wrote:
> j.fabre wrote:
>
>> Hi all,
>>
>> I'm trying to configure a user certificate for mail signing purposes in
>> Thunderbird (I've tested it in 1.5 and 2.0 versions with identical
>> results). This certificate is stored in a smart card, and I access it
>> through a correctly installed PKCS11 module.
>> The DN of my user certificate has special characters, like ü, or ñ.
>> When ThunderBird allows me to choose the user certificate that I want to
>> use for mail signing, it shows me only its serial number ("3C:91:44:B1")
>> in the certificate selection menu.
>>
>
> Mozilla shows you the name given to mozilla by the PKCS#11 module.
> IIRC, it is the CKA_LABEL attribute on the object that is shown as the
> "nick name" of the cert. Mozilla is at the mercy of the PKCS#11 module,
> and can't show you a different name than the one the PKCS#11 module gives it.
>
>
>> My problem emerges because thunderbird shows me this option with the
>> serial number (instead of the certificate's CN), and I can't find the way to
>> configure my certificate for signing purposes because I cannot select
>> this certificate :-( .
>>
>
> Does that serial number not show up in the drop-down list of "user" certs
> from which to select a cert?
>
> Is the cert valid for being a signing cert?
> or Does it have extensions that say (in effect)
> "this cert is only valid for purposes other than signing" ?
>
> Mozilla won't let you select a cert that isn't valid for signing, or that
> lacks a CKA_LABEL. I think UTF8 should be OK in CKA_LABELs.
>
> (I hope I'm not misremembering which of the PKCS#11 attributes holds the
> nick name/friendly name. I'm pretty sure it's CKA_LABEL, but not 100%.)
>
>
>> ¿Anyone knows if Mozilla Thunderbird has any limitation using
>> certificates with special characters (coded in UTF-8) at their CN for
>> signing purposes?
>>
>
>
>> I forgot to mention one detail.
>> I tested the same procedure importing the same certificate from a .PFX into
>> Thunderbird's Certificate Repository, and I see some strange numbers in the
>> certificate selection menu:
>> 980bc80522425e2d97e9b057e7b524b2_f23bddfe-ed63-4dd1-8a64-eb0cb8bd01c6
>>
>
> That's a Microsoft GUID (or UUID), a 256-bit pseudo-random number that
> Windows assigned to your cert. Before you export your cert in a PFX file,
> you can go in and give the cert a humanly readable "friendly name" with
> Windows' certificate manager. If you do that, then when you export the
> cert in a PFX file, it will have the friendly name you gave it, otherwise
> it will have that awful UUID name.
>
>
>> [3C:91:44:B1].
>> I can select this certificate choosing the option with the strange numbers
>> above, and then I can sign emails without problems.
>>
>
> That tells me that mozilla was able to use the "friendly name" from the PFX
> file as a nickname and a CKA_LABEL, even though it wasn't very friendly. :)
> But apparently whatever was coming from the PKCS#11 module was unusable.
>
>
>> ¿What can I do to make Thunderbird understand my certificate in order to
>> sign?
>> ¿Do I have to modify my PKCS11 code in order to do any kind of processing on
>> the certificate's common name char array? I recover this char array using
>> OpenSSL's function X509_NAME_get_text_by_NID.
>>
>
> Can't help you with OpenSSL.
>
>
>> Regards.
>>
>
> _______________________________________________
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto