Hi,

I have got a smart card here with 2 certificates on it (it's officially distributed in Switzerland for digital signatures). They both have the same CKA_Subject, but different CKA_Label. One is for signing only, the other for non-repudiation only. When I choose the signing certificate in Account Settings->Security, CERT_FindUserCertByUsage() gets called with the right nickname as argument, but returns a certificate with a different nickname (namely the non-repudiation certificate).
Basically, CERT_FindUserCertByUsage() does the following steps:

- Find a cert with the given nickname (finds the correct cert)
- Create a list of certs with the same subject the above found cert has (as a result, both certs are in the list, since both have the same subject)
- Filter certs with wrong usage from this list (as a result, both certs remain in the list, since NR implies signing, which is the requested usage)
- Return the first cert in this list (which is the NR-cert)

So there is no possibility that the requested signing cert is ever returned, and so I am not able to sign mails with my signing cert. As a solution I would propose to filter the list also for the requested nickname, right after filtering for the usage. If this is the right way, I will file a new bug and propose an implementation of this solution.

Thanks for reading,
Angelo

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
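The selection steps described in the message above can be reproduced with a small stand-alone model. This is an added example, not NSS code and not from the original post: the `Cert` struct, the usage bits, the `find()` helper and the sample nicknames and subject are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, NOT NSS code: struct and usage bits are hypothetical. */
enum { USE_SIGN = 1, USE_NONREP = 2 };

typedef struct {
    const char *nickname;   /* token label (CKA_Label in the post) */
    const char *subject;    /* subject DN */
    unsigned    key_usage;  /* usage bits present in the cert */
} Cert;

/* Constructed sample: two certs on one card, same subject, different labels.
 * The non-repudiation cert is listed first, as in the reported case. */
static const Cert card[] = {
    { "card:NonRep",  "CN=Example User,C=CH", USE_NONREP },
    { "card:Signing", "CN=Example User,C=CH", USE_SIGN   },
};
#define NCERTS (sizeof card / sizeof card[0])

/* Usage filter as described in the post: non-repudiation implies signing. */
static int usage_ok(const Cert *c, unsigned wanted) {
    unsigned eff = c->key_usage;
    if (eff & USE_NONREP) eff |= USE_SIGN;
    return (eff & wanted) == wanted;
}

/* filter_nick = 0: lookup as described; 1: with the proposed nickname filter. */
static const Cert *find(const char *nick, unsigned wanted, int filter_nick) {
    const Cert *seed = NULL;
    for (size_t i = 0; i < NCERTS && !seed; i++)        /* step 1: by nickname */
        if (strcmp(card[i].nickname, nick) == 0) seed = &card[i];
    if (!seed) return NULL;
    for (size_t i = 0; i < NCERTS; i++) {
        const Cert *c = &card[i];
        if (strcmp(c->subject, seed->subject) != 0) continue;  /* step 2 */
        if (!usage_ok(c, wanted)) continue;                    /* step 3 */
        if (filter_nick && strcmp(c->nickname, nick) != 0) continue; /* proposal */
        return c;                                              /* step 4: first */
    }
    return NULL;
}

int main(void) {
    printf("as described:    %s\n", find("card:Signing", USE_SIGN, 0)->nickname);
    printf("nickname filter: %s\n", find("card:Signing", USE_SIGN, 1)->nickname);
    return 0;
}
```

With the nickname filter, a request whose named certificate lacks the requested usage returns no certificate instead of silently substituting a sibling with the same subject.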