On Wed, Jul 9, 2008 at 4:54 AM, Joe Orton <[EMAIL PROTECTED]> wrote:
> For a test suite I'm importing a PKCS#12 cert into a fresh database as
> follows:
>
> rm -rf nssdb
> echo foobar > nssdb.pw
>
> ${CERTUTIL} -d nssdb -N -f nssdb.pw
> ${PK12UTIL} -d nssdb -K foobar -W '' -i unclient.p12
>
> and then using that database with the softokn PKCS#11 module.
>
> With NSS 3.11, doing a FindObjects search for an object in this database
> with a CKA_CLASS of CKO_CERTIFICATE would return one object, which would
> have a CKA_CERTIFICATE_TYPE of CKC_X_509. This matched how other
> hardware tokens would work.
>
> With NSS 3.12, I'm seeing that the certificate type of the single object
> with class of CKO_CERTIFICATE has changed to CKC_X_509_ATTR_CERT. Is
> this expected behaviour?

Since NSS doesn't support X.509 attribute certificates, this is
definitely a regression in NSS 3.12. Looking at the NSS 3.12 source
code (http://lxr.mozilla.org/security/search?string=CKC_X_509_ATTR_CERT)
I can't see where the bug is. Since the value of CKC_X_509_ATTR_CERT
is 1, we may have returned some other constant incorrectly whose value
is also 1.

I filed a bug report:
https://bugzilla.mozilla.org/show_bug.cgi?id=444367

Thanks,
Wan-Teh
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto