joshuaaa wrote:
> However, I have not succeeded yet in importing a p12 file. When I do a
> CertDB.ImportPKCS12File(null, cert_file);
> it runs fine, asks for the password, I enter the password, and then I
> get an alert that reads "Failed to restore the PKCS #12 file for
> unknown reasons".

<sigh>. The report of "unknown reasons" is a failing of PSM, the FF code that provides the GUI for the crypto stuff. NSS *ALWAYS* provides a reason. PSM just takes a shortcut and says "unknown reasons" instead of displaying the error string associated with the NSS error code. I've been trying literally for years to get PSM to report the error string that NSS provides for all errors, and never report "unknown reasons". FF3 reports Unknown Reason in fewer circumstances than FF2 did, but it still reports that in way too many places. If I could get Mozilla Corporation to fix one thing about PSM, it would be to stamp out all reports of "unknown reasons", once and for all.

> I don't know if this is because the private key is not already stored
> in a token, but that doesn't make a whole lot of sense to me, I would
> imagine it knows what to do with the p12 file (ie get the certificate
> and keys). Can anyone shed some light on this?

NSS reported a reason. But the GUI didn't bother to pass it on to the user. All we can do is guess. I'm at least as frustrated about this as you are.

> 2) I know that writing to the database while firefox is running is
> bad, but is it only bad when you are adding/removing certificates?

No. It's always bad.

> 3) How does NSS relate a particular private key on a token to a
> certificate? Is the process as simple as: open a p12, get the private
> key, add private key to token, import certificate and give it
> nickname?

Almost that simple. It also checks to make sure that the pkcs12 file has a private key that corresponds to at least one of the certs in the file. If you had a p12 file with a private key and a cert, but the public key in the cert did not correspond to the private key, that would fail.

> I would imagine there is more to adding the key to the token
> than just passing the key to the token?

Not much. NSS computes a "key ID" value (the PKCS#11 CKA_ID attribute) and puts that on both the private key and the cert as it imports them. The CKA_ID is computed from the public key. That way, later when the user says "use the private key for this cert", NSS can find the key by looking for a key with the right CKA_ID value.

> I would like to accomplish this through the use of javascript, but jss
> is an option if this can be done while the browser is running. If
> anyone has done something similar, please get in touch with me.

The possibilities are:
- something wrong with the pkcs12 file (e.g. key and cert don't match, cert lacks a nickname, nickname conflict),
- bug in some code

I'd suggest you start by exporting a private key and cert to a PKCS12 file from the browser. The browser generally likes the file it makes. :) Then try importing that.

> As always, thanks for the help.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
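The import flow the reply describes (check that the PKCS#12 private key corresponds to the certificate, derive a key ID from the public key, stamp it on both objects, then find the key by that ID when the cert is used) as an added example in Ruby using its standard OpenSSL bindings. This is illustrative code written for this page, not NSS, PSM or JSS code. The in-memory Token class, the nickname-conflict check and the choice of SHA-1 over the DER-encoded SubjectPublicKeyInfo as the key ID are assumptions; NSS's actual CKA_ID derivation is not reproduced here. The key, certificate and PKCS#12 file are generated inside the script so it runs offline.

```ruby
require 'openssl'

# Added example, not NSS/PSM code. Models the import flow from the reply:
# verify the private key corresponds to the cert, derive a key ID from the
# public key, stamp it on both objects, and later look the key up by that ID.

# Key ID derived from the public key. ASSUMPTION: SHA-1 over the DER-encoded
# SubjectPublicKeyInfo; NSS's exact CKA_ID derivation is not reproduced here.
def key_id_for(public_key)
  OpenSSL::Digest::SHA1.hexdigest(public_key.to_der)
end

# The correspondence check the reply mentions: the cert's public key must
# belong to the private key carried in the same PKCS#12 file.
def key_matches_cert?(private_key, cert)
  key_id_for(private_key.public_key) == key_id_for(cert.public_key)
end

# Minimal self-signed certificate so the example needs no external files.
def self_signed_cert(common_name, key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = cert.not_before + 3600
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert
end

# Hypothetical in-memory "token": private keys indexed by CKA_ID, certs by nickname.
class Token
  def initialize
    @keys = {}   # CKA_ID => private key
    @certs = {}  # nickname => { cert:, key_id: }
  end

  # Returns the CKA_ID assigned to the imported pair. Raises on the failure
  # modes the reply lists: key/cert mismatch and nickname conflict. A wrong
  # password raises OpenSSL::PKCS12::PKCS12Error from the parser itself.
  def import_p12(der, password, nickname)
    p12 = OpenSSL::PKCS12.new(der, password)
    key, cert = p12.key, p12.certificate
    raise 'private key does not correspond to the certificate' unless key_matches_cert?(key, cert)
    raise "nickname conflict: #{nickname}" if @certs.key?(nickname)
    id = key_id_for(cert.public_key)
    @keys[id] = key                                # CKA_ID stamped on the key
    @certs[nickname] = { cert: cert, key_id: id }  # and on the cert
    id
  end

  # "Use the private key for this cert": resolve it through the shared CKA_ID.
  def private_key_for(nickname)
    @keys.fetch(@certs.fetch(nickname)[:key_id])
  end
end

# End-to-end run: export a matching key/cert pair to PKCS#12 (the browser-export
# equivalent the reply suggests), import it, and confirm the key is found again.
def demo
  key = OpenSSL::PKey::RSA.new(2048)
  cert = self_signed_cert('joshuaaa', key)
  der = OpenSSL::PKCS12.create('secret', 'joshuaaa', key, cert).to_der
  token = Token.new
  id = token.import_p12(der, 'secret', 'joshuaaa')
  { key_id: id, key_found: token.private_key_for('joshuaaa').to_der == key.to_der }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Because OpenSSL's own PKCS12 builder refuses a key/cert pair that does not match, the mismatch case is exercised by calling `key_matches_cert?` directly with an unrelated key; an importer that only checked the nickname and skipped this comparison would happily store a key it can never use for that cert.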