On 01/27/2010 03:38 PM, Kai Chan wrote:
> Hi,
>
> From what I gather, keys are generated with matching certificates.

If you mean 'when keys are generated, they have matching certs', then the answer is no. Keys are generated bare. When the cert is imported, it 'latches' on to the keys that it's related with. There's a special dance, where NSS uses a CKA_ID for the key that is generated from some unique component of the public key. This is the only time NSS expects the CKA_ID to be some specific value.

If you mean 'in a provisioned token (which keys and certs)', the keys and certs are matched with their CKA_IDs in triplets (private key, public key, cert). I'm going to try to answer the remaining assuming this is what you mean.

> If I reference existing keys in an external PKCS #11 module, I would
> have to use their CK_OBJECT_HANDLE. If I wanted to be able to reference
> these external keys by nicknames, what would I use to generate
> certificates?

Again the use of 'generate' is confusing me. In normal usage it means 'create a new cert from scratch'. That is, given a key, create a cert from that key. This operation involves building a certificate request from the private key, signing it and passing it off to a CA which generates the cert and sends it back to you. Then importing the result back into the token. It's a fairly involved process and I'm assuming this is not what you meant.

If you mean given a token with some keys and a cert, how do I get a handle to the private key based on the nickname? Then the answer is, look up the cert by nickname (PK11_FindCertsFromNickname()). Make sure it's the cert you want (it's possible for multiple certs to map to the same nickname). Once you have the cert you call PK11_FindPrivateKeyFromCert().

> Since they don't exist, I wouldn't be able to do
> PK11_FindKeyByKeyID(). Are you supposed to use
> PK11_MakeIDFromPubKey() and PK11_GetLowLevelKeyIDForPrivateKey()?

I'm not sure what you are trying to get here. PK11_MakeIDFromPubKey() and PK11_GetLowLevelKeyIDForPrivateKey() already take a key, so why are you looking for the ID at this point? You could use PK11_GetLowLevelKeyIDForCert() followed by PK11_FindKeyByKeyID(), but then why wouldn't you just call PK11_FindPrivateKeyFromCert() to begin with?

You need to be clear what exactly you have, what exactly is in your token, and what it is you are trying to find.

bob

> Thanks,
> Kai

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
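The lookup Bob describes (nickname to cert, disambiguate when several certs share the nickname, then cert to private key through the shared CKA_ID, with keys living bare in the token until a cert latches on) as a constructed Python model added here. It is not NSS code and not from this thread: the token, the object classes and the function names are stand-ins for the NSS calls named above, and deriving CKA_ID as SHA-1 over the public-key bytes is an assumption standing in for whatever "unique component of the public key" NSS actually hashes.

```python
"""Constructed model of how keys and certs are matched in a PKCS #11 token.

Assumptions (not NSS behaviour taken from the thread): a token is a list of
objects with CKA_CLASS and CKA_ID; CKA_ID is SHA-1 over the public-key bytes.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional

CKO_PRIVATE_KEY, CKO_PUBLIC_KEY, CKO_CERTIFICATE = "priv", "pub", "cert"


@dataclass
class TokenObject:
    cka_class: str
    cka_id: bytes
    nickname: Optional[str] = None  # only certificates carry a nickname
    serial: int = 0                 # only certificates; used to disambiguate
    handle: int = 0                 # models CK_OBJECT_HANDLE, assigned by the token


class Token:
    def __init__(self) -> None:
        self.objects: List[TokenObject] = []

    def add(self, obj: TokenObject) -> int:
        obj.handle = len(self.objects) + 1
        self.objects.append(obj)
        return obj.handle


def make_id_from_pubkey(pubkey_bytes: bytes) -> bytes:
    """Stand-in for PK11_MakeIDFromPubKey(): CKA_ID derived from the public key (assumed SHA-1)."""
    return hashlib.sha1(pubkey_bytes).digest()


def generate_keypair(token: Token, pubkey_bytes: bytes):
    """Keys are generated bare: a private/public pair sharing a CKA_ID, no cert yet."""
    cka_id = make_id_from_pubkey(pubkey_bytes)
    priv = token.add(TokenObject(CKO_PRIVATE_KEY, cka_id))
    pub = token.add(TokenObject(CKO_PUBLIC_KEY, cka_id))
    return priv, pub


def import_cert(token: Token, pubkey_bytes: bytes, nickname: str, serial: int) -> int:
    """Importing a cert gives it the CKA_ID of its public key, so it latches onto any matching pair."""
    cka_id = make_id_from_pubkey(pubkey_bytes)
    return token.add(TokenObject(CKO_CERTIFICATE, cka_id, nickname, serial))


def find_certs_from_nickname(token: Token, nickname: str) -> List[TokenObject]:
    """Stand-in for PK11_FindCertsFromNickname(): several certs may share one nickname."""
    return [o for o in token.objects
            if o.cka_class == CKO_CERTIFICATE and o.nickname == nickname]


def find_private_key_from_cert(token: Token, cert: TokenObject) -> Optional[int]:
    """Stand-in for PK11_FindPrivateKeyFromCert(): match the private key by CKA_ID."""
    for o in token.objects:
        if o.cka_class == CKO_PRIVATE_KEY and o.cka_id == cert.cka_id:
            return o.handle
    return None  # cert present but its key is not on this token


def private_key_handle_for_nickname(token: Token, nickname: str,
                                    serial: Optional[int] = None) -> Optional[int]:
    """Nickname -> cert(s) -> chosen cert -> private key handle."""
    certs = find_certs_from_nickname(token, nickname)
    if serial is not None:
        certs = [c for c in certs if c.serial == serial]
    if not certs:
        return None
    if len(certs) > 1:
        raise ValueError("nickname %r matches %d certs; pick one by serial" % (nickname, len(certs)))
    return find_private_key_from_cert(token, certs[0])


def build_demo_token() -> Token:
    """Constructed token: two key pairs, a renewed cert reusing a nickname, and an orphan cert."""
    token = Token()
    pub_a, pub_b, pub_c = b"constructed-pubkey-A", b"constructed-pubkey-B", b"constructed-pubkey-C"
    generate_keypair(token, pub_a)                     # handles 1 (priv), 2 (pub)
    generate_keypair(token, pub_b)                     # handles 3 (priv), 4 (pub)
    import_cert(token, pub_a, "server", serial=1)      # handle 5, latches to key A
    import_cert(token, pub_b, "server", serial=2)      # handle 6, same nickname, key B
    import_cert(token, pub_c, "orphan", serial=3)      # handle 7, no key pair on token
    return token


if __name__ == "__main__":
    t = build_demo_token()
    print("certs named 'server':", [c.handle for c in find_certs_from_nickname(t, "server")])
    print("private key for serial 2:", private_key_handle_for_nickname(t, "server", serial=2))
    print("private key for orphan cert:", private_key_handle_for_nickname(t, "orphan"))
```

The point the model makes is the one in the reply: the handle you want is reached through the cert, and a nickname alone is not enough to pick it, so the caller has to decide which cert it means before asking for the key.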