On 2010-04-14 19:18 PST, 虎 季 wrote:
>    I am an engineer working in mozilla China, I'm going to provide a
> solution for Chinese banks which support IE only in China now.

Welcome, 虎 季.  Perhaps you can give us westerners some guidance on how to
pronounce or transliterate your name in western alphabet.

>     The problem I met is that:
>     There are many vendors who supply smart-cards for banks, they have
> implemented the pkcs#11 modules (maybe implemented most parts of
> pkcs#11). There are two kinds of certificates in the smart-card, one
> for personals, and one for bank which should be added to the clients'
> trusted certificates list.

Please tell us much more about this "one for bank".
Is it a web server certificate for the bank's web server?
If so, was it issued by a CA?
Does that CA have its own CA certificate?
Is that CA's certificate separately available?

Is the "one for bank" certificate a CA certificate for the CA that issued
the bank's web server certificate?
Is it a CA certificate for the CA that issued the "personal" certificate
that is also on the smart-card?
Is it a "root" certificate?
or is it issued by (and subordinate to) another CA with a separate certificate?

> We can add their pkcs#11 security module into the secmod.db which is done
> by an installer made by banks. So, when starting Fx, it loads all the
> security modules in the secmod.db and loads certificates into the certificates
> list through PKCS#11 APIs automatically. Then we can see the security
> modules in the Fx security devices list and the personal certificate in
> the certificates list.

> I am not familiar with the PKCS#11 APIs, maybe they did not implement
> some, so Fx could not load the certificate for bank into the trusted
> certificates list.

Are you able to build and use NSS's command line tools from NSS's open
sources?  If so, those command line tools could be used to answer some of
your questions.

The PKCS#11 API provides a way to mark a certificate in a "token"
(smart-card) as being trusted while it remains on that card.  When properly
implemented, there should be no need to "import" a trusted certificate into
Firefox to get Firefox to trust it.  However, as far as I know, at the
present time, Firefox does not support the PKCS#11 "trusted"
attribute, so it is necessary to set the trust flag in Firefox.

Still it should not be necessary to import the certificate into Firefox.
It should only be necessary for Firefox to SEE the certificate in the token
and for Firefox to set Firefox's own trust flag on that certificate in the
token.

If Firefox does not even see the bank's certificate in that token, then the
problem is probably greater than merely lack of support for the trust
attribute.  There may be some other issue with the certificate that makes
Firefox unable to deal with it.  The only way I could tell with certainty
would be to have an actual copy (e.g. DER) of that bank's certificate.
Of course, I only need the certificate and not any private keys.

> We can get the certificate for bank now, how to load it into Fx as root
> certificate by other programme, not automatically?

Shouldn't be necessary.

>     I have read the file of "cert.h", there is a function prototype

> SECStatus CERT_ImportCerts(CERTCertDBHandle *certdb, SECCertUsage usage,
> unsigned int ncerts, SECItem **derCerts, CERTCertificate ***retCerts,
> PRBool keepCerts,  PRBool caOnly, char *nickname);

Yes, there is.

>    Could I invoke it to solve the problem ?

You could try it.

> But the page https://developer.mozilla.org/en/NSS/Certificate_functions
> said the function is not available, 

Why do you say that?
I don't see any statement like that on that page.

> I am very confused.
> Could you give me some advices?

If you can obtain and run the NSS command line test tool named "certutil",
I would suggest that you try that, and see if you can set the NSS trust
flags on that bank cert on the token using certutil, and see if, having
done that, the bank cert works for you in firefox as expected.

If so, then I wouldn't make any further attempts to "import" the cert into
Firefox, and instead would just suggest that you learn how to set that
trust flag the way that certutil does.

Regards,
/Nelson
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
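The certutil route Nelson recommends, written out as an added example. This is not code from the thread, from Firefox or from NSS itself; it only wraps the NSS command-line tools. The profile directory, token label and certificate nickname (PROFILE, TOKEN, NICK) are placeholders, since the thread never names them, and the round-trip demo runs against a throwaway NSS database rather than a real smart-card.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or from NSS): set the NSS
# trust flags on a CA certificate that stays on the PKCS#11 token, instead
# of importing a copy of it into Firefox.
#
# Placeholders (assumptions, not values from the thread):
#   PROFILE  Firefox profile directory holding secmod.db and the cert DB
#   TOKEN    token label as printed by "modutil -list"
#   NICK     certificate nickname as printed by "certutil -L -h TOKEN"

# NSS trust strings have three comma-separated fields (SSL, S/MIME, object
# signing); each field is a subset of the letters p P c C T u.
# "CT,C,C" marks a trusted CA for SSL servers and clients, email and signing.
valid_trust_flags() {
    printf '%s' "$1" | grep -Eq '^[pPcCTu]*,[pPcCTu]*,[pPcCTu]*$'
}

# Print (do not run) the certutil command that sets trust flags on a
# token-resident certificate. NSS addresses certificates on external
# tokens as "TOKEN:NICK", so no import into the Firefox DB is needed.
trust_cmd() {
    profile=$1 token=$2 nick=$3 flags=$4
    valid_trust_flags "$flags" || { echo "bad trust flags: $flags" >&2; return 1; }
    printf 'certutil -d "%s" -M -n "%s:%s" -t "%s"\n' "$profile" "$token" "$nick" "$flags"
}

# The inspection steps from the thread: which PKCS#11 modules are
# registered in secmod.db, and which certificates Firefox can actually
# SEE on the token. If the bank cert is missing here, trust flags are
# not the problem.
inspect_token() {
    profile=$1 token=$2
    modutil -dbdir "$profile" -list
    certutil -d "$profile" -L -h "$token"
}

# Round trip in a temporary NSS database: create a self-signed CA with
# plain CA flags, change its trust with -M, read the flags back with -L.
# Prints the new flags; returns 2 if certutil is not installed.
trust_roundtrip_demo() {
    command -v certutil >/dev/null 2>&1 || { echo "certutil not installed" >&2; return 2; }
    db=$(mktemp -d)
    echo "pw" > "$db/pw"
    head -c 1024 /dev/urandom > "$db/noise"
    certutil -N -d "$db" -f "$db/pw"
    certutil -S -d "$db" -f "$db/pw" -z "$db/noise" -n demo-ca -s "CN=Demo CA" \
        -x -t "c,c,c" -k rsa -g 2048 >/dev/null 2>&1
    certutil -d "$db" -f "$db/pw" -M -n demo-ca -t "CT,C,C"
    certutil -d "$db" -L | awk '$1=="demo-ca"{print $2}'
    rm -rf "$db"
}

# Usage against a real profile and token (placeholders):
#   inspect_token "$PROFILE" "$TOKEN"
#   trust_cmd "$PROFILE" "$TOKEN" "$NICK" "CT,C,C"   # review, then run the line
```

After running the printed `certutil -M` line, `certutil -d "$PROFILE" -L` should show the bank certificate with `CT,C,C` in its trust column, and Firefox started on that profile should then accept server certificates chaining to it.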