On 23. 10. 2010 22:18, Nelson B Bolyard wrote:
> On 2010-10-21 13:31 PDT, Matej Kurpel wrote:
>> This looks like Thunderbird cannot find the user certificate in its
>> database. Well, it shouldn't anyway, since it resides on the token
>> provided by a PKCS#11 module I am developing.
> Right. It's not necessary for the cert to be in the database. It's only
> necessary that NSS can find it in one of the attached tokens.
>> However, in its properties it says it couldn't verify the certificate
>> for unknown reasons. And the CA certificate is added into the
>> authorities correctly. Any more ideas, please?
> For purposes of your command line testing, you should add your PKCS#11
> module to the secmod.db configuration file, using the modutil program.
> Thereafter, you should be able to get the command line utilities to
> see and attempt to verify the certificate in your token. I'd tell you
> how to do that, but you seem to be doing VERY VERY well at figuring it
> out on your own! Here are some hints:
> certutil -d . -L -h all
> certutil -d . -L -n "my token name:my cert name"
I did what you said but didn't really get anywhere... First I did this:
certutil -d . -L -h all
It showed all certificates in this way:
Mekova CA - CA organizacia CT,C,C
Google Internet Authority ,,
DigiCert High Assurance CA-3 ,,
VeriSign Class 3 Extended Validation SSL CA ,,
HTC Touch HD T8282:Matej Kurpel u,u,u
Builtin Object Token:Verisign/RSA Secure Server CA CG,C,p
Builtin Object Token:GTE CyberTrust Root CA CG,C,C
(more Builtin Object token lines following)
You can clearly see both my CA and user certificates. Certutil has used
my PKCS#11 module to obtain my user certificate. Then I launched the
second command you were suggesting:
certutil -d . -L -n "HTC Touch HD T8282:Matej Kurpel"
Now it popped up a message that certutil.exe has stopped working. From
my PKCS11-spy logs it's apparent that it searched for the certificate,
found it, got some of its attributes, and then searched for a private
key belonging to this certificate (and found it): FindObjectsInit -
FindObjects - FindObjectsFinal. That's all it did and then crashed.
Looks like something is wrong with my certificate but how can I check it
when certutil is crashing? :( Windows didn't have any problems with the
certificate... Also in an ASN.1 Editor I have downloaded off the web,
the certificate loads up fine. Can you suggest anything more to try, please?
-------------------- pkcs11-spy log begin ---------------------
9: C_OpenSession
[in] slotID = 0x0
[in] flags = 0x4
pApplication=0219E338
Notify=004564D0
[out] *phSession = 0x1
Returned: 0 CKR_OK
10: C_GetMechanismList
[in] slotID = 0x0
[out] pMechanismList[1]:
Count is 1
Returned: 0 CKR_OK
11: C_GetMechanismList
[in] slotID = 0x0
[out] pMechanismList[1]:
CKM_RSA_PKCS
Returned: 0 CKR_OK
12: C_FindObjectsInit
[in] hSession = 0x1
[in] pTemplate[1]:
CKA_CLASS CKO_NETSCAPE_BUILTIN_ROOT_LIST
Returned: 19 CKR_ATTRIBUTE_VALUE_INVALID
13: C_FindObjectsInit
[in] hSession = 0x1
[in] pTemplate[2]:
CKA_TOKEN True
CKA_CLASS CKO_CERTIFICATE
Returned: 0 CKR_OK
14: C_FindObjects
[in] hSession = 0x1
[in] ulMaxObjectCount = 0xa
[out] ulObjectCount = 0x1
Object 1 Matches
Returned: 0 CKR_OK
15: C_FindObjectsFinal
[in] hSession = 0x1
Returned: 0 CKR_OK
16: C_GetAttributeValue
[in] hSession = 0x1
[in] hObject = 0x1
[in] pTemplate[2]:
CKA_TOKEN requested with 0 buffer
CKA_LABEL requested with 0 buffer
[out] pTemplate[2]:
CKA_TOKEN has size 1
CKA_LABEL has size 12
Returned: 0 CKR_OK
17: C_GetAttributeValue
[in] hSession = 0x1
[in] hObject = 0x1
[in] pTemplate[2]:
CKA_TOKEN requested with 1 buffer
CKA_LABEL requested with 12 buffer
[out] pTemplate[2]:
CKA_TOKEN True
CKA_LABEL [size : 0xC (12)]
4D617465 6A204B75 7270656C
M a t e j . K u r p e l
Returned: 0 CKR_OK
18: C_GetAttributeValue
[in] hSession = 0x1
[in] hObject = 0x1
[in] pTemplate[10]:
CKA_CLASS requested with 0 buffer
CKA_TOKEN requested with 0 buffer
CKA_LABEL requested with 0 buffer
CKA_CERTIFICATE_TYPE requested with 0 buffer
CKA_ID requested with 0 buffer
CKA_VALUE requested with 0 buffer
CKA_ISSUER requested with 0 buffer
CKA_SERIAL_NUMBER requested with 0 buffer
CKA_SUBJECT requested with 0 buffer
CKA_NETSCAPE_EMAIL(Netsc) requested with 0 buffer
[out] pTemplate[10]:
CKA_CLASS has size 4
CKA_TOKEN has size 1
CKA_LABEL has size 12
CKA_CERTIFICATE_TYPE has size 4
CKA_ID has size 4
CKA_VALUE has size 805
CKA_ISSUER has size 159
CKA_SERIAL_NUMBER has size 9
CKA_SUBJECT has size 141
CKA_NETSCAPE_EMAIL(Netsc) has size -1
Returned: 18 CKR_ATTRIBUTE_TYPE_INVALID
19: C_GetAttributeValue
[in] hSession = 0x1
[in] hObject = 0x1
[in] pTemplate[10]:
CKA_CLASS requested with 4 buffer
CKA_TOKEN requested with 1 buffer
CKA_LABEL requested with 12 buffer
CKA_CERTIFICATE_TYPE requested with 4 buffer
CKA_ID requested with 4 buffer
CKA_VALUE requested with 805 buffer
CKA_ISSUER requested with 159 buffer
CKA_SERIAL_NUMBER requested with 9 buffer
CKA_SUBJECT requested with 141 buffer
CKA_NETSCAPE_EMAIL(Netsc) requested with 0 buffer
[out] pTemplate[10]:
CKA_CLASS CKO_CERTIFICATE
CKA_TOKEN True
CKA_LABEL [size : 0xC (12)]
4D617465 6A204B75 7270656C
M a t e j . K u r p e l
CKA_CERTIFICATE_TYPE CKC_X_509
CKA_ID [size : 0x4 (4)]
01000000
CKA_VALUE [size : 0x325 (805)]
30820321 3082028A A0030201 02020900 F1EB20AD 80774744 300D0609 2A864886
F70D0101 04050030 819C310B 30090603 55040613 02534B31 11300F06 03550408
1308536C 6F76616B 6961310F 300D0603 55040713 065A696C 696E6131 17301506
0355040A 130E4341 206F7267 616E697A 61636961 311A3018 06035504 0B131143
41204F72 672E2075 6E697420 6E616D65 31123010 06035504 0313094D 656B6F76
61204341 3120301E 06092A86 4886F70D 01090116 116D656B 6F76615F 63614073
70616D2E 6C61301E 170D3130 31303230 31363033 31325A17 0D323031 30313731
36303331 325A3081 8A310B30 09060355 04061302 534B3111 300F0603 55040813
08536C6F 76616B69 61311730 15060355 040A130E 4341206F 7267616E 697A6163
69613116 30140603 55040B13 0D4D656B 206F6464 656C656E 69653115 30130603
55040313 0C4D6174 656A204B 75727065 6C312030 1E06092A 864886F7 0D010901
16116D6B 75727065 6C40676D 61696C2E 636F6D30 819F300D 06092A86 4886F70D
01010105 0003818D 00308189 02818100 C153CDAE 885F2DA2 B3DCF784 9050A73F
8DB8650B 723915C9 9D92DA72 5D578A7E 05E6E226 9597CCD7 C567AEB6 038BEEF3
6C6930BF BF5B2D42 37D12750 3FB78761 10C639E3 F643945B 4F1D01B6 DF6C4B0E
DBB96129 399EDD96 72B5D0FF 4E4032E5 AE0648AB 55DB76B6 C7729081 28CF5CEE
4B25C16B 1949D6EB 6090DA70 1AEFC927 02030100 01A37B30 79300906 03551D13
04023000 302C0609 60864801 86F84201 0D041F16 1D4F7065 6E53534C 2047656E
65726174 65642043 65727469 66696361 7465301D 0603551D 0E041604 14CD65BA
C64E22F1 3E7439FC 06AE35B2 359B5445 F4301F06 03551D23 04183016 8014610A
7C6545E8 608F786D 3CA7CFBB A4696F43 7792300D 06092A86 4886F70D 01010405
00038181 007907B9 58205663 34311EF0 184DEDB2 35568546 E632C081 AD9EF657
6307377B 8CBE9A9A D32BFC01 E2C378C2 0AFCB67F 323C5732 918BA0B4 7F0651E5
BF5345CC 2FF32D07 F170B522 D6069249 879E782A 2634A935 6D578E6C 26AD3A40
BED84A9B EBAEE200 452B4B92 B77CA359 685AC9B7 87D8076F D52859E6 E2ABF98F
0B2C96E9 8E
CKA_ISSUER [size : 0x9F (159)]
30819C31 0B300906 03550406 1302534B 3111300F 06035504 080C0853 6C6F7661
6B696131 0F300D06 03550407 0C065A69 6C696E61 31173015 06035504 0A0C0E43
41206F72 67616E69 7A616369 61311A30 18060355 040B0C11 4341204F 72672E20
756E6974 206E616D 65311230 10060355 04030C09 4D656B6F 76612043 41312030
1E06092A 864886F7 0D010901 16116D65 6B6F7661 5F636140 7370616D 2E6C61
DN: C=SK, ST=Slovakia, L=Zilina, O=CA organizacia, OU=CA Org. unit
name, CN=Mekova CA/emailaddress=mekova...@spam.la
CKA_SERIAL_NUMBER [size : 0x9 (9)]
44477780 AD20EBF1 00
CKA_SUBJECT [size : 0x8D (141)]
30818A31 0B300906 03550406 1302534B 3111300F 06035504 080C0853 6C6F7661
6B696131 17301506 0355040A 0C0E4341 206F7267 616E697A 61636961 31163014
06035504 0B0C0D4D 656B206F 6464656C 656E6965 31153013 06035504 030C0C4D
6174656A 204B7572 70656C31 20301E06 092A8648 86F70D01 09011611 6D6B7572
70656C40 676D6169 6C2E636F 6D
DN: C=SK, ST=Slovakia, O=CA organizacia, OU=Mek oddelenie, CN=Matej
Kurpel/emailaddress=mkur...@gmail.com
CKA_NETSCAPE_EMAIL(Netsc) has size -1
Returned: 18 CKR_ATTRIBUTE_TYPE_INVALID
20: C_GetAttributeValue
[in] hSession = 0x1
[in] hObject = 0x1
[in] pTemplate[1]:
CKA_NETSCAPE_EMAIL(Netsc) requested with 0 buffer
[out] pTemplate[1]:
CKA_NETSCAPE_EMAIL(Netsc) has size -1
Returned: 18 CKR_ATTRIBUTE_TYPE_INVALID
21: C_GetAttributeValue
[in] hSession = 0x1
[in] hObject = 0x1
[in] pTemplate[1]:
CKA_NETSCAPE_EMAIL(Netsc) requested with 0 buffer
[out] pTemplate[1]:
CKA_NETSCAPE_EMAIL(Netsc) has size -1
Returned: 18 CKR_ATTRIBUTE_TYPE_INVALID
22: C_FindObjectsInit
[in] hSession = 0x1
[in] pTemplate[2]:
CKA_TOKEN True
CKA_CLASS CKO_NETSCAPE_TRUST
Returned: 19 CKR_ATTRIBUTE_VALUE_INVALID
23: C_GetAttributeValue
[in] hSession = 0x1
[in] hObject = 0x1
[in] pTemplate[2]:
CKA_ID requested with 0 buffer
CKA_CLASS requested with 0 buffer
[out] pTemplate[2]:
CKA_ID has size 4
CKA_CLASS has size 4
Returned: 0 CKR_OK
24: C_GetAttributeValue
[in] hSession = 0x1
[in] hObject = 0x1
[in] pTemplate[2]:
CKA_ID requested with 4 buffer
CKA_CLASS requested with 4 buffer
[out] pTemplate[2]:
CKA_ID [size : 0x4 (4)]
01000000
CKA_CLASS CKO_CERTIFICATE
Returned: 0 CKR_OK
25: C_FindObjectsInit
[in] hSession = 0x1
[in] pTemplate[2]:
CKA_ID [size : 0x4 (4)]
01000000
CKA_CLASS CKO_PRIVATE_KEY
Returned: 0 CKR_OK
26: C_FindObjects
[in] hSession = 0x1
[in] ulMaxObjectCount = 0x1
[out] ulObjectCount = 0x1
Object 2 Matches
Returned: 0 CKR_OK
27: C_FindObjectsFinal
[in] hSession = 0x1
Returned: 0 CKR_OK
-------------------- pkcs11-spy log end ---------------------
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
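
Added example, not part of the original post or of NSS: PKCS#11 defines CKA_ISSUER, CKA_SUBJECT and CKA_SERIAL_NUMBER as the DER encodings of the certificate's issuer name, subject name and serial number. In the log above, CKA_VALUE encodes the name strings with tag 0x13 (PrintableString) and the serial as `02 09 00F1EB20AD80774744`, while the token returns names with tag 0x0C (UTF8String) and the serial bytes reversed without the INTEGER header. The Python check below compares a token's attributes with the fields parsed from CKA_VALUE; the function names and the shortened certificate-shaped sample are constructed for illustration.

```python
# Added example (hypothetical helper names): token attributes vs. DER in CKA_VALUE.
def read_tlv(buf, pos):
    """Return (tag, content_start, end) for the DER TLV that starts at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                       # long form: low 7 bits count length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    end = pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER value")
    return tag, pos + hdr, end

def cert_fields(cert_der):
    """Raw DER (header included) of the leading TBSCertificate fields."""
    _, body, _ = read_tlv(cert_der, 0)      # Certificate ::= SEQUENCE
    _, pos, _ = read_tlv(cert_der, body)    # TBSCertificate ::= SEQUENCE
    if cert_der[pos] == 0xA0:               # optional [0] EXPLICIT version
        pos = read_tlv(cert_der, pos)[2]
    out = {}
    for field in ("serial", "sigalg", "issuer", "validity", "subject"):
        end = read_tlv(cert_der, pos)[2]
        out[field] = cert_der[pos:end]
        pos = end
    return out

def check_attributes(cert_der, attrs):
    """Map each attribute name to True when it equals the certificate's own bytes."""
    f = cert_fields(cert_der)
    pairs = {"CKA_SERIAL_NUMBER": "serial", "CKA_ISSUER": "issuer", "CKA_SUBJECT": "subject"}
    return {a: attrs.get(a) == f[k] for a, k in pairs.items()}

# Constructed sample: a shortened certificate-shaped structure, not a real certificate.
def tlv(tag, content):
    return bytes([tag, len(content)]) + content   # short-form lengths only (< 128)
def name_der(cn, string_tag):                     # Name holding a single CN attribute
    return tlv(0x30, tlv(0x31, tlv(0x30, bytes.fromhex("0603550403") + tlv(string_tag, cn))))

SAMPLE_CERT = tlv(0x30, tlv(0x30, bytes.fromhex("A003020102")
    + tlv(0x02, bytes.fromhex("00F1EB20AD80774744"))       # serial as in CKA_VALUE
    + tlv(0x30, b"") + name_der(b"Mekova CA", 0x13)        # PrintableString
    + tlv(0x30, b"") + name_der(b"Matej Kurpel", 0x13)))
TOKEN_ATTRS = {"CKA_SERIAL_NUMBER": bytes.fromhex("44477780AD20EBF100"),  # as logged
               "CKA_ISSUER": name_der(b"Mekova CA", 0x0C),                # UTF8String
               "CKA_SUBJECT": name_der(b"Matej Kurpel", 0x0C)}
```

`check_attributes(SAMPLE_CERT, TOKEN_ATTRS)` reports all three attributes as mismatched; passing the slices returned by `cert_fields` as the attribute values makes every comparison succeed.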