On 07/01/2013 03:53 AM, Stefan Scheidewig wrote:
> Hello,
>
> I added a smart card PKCS#11 module to my certdb (without specifying any mechanisms) and I am able to list the certificates as well as the keys within the sole token of this smart card. Within the program I am able to login to the smart card and to read one of the three certificates. But a call to PK11_FindKeyByDERCert returns null.
>
> Why can't NSS fetch the associated key of this certificate?

Two possible reasons:

1) You need to be logged in when you call PK11_FindKeyByDERCert().
2) The key may not have an NSS-derived CKA_ID. PK11_FindKeyByDERCert() is used to find bare keys that were created as part of a certificate request. You shouldn't use it for the general case where the cert and key are already on the token. (It only works if NSS has generated the key and set the key id.)

Instead use PK11_FindKeyByAnyCert(). It uses CKA_ID matching (it looks up the token's CKA_ID for a certificate and finds the matching private key). This is how NSS internally finds a private key for a given certificate.

bob

> Greetings,
> Stefan Scheidewig
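
The two lookup strategies described in the reply above, as an added example that is not part of the original thread and is not NSS code. It models token objects in plain C; the struct, the function names, the 4-byte IDs and the toy `derive_id` transform are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Constructed model of PKCS#11 token objects; hypothetical types, not NSS's. */
enum obj_class { OBJ_CERT, OBJ_PRIVATE_KEY };
struct token_obj {
    enum obj_class cls;
    unsigned char  id[4];      /* CKA_ID as stored on the token (shortened) */
    unsigned char  pubkey[4];  /* stand-in for the key pair's public key bytes */
};

/* Stand-in for an ID computed from the public key. Assumption: a toy XOR,
   only the idea "ID is derived from the key" matters here. */
static void derive_id(const unsigned char *pub, unsigned char *out) {
    for (int i = 0; i < 4; i++) out[i] = (unsigned char)(pub[i] ^ 0x5a);
}

/* Return the index of the private key whose CKA_ID equals id, or -1. */
static int find_priv_by_id(const struct token_obj *t, int n, const unsigned char *id) {
    for (int i = 0; i < n; i++)
        if (t[i].cls == OBJ_PRIVATE_KEY && memcmp(t[i].id, id, 4) == 0) return i;
    return -1;
}

/* Strategy of PK11_FindKeyByDERCert as described: search by a derived key ID. */
int lookup_by_derived_id(const struct token_obj *t, int n, int cert) {
    unsigned char id[4];
    derive_id(t[cert].pubkey, id);
    return find_priv_by_id(t, n, id);
}

/* Strategy of PK11_FindKeyByAnyCert as described: use the cert object's CKA_ID. */
int lookup_by_cert_cka_id(const struct token_obj *t, int n, int cert) {
    return find_priv_by_id(t, n, t[cert].id);
}

/* Constructed sample: a smart card whose CKA_IDs were chosen by the card. */
const struct token_obj card[] = {
    { OBJ_CERT,        {0x01, 0x00, 0x00, 0x00}, {0xaa, 0xbb, 0xcc, 0xdd} },
    { OBJ_PRIVATE_KEY, {0x01, 0x00, 0x00, 0x00}, {0xaa, 0xbb, 0xcc, 0xdd} },
};
/* Constructed sample: a token where the key ID was set to the derived value. */
const struct token_obj nss_made[] = {
    { OBJ_CERT,        {0xf0, 0xe1, 0x96, 0x87}, {0xaa, 0xbb, 0xcc, 0xdd} },
    { OBJ_PRIVATE_KEY, {0xf0, 0xe1, 0x96, 0x87}, {0xaa, 0xbb, 0xcc, 0xdd} },
};

int main(void) {
    printf("card: derived=%d by-cert-id=%d\n", lookup_by_derived_id(card, 2, 0), lookup_by_cert_cka_id(card, 2, 0));
    return 0;
}
```

On the constructed smart card the derived-ID search finds nothing while the CKA_ID match returns the key, which mirrors the null result reported in the question.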




-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
