On 07/24/2013 10:55 AM, David Widen wrote:
> Hi,
>
> I'm trying to generate a certificate for an RSA key and then put it onto
> a smart card using NSS. I can successfully generate the RSA key and a
> self-signed certificate, as well as putting that certificate on the card.
> However, I am unable to store the associated private key on the card,
> which makes the certificate rather useless. The following is roughly what
> operations I am performing. Most functions are taken from certutil.c and
> certgen.c.

I'm sort of guessing, since you are calling some sort of higher level
wrapping functions. Actual NSS API calls (and failure values) would give
more information.

>     // slot is a PK11SlotInfo *
>     SECKEYPrivateKey * privk = NULL;
>     SECKEYPublicKey * pubk = NULL;
>     GenerateKeyPair(slot, &pubk, &privk, keysize);

This should have generated the key pair on the card. If the card can't do
generateKeyPair, NSS will use softoken to generate the key pair and import
it into the card.

>     CERTCertificateRequest * req = make_cert_request(subject, pubk);
>     CERTCertificate * temp_cert = make_cert(req, serial, &req->subject);
>     set_cert_type(temp_cert, NS_CERT_TYPE_OBJECT_SIGNING | NS_CERT_TYPE_OBJECT_SIGNING_CA);
>     SECItem * derCert = sign_cert(temp_cert, privk);
>     char * name = "John Doe";
>     char * trusts = "u,u,u";
>     AddCert(slot, db, name, trusts, derCert, PR_FALSE, NULL);
>     importKey(slot, privk, pubk, PR_TRUE, PR_FALSE);

This is probably failing trying to extract the privk key from the token
(since that's where it is already). It's hard to tell because importKey is
really your function, so I don't know what NSS call fails.

> The last line of this code is what fails. Specifically, it fails here:
> http://dxr.mozilla.org/mozilla-central/source/security/nss/lib/pk11wrap/pk11obj.c?from=pk11obj.c#l191

Yes, it's trying to extract the key from the token, and the token isn't
giving the key up.

> Does anyone have any advice about this problem?
-- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto