On Mon, 2015-05-04 at 09:21 -0700, Robert Relyea wrote:

> So in NSS, CKA_LABEL is simply a short cut to CKA_SUBJECT. That is NSS
> looks up a cert from the nickname and picks all the certs that match
> that cert's subject.

Hm... so if I have two certificates; one with:

    CKA_SUBJECT: "My CA"
    CKA_LABEL: "My CA (2010 instance)"

and the other:

    CKA_SUBJECT: "My CA"
    CKA_LABEL: "My CA (2015 instance)"

... you're saying that if I use PK11_FindCertFromNickname() with the
nickname "My CA (2015 instance)" I'm actually going to get *both* of
those certs returned rather than only the one which actually matches?

That seems a bit odd, but as long as we can keep that behaviour only to
the 'old-style' lookup based on token:nickname, and don't have to
tolerate it in lookups based on a PKCS#11 URI, it's fine.

> Currently the only unique way to identify a cert is CKA_ISSUER and
> CKA_SERIAL_NUMBER unless you want to include the value.

Surely that's not unique? Using the above example, surely the first
certificate issued by the 2010 instance of 'My CA', and the first
certificate issued by the 2015 instance, are both going to have
identical CKA_ISSUER and CKA_SERIAL_NUMBER, aren't they?

> > I think we just need to either extend PK11_FindCertFromNickname() to
> > spot when the string it's given starts with 'pkcs11:' and treat it as
> > a URI instead, or add a new parallel function PK11_FindCertFromURI().
>
> If we are OK for the URI to return multiple certs, then use of
> CKA_ID or CKA_LABEL/CKA_SUBJECT is fine.

Yes, I think that's perfectly acceptable. The documentation at
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/SSL_functions/pkfnc.html#1035673
suggests that it doesn't "return multiple certs", but returns the
"newest" of the certs which match. I can live with that behaviour.

I note that same documentation also contradicts (my interpretation of)
what you said above about CKA_LABEL. It just says that the nickname is
an alias for the certificate subject.

> > I'm inclined to favour the former, since it means that applications
> > which take nicknames on the command line would Just Work when given
> > RFC7512 URIs, without needing to modify the applications at all.
>
> Assuming that the application doesn't have any tokens named 'pkcs11'.
> The current nickname spec in NSS is 'token:nickname'. I think that that
> is a fair assumption, but we just need to be clear that is what is
> happening.

OK, I'll see if I can come up with a patch.

Then all I really need to fix in NSS is the fact that it doesn't load
the tokens specified in the system's p11-kit configuration. I realise I
had only filed that in Red Hat bugzilla, so I've also filed it at
https://bugzilla.mozilla.org/show_bug.cgi?id=1161219 now.

--
dwmw2
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
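The lookup semantics argued over in this message, modelled as an added Python example that is not NSS code and not part of the list thread. It assumes a constructed in-memory token (`STORE`) holding two CA certs with the same CKA_SUBJECT but different CKA_LABELs, a small parser for the subset of RFC 7512 used here (path attributes `token`, `object`, `id`, `type`, plus query attributes), and hypothetical functions `find_by_nickname`, `find_by_uri` and `find_cert` that stand in for the old-style `token:nickname` lookup, a URI lookup, and the proposed `pkcs11:` prefix dispatch. It also checks the two caveats raised above: a token literally named `pkcs11` would make the dispatch ambiguous, and (CKA_ISSUER, CKA_SERIAL_NUMBER) stops being unique once two CA instances share a subject.

```python
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes


@dataclass
class Cert:
    """One certificate object on a token, carrying the PKCS#11 attributes discussed."""
    token: str       # label of the token the object lives on
    label: str       # CKA_LABEL (the NSS "nickname")
    subject: str     # CKA_SUBJECT (simplified to a string)
    issuer: str      # CKA_ISSUER
    serial: int      # CKA_SERIAL_NUMBER
    cka_id: bytes    # CKA_ID
    year: int        # issue year, used to rank "newest" matches


# Constructed sample token: two CA certs sharing a subject (the 2010 and 2015
# "My CA" instances) and the first end-entity cert issued by each instance.
STORE = [
    Cert("softtoken", "My CA (2010 instance)", "My CA", "My CA", 1, b"\x01", 2010),
    Cert("softtoken", "My CA (2015 instance)", "My CA", "My CA", 1, b"\x02", 2015),
    Cert("softtoken", "server-2011", "www.example.test", "My CA", 2, b"\x03", 2011),
    Cert("softtoken", "server-2016", "www.example.test", "My CA", 2, b"\x04", 2016),
]


def parse_pkcs11_uri(uri: str) -> dict:
    """Parse the subset of RFC 7512 needed here: percent-encoded ';'-separated
    path attributes, then '&'-separated query attributes after an optional '?'."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a PKCS#11 URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    attrs = {}
    for part, sep in ((path, ";"), (query, "&")):
        for item in filter(None, part.split(sep)):
            name, eq, value = item.partition("=")
            if not eq:
                raise ValueError(f"malformed attribute {item!r}")
            raw = unquote_to_bytes(value)
            attrs[name] = raw if name == "id" else raw.decode("utf-8")  # CKA_ID is binary
    return attrs


def _newest_first(certs):
    return sorted(certs, key=lambda c: c.year, reverse=True)


def find_by_nickname(store, nickname):
    """Old-style 'token:nickname' lookup as described in the thread: the nickname
    selects a cert, then every cert with that cert's CKA_SUBJECT is returned."""
    token, sep, label = nickname.partition(":")
    if not sep:
        token, label = None, nickname
    on_token = [c for c in store if token is None or c.token == token]
    subjects = {c.subject for c in on_token if c.label == label}
    return _newest_first(c for c in on_token if c.subject in subjects)


def find_by_uri(store, uri):
    """PKCS#11 URI lookup: every attribute present must match, so 'object='
    (CKA_LABEL) or 'id=' (CKA_ID) narrows the result to the intended object."""
    attrs = parse_pkcs11_uri(uri)
    if attrs.get("type", "cert") != "cert":
        return []
    checks = {"token": lambda c: c.token, "object": lambda c: c.label, "id": lambda c: c.cka_id}
    return _newest_first(
        c for c in store
        if all(get(c) == attrs[name] for name, get in checks.items() if name in attrs)
    )


def find_cert(store, name):
    """The proposed dispatch: a 'pkcs11:' prefix means URI, anything else is token:nickname."""
    if name.startswith("pkcs11:"):
        return find_by_uri(store, name)
    return find_by_nickname(store, name)


def prefix_collisions(store):
    """The dispatch is only unambiguous if no token is literally named 'pkcs11'."""
    return sorted({c.token for c in store if c.token == "pkcs11"})


def issuer_serial_collisions(store):
    """(CKA_ISSUER, CKA_SERIAL_NUMBER) pairs shared by more than one cert."""
    seen = {}
    for c in store:
        seen.setdefault((c.issuer, c.serial), []).append(c.label)
    return {key: labels for key, labels in seen.items() if len(labels) > 1}


if __name__ == "__main__":
    for name in ("softtoken:My CA (2015 instance)",
                 "pkcs11:token=softtoken;object=My%20CA%20(2015%20instance);type=cert",
                 "pkcs11:id=%01;type=cert"):
        print(name, "->", [c.label for c in find_cert(STORE, name)])
    print("tokens named 'pkcs11':", prefix_collisions(STORE))
    print("issuer/serial collisions:", issuer_serial_collisions(STORE))
```

Run as a script, the nickname form returns both "My CA" certs (newest first), while the URI forms return exactly one, which is the split between old-style and URI-based lookup the message asks to preserve; the collision report shows why issuer plus serial is not a unique key once two CA instances share a subject.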