On Sun, 3 May 2015, David Woodhouse wrote:

Hello David,

>For the case of NSS, I suspect the lack of CKA_SUBJECT shouldn't be a
>real problem. I've just started looking at NSS with a view to fixing
>it to take PKCS#11 URIs, and it looks like the common way of
>specifying a certificate is by its "nickname", which is CKA_LABEL,
>using the PK11_FindCertFromNickname() function.
>
>I think we just need to either extend PK11_FindCertFromNickname() to
>spot when the string it's given starts with 'pkcs11:' and treat it as
>a URI instead, or add a new parallel function PK11_FindCertFromURI().

Overloading the existing function so that old applications just work seems like a way to go. It would be nice to have a new function for new code with a name that would better describe the current situation. I assume both searching by a nickname and URI will be needed in the future.

>I'm inclined to favour the former, since it means that applications
>which take nicknames on the command line would Just Work when given
>RFC7512 URIs, without needing to modify the applications at all.
>
>Referring to the mini-howto at https://bugzilla.redhat.com/1217727#c1
>(a bug against the pesign utility) which shows how to deal with the
>NSS issues around PKCS#11 usability, this would basically *solve* the
>lack of URI support without having to touch pesign at all.
>
>Then we only need to deal with the fact that NSS doesn't load the
>system-configured PKCS#11 tokens by default, which is an orthogonal
>issue probably outside the scope of your interest, Jan.

Don't know much about NSS. Wrote some code years ago, was curious how it worked, but probably forgot even that little bit I learned about it :-)

Cheers, Jan.

-- 
Jan Pechanec <jan.pecha...@oracle.com>

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
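The overload David describes, as an added example that is not NSS code and not part of the thread: a lookup front end that keeps accepting plain nicknames (matched against CKA_LABEL) and, when the string starts with "pkcs11:", parses it as an RFC 7512 URI and uses the "object" attribute (CKA_LABEL again) plus an optional "token" attribute to select the certificate. The function name find_cert_from_nickname_or_uri(), the struct names and the certificate table are hypothetical constructions standing in for the tokens NSS would search; only the path attributes of the URI are honoured and the query part (module-name and friends) is ignored, so it is a subset of RFC 7512 matching, not a full implementation.

```c
/* Added example (not NSS code): dispatch a caller-supplied string as either a
 * legacy nickname or an RFC 7512 "pkcs11:" URI. All names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ATTRS 8
#define MAX_VAL   128

/* One parsed "name=value" pair from the URI path component. */
struct pk11_attr { char name[32]; char value[MAX_VAL]; };
struct pk11_uri  { struct pk11_attr attrs[MAX_ATTRS]; int count; };

/* Constructed stand-in for objects on the loaded tokens: token label,
 * CKA_LABEL (what NSS calls the nickname) and a subject for display. */
struct sample_cert { const char *token; const char *label; const char *subject; };

static const struct sample_cert certs[] = {
    { "Soft Token", "Signing Key", "CN=Example Signer"  },
    { "Soft Token", "backup",      "CN=Backup"          },
    { "HW Token 1", "Signing Key", "CN=Hardware Signer" },
};

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode src[0..len) into dst (RFC 7512 values use RFC 3986
 * pct-encoding). Returns 0 on success, -1 on a bad escape or overflow. */
static int pct_decode(const char *src, size_t len, char *dst, size_t dstsz) {
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        if (o + 1 >= dstsz) return -1;               /* keep room for the NUL */
        if (src[i] == '%') {
            if (i + 2 >= len) return -1;             /* truncated %XX */
            int hi = hexval(src[i + 1]), lo = hexval(src[i + 2]);
            if (hi < 0 || lo < 0) return -1;
            dst[o++] = (char)(hi * 16 + lo);
            i += 2;
        } else {
            dst[o++] = src[i];
        }
    }
    dst[o] = '\0';
    return 0;
}

/* Parse the path component of "pkcs11:a=b;c=d?query"; the query is ignored.
 * Returns 0 on success, -1 if the string is not a well-formed pkcs11: URI. */
static int pk11_uri_parse(const char *s, struct pk11_uri *out) {
    static const char prefix[] = "pkcs11:";
    out->count = 0;
    if (strncmp(s, prefix, sizeof prefix - 1) != 0) return -1;
    const char *p = s + sizeof prefix - 1;
    const char *end = strchr(p, '?');
    if (!end) end = p + strlen(p);
    while (p < end) {
        const char *sep = memchr(p, ';', (size_t)(end - p));
        const char *attr_end = sep ? sep : end;
        const char *eq = memchr(p, '=', (size_t)(attr_end - p));
        if (!eq || eq == p) return -1;               /* every attribute needs name '=' value */
        if (out->count >= MAX_ATTRS) return -1;
        struct pk11_attr *a = &out->attrs[out->count];
        size_t nlen = (size_t)(eq - p);
        if (nlen >= sizeof a->name) return -1;
        memcpy(a->name, p, nlen);
        a->name[nlen] = '\0';
        if (pct_decode(eq + 1, (size_t)(attr_end - eq - 1), a->value, sizeof a->value) != 0)
            return -1;
        out->count++;
        p = sep ? sep + 1 : end;
    }
    return 0;
}

static const char *pk11_uri_get(const struct pk11_uri *u, const char *name) {
    for (int i = 0; i < u->count; i++)
        if (strcmp(u->attrs[i].name, name) == 0) return u->attrs[i].value;
    return NULL;
}

/* The proposed overload: a "pkcs11:" string is a URI whose "object" attribute
 * plays the nickname role and whose "token" attribute narrows the search;
 * anything else is a plain nickname, so existing callers see no change.
 * A malformed URI is an error, never silently retried as a nickname. */
static const struct sample_cert *find_cert_from_nickname_or_uri(const char *name) {
    struct pk11_uri uri;
    const char *want_label = name, *want_token = NULL;
    if (strncmp(name, "pkcs11:", 7) == 0) {
        if (pk11_uri_parse(name, &uri) != 0) return NULL;
        want_label = pk11_uri_get(&uri, "object");
        want_token = pk11_uri_get(&uri, "token");
        if (!want_label) return NULL;                /* this example requires CKA_LABEL to match on */
    }
    for (size_t i = 0; i < sizeof certs / sizeof certs[0]; i++) {
        if (strcmp(certs[i].label, want_label) != 0) continue;
        if (want_token && strcmp(certs[i].token, want_token) != 0) continue;
        return &certs[i];
    }
    return NULL;
}

int main(void) {
    const char *queries[] = {
        "Signing Key",                                       /* legacy nickname: first token wins */
        "pkcs11:token=HW%20Token%201;object=Signing%20Key",  /* URI disambiguates the token */
        "pkcs11:object=backup?module-name=softokn",          /* query part ignored */
        "pkcs11:object=missing",
        "pkcs11:token=Soft;=oops",                           /* malformed attribute */
    };
    for (size_t i = 0; i < sizeof queries / sizeof queries[0]; i++) {
        const struct sample_cert *c = find_cert_from_nickname_or_uri(queries[i]);
        printf("%-52s -> %s\n", queries[i], c ? c->subject : "(no match)");
    }
    return 0;
}
```

The point the thread makes shows up in the first two queries: a bare nickname behaves exactly as before (and, as with any label-only lookup, returns whichever token is searched first), while the URI form lets the same nickname be pinned to a specific token with no change to the calling application.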