Nelson,

Thanks a lot for your help.

In my case both the attributes CKA_ID and CKA_LABEL are set to the same
unique name regardless of whether the cert subject name is unique or not.
For the corresponding private key the CKA_ID and CKA_LABEL attributes
are also set to the same values as the CKA_ID and CKA_LABEL
attributes of its cert.

From my log file I cannot see a reason why the browser didn't pick
up the selected private key.

Can CKA_ID and CKA_LABEL be set to the same value or not?


Thanks again


Nelson B wrote:
> ben wrote:
>
> > I installed my PKCS11 module into the Firefox browser. I can see my
> > certs on my token from the Certificates Manager of the browser.
>
> > Turn on the option -- "Ask me every time". Then I started a Client Side
> > SSL connection to my web server. The browser popped up the cert
> > selection list box. I selected one. However, my pkcs11 module cannot
> > get the correct selection. It always picks up the first cert.
>
> > Can someone tell me how the browser passes the pkcs11 module a selected
> > cert index?
>
> > Basically I use a selected cert index to locate its private key in the key
> > store and then do a signing job.
>
> I gather that you're a developer of a PKCS#11 module.  Yes?
>
> NSS has a built-in PKCS#11 interface logging facility, to help debugging
> PKCS#11 modules and their interactions with NSS.  To learn about it,
> google for NSS_DEBUG_PKCS11_MODULE .  I suspect it will show you what's
> really going on.
>
> Here are some guesses.  Apparently, the different certs do not appear
> to FireFox to be uniquely identified in some way.  Each of the certificate
> objects in the PKCS#11 module must have a unique CKA_ID attribute.
>
> If the certificates have different subject names, they should also have
> unique CKA_LABEL attributes.  (That is, for each unique subject name,
> there should be a unique CKA_LABEL attribute, IIRC.)
>
> The private key object must have the same CKA_ID attribute value as its
> corresponding certificate object.  (CKA_ID values must be unique among
> objects of the same type, but not among objects of different types.)
> 
> Hope this helps.
> 
> -- 
> Nelson B

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
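The attribute rules Nelson lists (CKA_ID unique among objects of the same class, a private key carrying the same CKA_ID as its certificate, and distinct subjects carrying distinct CKA_LABELs) can be checked mechanically over a module's object store before NSS ever sees it. The script below is an added example written for this thread, not code from either poster or from NSS. It models each PKCS#11 object as a dict of the attributes a module would return from C_GetAttributeValue, and the object store it runs over is constructed sample data (the names alice, bob, carol and dave are made up), with two deliberate defects so that the checker has something to report.

```python
"""Lint a PKCS#11 object store against the CKA_ID / CKA_LABEL rules from the thread.

Assumptions (not from the thread): objects are represented as dicts keyed by
attribute name; CKA_ID is bytes, CKA_LABEL is str, CKA_SUBJECT is the DER
subject as bytes. The CKO_* values are the standard PKCS#11 object classes.
"""
from collections import defaultdict

CKO_CERTIFICATE = 0x1  # CK_OBJECT_CLASS values from the PKCS#11 specification
CKO_PRIVATE_KEY = 0x3

# Constructed sample object store. Objects 0-3 are two well-formed cert/key
# pairs. Object 4 reuses bob's CKA_ID for a different subject, and object 5 is
# a certificate with no private key sharing its CKA_ID.
SAMPLE_OBJECTS = [
    {"CKA_CLASS": CKO_CERTIFICATE, "CKA_ID": b"\x01", "CKA_LABEL": "alice", "CKA_SUBJECT": b"CN=alice"},
    {"CKA_CLASS": CKO_PRIVATE_KEY,  "CKA_ID": b"\x01", "CKA_LABEL": "alice"},
    {"CKA_CLASS": CKO_CERTIFICATE, "CKA_ID": b"\x02", "CKA_LABEL": "bob",   "CKA_SUBJECT": b"CN=bob"},
    {"CKA_CLASS": CKO_PRIVATE_KEY,  "CKA_ID": b"\x02", "CKA_LABEL": "bob"},
    {"CKA_CLASS": CKO_CERTIFICATE, "CKA_ID": b"\x02", "CKA_LABEL": "carol", "CKA_SUBJECT": b"CN=carol"},
    {"CKA_CLASS": CKO_CERTIFICATE, "CKA_ID": b"\x04", "CKA_LABEL": "dave",  "CKA_SUBJECT": b"CN=dave"},
]


def check_object_store(objects):
    """Return a list of human-readable findings; an empty list means all rules hold."""
    findings = []

    # Rule 1: CKA_ID must be unique among objects of the same class (it may be
    # shared across classes, which is exactly how a key is tied to its cert).
    by_class_and_id = defaultdict(list)
    for index, obj in enumerate(objects):
        by_class_and_id[(obj["CKA_CLASS"], obj["CKA_ID"])].append(index)
    for (cls, cka_id), indices in sorted(by_class_and_id.items()):
        if len(indices) > 1:
            findings.append(f"duplicate CKA_ID {cka_id.hex()} in class {cls:#x}: objects {indices}")

    # Rule 2: every certificate needs a private key object with the same CKA_ID,
    # otherwise the application cannot find the key to sign with.
    key_ids = {obj["CKA_ID"] for obj in objects if obj["CKA_CLASS"] == CKO_PRIVATE_KEY}
    subjects_by_label = defaultdict(set)
    for index, obj in enumerate(objects):
        if obj["CKA_CLASS"] != CKO_CERTIFICATE:
            continue
        if obj["CKA_ID"] not in key_ids:
            findings.append(
                f"certificate {index} (CKA_ID {obj['CKA_ID'].hex()}) has no private key with the same CKA_ID"
            )
        subjects_by_label[obj["CKA_LABEL"]].add(obj["CKA_SUBJECT"])

    # Rule 3: certificates with different subject names should not share a CKA_LABEL.
    for label, subjects in sorted(subjects_by_label.items()):
        if len(subjects) > 1:
            findings.append(f"CKA_LABEL {label!r} is shared by {len(subjects)} different subjects")

    return findings


if __name__ == "__main__":
    for finding in check_object_store(SAMPLE_OBJECTS) or ["object store is consistent"]:
        print(finding)
```

Run as-is it reports the two planted defects (the duplicated certificate CKA_ID and the certificate without a key); run over only the first four objects it reports nothing. To use it against a real module, replace SAMPLE_OBJECTS with the attributes read back through C_FindObjects and C_GetAttributeValue.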
