On 2010-05-04 06:41 PST, M.Hunstock wrote:
> Hi all,
> 
> I am currently developing an application for cryptographic
> personalization of smart cards. One of the important usage scenarios is
> (of course) SSL client authentication via a web browser. Now that my app
> "produces" cards, I have a strange effect when trying to use them.
> 
> There is a PKCS#11 module for the tokens used, which loads and works
> fine e.g. in Firefox. When a token is inserted, Firefox shows the
> certificate on the token only in the "Other Persons" tab, but not in
> "Your certificates" although there is a matching keypair on the token
> and I manually logged into the token...
> In IE it works correctly (but that does not use PKCS#11), so the card's
> contents cannot be totally wrong.
> 
> That results in 2 questions from me:
> 
> 1. What are the criteria NSS uses for distinguishing between "own" and
> "others" certificates?

If NSS can find, in one of the local PKCS#11 modules, the private key
corresponding to the public key for a certificate, then it shows that
certificate as "your own", otherwise it does not.

IIRC, NSS will expect that the private key object will have the same
CKA_ID attribute value as the CKA_ID attribute value on the certificate.
That is, NSS will search for a private key with the matching CKA_ID
and if one is found, it will presume that is the corresponding private
key.  If none is found, it will presume that the token does not possess
the corresponding private key.

> 2. I recently read that there is a hidden flag to mark a token
> implementation as "friendly", allowing searching for certificates
> without logging in. Is there any chance to set this via GUI,
> about:config or hex editor?

Better yet, use NSS's command line utility program "modutil" and set
the "FRIENDLY" pseudo-mechanism as a default on that module.
http://www.mozilla.org/projects/security/pki/nss/tools/modutil.html
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
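As an added example (not code from this thread and not NSS's own implementation): the CKA_ID matching rule from the reply, applied to constructed PKCS#11-style objects so it runs without a token, plus a diagnosis of why a certificate would end up under "Other Persons". The object layout, labels and CKA_ID values are assumptions for illustration.

```python
from dataclasses import dataclass

# PKCS#11 object class values (CKO_*) from the PKCS#11 specification
CKO_CERTIFICATE = 0x01
CKO_PRIVATE_KEY = 0x03

@dataclass(frozen=True)
class TokenObject:
    """Stand-in for a PKCS#11 object: its CKA_CLASS, CKA_ID and CKA_LABEL."""
    cka_class: int
    cka_id: bytes
    cka_label: str

def classify_certificates(objects):
    """Return (own, other) labels using the rule from the reply: a certificate
    is 'own' only if some private key carries a byte-identical CKA_ID."""
    private_ids = {o.cka_id for o in objects if o.cka_class == CKO_PRIVATE_KEY}
    own, other = [], []
    for o in objects:
        if o.cka_class == CKO_CERTIFICATE:
            (own if o.cka_id in private_ids else other).append(o.cka_label)
    return own, other

def diagnose(objects):
    """For each certificate not classed as 'own', say why: no private key at
    all, or a same-label key whose CKA_ID differs (a personalization bug)."""
    keys = [o for o in objects if o.cka_class == CKO_PRIVATE_KEY]
    reasons = {}
    for cert in (o for o in objects if o.cka_class == CKO_CERTIFICATE):
        if any(k.cka_id == cert.cka_id for k in keys):
            continue  # matching CKA_ID found, NSS would show it as yours
        same_label = [k for k in keys if k.cka_label == cert.cka_label]
        if same_label:
            reasons[cert.cka_label] = "key CKA_ID %r != cert CKA_ID %r" % (
                same_label[0].cka_id, cert.cka_id)
        else:
            reasons[cert.cka_label] = "no private key on token"
    return reasons

# Constructed token contents (not read from a real card): a correct pair, a CA
# certificate with no key, and a pair whose private key got an empty CKA_ID.
SAMPLE_TOKEN = [
    TokenObject(CKO_CERTIFICATE, b"\x01", "auth"),
    TokenObject(CKO_PRIVATE_KEY, b"\x01", "auth"),
    TokenObject(CKO_CERTIFICATE, b"\x02", "issuing-ca"),
    TokenObject(CKO_CERTIFICATE, b"\x03", "sign"),
    TokenObject(CKO_PRIVATE_KEY, b"", "sign"),
]
```

With a real card, the same two functions can be fed objects enumerated through any PKCS#11 binding after logging in, which is the quickest way to confirm whether the personalization step wrote a matching CKA_ID on both objects.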