On 04.05.2010 18:42, Nelson B Bolyard wrote:

> IIRC, NSS will expect that the private key object will have the same
> CKA_ID attribute value as the CKA_ID attribute value on the certificate.

Oh yes. I actually knew that, and the application did it that way when putting the certs on the token. Apparently a bug has crept in since I last tested the token with a browser: the IDs were different.

> That is, NSS will search for a private key with the matching CKA_ID
> and if one is found, it will presume that is the corresponding private
> key. If none is found, it will presume that the token does not possess
> the corresponding private key.

That seems true. Now the IDs are equal, and another problem arises. The certificate is now shown in the "Your certificates" tab, but something seems to be wrong with the labels. The certificate cannot be linked to the certificate chain somehow. Unfortunately, setting a label on the certificate object doesn't seem to work with that particular PKCS#11 library.

When I inspect a "proper" card, the label is some human-readable stuff like:

Certificate Object, type = X.509 cert
  label:      Test Intermediate'S Test Root
  ID:         62b2e17482644a87ce0943eff93c272e515c7d7e

or

Certificate Object, type = X.509 cert
  label:      Test Root'S Test Root
  ID:         121ba8e8c6ffe3d6b7ea596fad1d18235cdf69c7

Is there some magic done with the labels, too? In the code pointed out by Honza I can only find a match on the ID:

http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/pk11wrap/pk11obj.c#1573

>> Is there any chance to set this via GUI,
>> about:config or hex editor?
>
> Better yet, use NSS's command line utility program "modutil" and set
> the "FRIENDLY" pseudo-mechanism as a default on that module.
> http://www.mozilla.org/projects/security/pki/nss/tools/modutil.html

Didn't know that tool - thanks!

MH

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
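The lookup the thread describes, as an added example that is not part of the original message and not NSS's own code: a small model of how a PKCS#11 consumer such as NSS decides whether a certificate object on a token is "yours". The decision is made by searching for a private-key object whose CKA_ID equals the certificate's CKA_ID; CKA_LABEL is not consulted, so a missing or unwritable label cannot by itself hide a certificate. The object dictionaries are constructed sample data standing in for a C_FindObjects enumeration, and id_from_modulus (SHA-1 of the RSA modulus) is an assumption about how the IDs on the "proper" card were derived, not something the thread states.

```python
"""
Model of the CKA_ID-based private-key lookup described in the thread.

Added example: not from the original mailing-list message and not NSS
code. Token contents below are constructed for illustration.
"""
import hashlib

# PKCS#11 object-class values (CKO_*) for the attributes we model.
CKO_CERTIFICATE = 1
CKO_PRIVATE_KEY = 3


def id_from_modulus(modulus: bytes) -> bytes:
    """Derive a 20-byte CKA_ID from an RSA modulus.

    Assumption (not stated in the thread): the 40-hex-digit IDs seen on
    the 'proper' card are SHA-1 digests of the public key's modulus.
    """
    return hashlib.sha1(modulus).digest()


def find_private_key(objects, cert):
    """Mirror the lookup: the first private key whose CKA_ID matches the
    certificate's CKA_ID, or None. CKA_LABEL is deliberately ignored."""
    for obj in objects:
        if obj["CKA_CLASS"] == CKO_PRIVATE_KEY and obj["CKA_ID"] == cert["CKA_ID"]:
            return obj
    return None


def classify_certificates(objects):
    """Split certificate labels into ('your certificates', 'no key on token')."""
    mine, others = [], []
    for obj in objects:
        if obj["CKA_CLASS"] != CKO_CERTIFICATE:
            continue
        target = mine if find_private_key(objects, obj) else others
        target.append(obj["CKA_LABEL"])
    return mine, others


def orphan_keys(objects):
    """Labels of private keys whose CKA_ID matches no certificate: the
    symptom of the ID mismatch the poster hit."""
    cert_ids = {o["CKA_ID"] for o in objects if o["CKA_CLASS"] == CKO_CERTIFICATE}
    return [o["CKA_LABEL"] for o in objects
            if o["CKA_CLASS"] == CKO_PRIVATE_KEY and o["CKA_ID"] not in cert_ids]


# Constructed sample moduli (not real keys) just to produce distinct IDs.
ALICE_ID = id_from_modulus(b"constructed-alice-modulus")
INTER_ID = id_from_modulus(b"constructed-intermediate-modulus")
ROOT_ID = id_from_modulus(b"constructed-root-modulus")

# Token as it should look: cert and key share CKA_ID; their labels differ,
# which does not matter. Chain certs carry no private key.
TOKEN_OK = [
    {"CKA_CLASS": CKO_CERTIFICATE, "CKA_LABEL": "Test Intermediate'S Alice", "CKA_ID": ALICE_ID},
    {"CKA_CLASS": CKO_PRIVATE_KEY, "CKA_LABEL": "alice-key", "CKA_ID": ALICE_ID},
    {"CKA_CLASS": CKO_CERTIFICATE, "CKA_LABEL": "Test Root'S Test Intermediate", "CKA_ID": INTER_ID},
    {"CKA_CLASS": CKO_CERTIFICATE, "CKA_LABEL": "Test Root'S Test Root", "CKA_ID": ROOT_ID},
]

# Token with the bug from the thread: the key was written with a
# different CKA_ID, so the end-entity cert appears to have no key.
TOKEN_BUGGY = [dict(o) for o in TOKEN_OK]
TOKEN_BUGGY[1]["CKA_ID"] = id_from_modulus(b"constructed-wrong-id-source")


if __name__ == "__main__":
    for name, token in (("ok", TOKEN_OK), ("buggy", TOKEN_BUGGY)):
        mine, others = classify_certificates(token)
        print(f"{name}: your certificates={mine} others={others} "
              f"orphan keys={orphan_keys(token)}")
```

To run the same check against a real token, replace the constructed lists with the CKA_CLASS, CKA_ID and CKA_LABEL attributes read through a PKCS#11 wrapper (for example PyKCS11's findObjects/getAttributeValue); a non-empty orphan_keys result is the first thing to look at when a certificate fails to show up under "Your certificates".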