On 05.05.2010 08:59, Kaspar Brand wrote:

> Does your cert / CKO_CERTIFICATE object lack a label?

My application sets it to "null" (Java app), but even when I put
something into that label, there are strange results.

I read the labels with pkcs11-tool from OpenSC, and it prints out
something. But on a working card, it prints something like

Certificate Object, type = X.509 cert
  label:      Test ID von Test Eins RA29'S Test ID von Test Eins RA29
  ID:         2c16ebc2d33234a1d51a4939b46e52e847c602e7

On a card that comes from my app, it prints

Certificate Object, type = X.509 cert
  label:      OldKeyPairTest's Test ID - 02040FF11421
  ID:         db286c66aa9e50465801fd2f690afe090fd29d1d

I did not investigate further yet, but the difference in the label (or
the actual thing that causes this difference) prevents Mozilla from
building the trust chain for that cert. Unfortunately it looks like the
pkcs11-tool makes some transformation to the label. Next I will try to
read the "real" label from the token with my app and compare the values
of working and broken tokens.


> If the CKA_LABEL attribute is empty, then cert->nickname is also NULL,
> and getCertType will therefore treat it as nsIX509Cert::UNKNOWN_CERT -
> so it will show up in the "Others" tab (even if NSS sees the private key).

In the meantime it appears in the correct tab, but the trust chain
cannot be built. It says something like "this certificate could not be
verified for an unknown reason" (I have a localized version of FF).
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
