After generating a key pair, mozilla tests the key pair to ensure that it works before considering it valid and using it.
If the newly generated private key has the CKA_DECRYPT attribute set, mozilla will encrypt some data with the public key and then attempt to decrypt it on your token with the newly generated private key. If that fails, mozilla will treat the newly generated key pair as invalid. I think your test failed at this step. If a module does not implement C_DecryptInit then it should not set the CKA_DECRYPT attribute on any generated private key.

If the newly generated private key has the CKA_SIGN attribute set, mozilla will attempt to sign some data using the new private key, and then will attempt to verify the signature using the public key. If that fails, then the newly generated key pair will be considered invalid.

Only after these steps succeed will mozilla consider the new key pair valid. Note that mozilla will typically NOT use an external token to do the public key operations, but rather will get the generated public key value and do the public key operations in NSS's built-in PKCS 11 token.

-- 
Nelson Bolyard
Netscape
Disclaimer: I speak for myself, not for Netscape
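The post-generation check described above, as an added illustration that is not NSS code: a hypothetical `SoftwareToken` stands in for the PKCS#11 module holding the new private key, the public-key operations are done locally (as NSS does in its built-in token), and the key pair is accepted only if every operation the private key's attributes advertise round-trips. The RSA key is a constructed toy (Mersenne primes) for an offline run, not a secure key.

```python
import hashlib
import os

# Constructed toy RSA key for the demo (Mersenne primes); far too small for real use.
P, Q = 2**127 - 1, 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


class SoftwareToken:
    """Hypothetical stand-in for a PKCS#11 module that holds the new private key."""

    def __init__(self, attrs, implements_decrypt=True):
        self.attrs = attrs                      # e.g. {"CKA_DECRYPT": True, "CKA_SIGN": True}
        self.implements_decrypt = implements_decrypt

    def decrypt(self, ciphertext):
        if not self.implements_decrypt:         # module without C_DecryptInit
            raise NotImplementedError("CKR_FUNCTION_NOT_SUPPORTED")
        return pow(ciphertext, D, N)

    def sign(self, digest):
        return pow(digest, D, N)


# Public-key operations run locally, mirroring NSS using its built-in token.
def public_encrypt(m):
    return pow(m, E, N)


def public_verify(signature, digest):
    return pow(signature, E, N) == digest


def validate_keypair(token):
    """Return True only if every advertised private-key operation round-trips."""
    if token.attrs.get("CKA_DECRYPT"):
        m = int.from_bytes(os.urandom(16), "big")   # 128-bit test message, < N
        try:
            if token.decrypt(public_encrypt(m)) != m:
                return False
        except NotImplementedError:             # CKA_DECRYPT set but decrypt unsupported
            return False
    if token.attrs.get("CKA_SIGN"):
        digest = int.from_bytes(hashlib.sha256(b"keypair check").digest(), "big") % N
        if not public_verify(token.sign(digest), digest):
            return False
    return True
```

A module that sets CKA_DECRYPT without implementing decryption fails the check, while the same module that omits the attribute and advertises only CKA_SIGN passes.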
