Hello all,
I'm currently using NSS with Baltimore PKCS#11-compliant hardware. I would like to sign a message with the private key that resides on this hardware. It works perfectly with NSS 3.2.1 but not with NSS 3.6.0.
After some investigation, I've found that the problem comes from the function "pk11_getcerthandle" (the high-level call is "SEC_PKCS7Encode"). This function is different in NSS 3.6.0 than in 3.2.1 (you can see the differences in the code below).
The behavior of this function is quite strange: the first time it returns 0 (failed), and then, if we immediately re-run the function, it works perfectly! (because of this instruction: cert->series = slot->series;)
So, my questions are:
- why is the code different in NSS 3.6?
- what's the meaning of cert->series and slot->series?
The modification appears in the file 'pk11cert.c' between the version 1.82 and 1.83.
The author of this modification is Bob Relyea.
Thanks in advance!
Julien
----------------------------------------------------------------------
/* NSS 3.2.1
* get a certificate handle, look at the cached handle first..
*/
CK_OBJECT_HANDLE
pk11_getcerthandle(PK11SlotInfo *slot, CERTCertificate *cert,
CK_ATTRIBUTE *theTemplate,int tsize)
{
CK_OBJECT_HANDLE certh;
if (cert->slot == slot) {
certh = cert->pkcs11ID;
if (certh == CK_INVALID_KEY) {
certh = pk11_FindObjectByTemplate(slot,theTemplate,tsize);
cert->pkcs11ID = certh;
}
} else {
certh = pk11_FindObjectByTemplate(slot,theTemplate,tsize);
}
return certh;
}
----------------------------------------------------------------------
/* NSS 3.6.0
* get a certificate handle, look at the cached handle first..
*/
CK_OBJECT_HANDLE
pk11_getcerthandle(PK11SlotInfo *slot, CERTCertificate *cert,
CK_ATTRIBUTE *theTemplate,int tsize)
{
CK_OBJECT_HANDLE certh;
if (cert->slot == slot) {
certh = cert->pkcs11ID;
if ((certh == CK_INVALID_HANDLE) ||
(cert->series != slot->series)) {
certh = pk11_FindObjectByTemplate(slot,theTemplate,tsize);
cert->pkcs11ID = certh;
cert->series = slot->series;
}
} else {
certh = pk11_FindObjectByTemplate(slot,theTemplate,tsize);
}
return certh;
}
--
Julien REGIBEAU
e-Security Systems Engineer
IT/OPS, e-Business Solutions.
S.W.I.F.T. SCRL
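To make the difference between the two versions of the caching logic concrete, here is an added example written for this page; it is not NSS code and not part of the message above. It models a slot whose `series` field is a generation counter that is bumped whenever the token behind the slot is re-initialised (for instance removed and re-inserted), so that object handles issued by the previous token generation are no longer valid. That reading of `series` is an assumption made for the model, as are the `Slot`/`Cert` structs, `find_object()` (standing in for `pk11_FindObjectByTemplate`) and `token_reinsert()`. Both versions of `pk11_getcerthandle` are reproduced against this model so the stale-handle case and the retry-after-failure case can be run side by side.

```c
#include <stdbool.h>
#include <stdio.h>

/* Minimal stand-ins for the PKCS#11 types used by pk11_getcerthandle. */
typedef unsigned long CK_OBJECT_HANDLE;
#define CK_INVALID_HANDLE 0UL

/*
 * Hypothetical model of a slot (an assumption, not NSS's real struct):
 * "series" is a generation counter, bumped each time the token is
 * re-initialised. Handles from an older generation are meaningless now.
 */
typedef struct {
    int series;
    bool token_present;
    CK_OBJECT_HANDLE live_handle;   /* handle the current token gives the cert */
    int find_calls;                 /* how often we went to the token (demo) */
} Slot;

typedef struct {
    Slot *slot;
    CK_OBJECT_HANDLE pkcs11ID;      /* cached object handle */
    int series;                     /* slot generation the cache was filled in */
} Cert;

/* Stand-in for pk11_FindObjectByTemplate: ask the token for the object. */
static CK_OBJECT_HANDLE find_object(Slot *slot) {
    slot->find_calls++;
    return slot->token_present ? slot->live_handle : CK_INVALID_HANDLE;
}

/* Token removed and re-inserted: new generation, new handle values. */
static void token_reinsert(Slot *slot) {
    slot->series++;
    slot->live_handle += 100;
    slot->token_present = true;
}

/* Caching logic of NSS 3.2.1 as quoted above: the series is ignored. */
static CK_OBJECT_HANDLE getcerthandle_321(Slot *slot, Cert *cert) {
    CK_OBJECT_HANDLE certh;
    if (cert->slot == slot) {
        certh = cert->pkcs11ID;
        if (certh == CK_INVALID_HANDLE) {
            certh = find_object(slot);
            cert->pkcs11ID = certh;
        }
    } else {
        certh = find_object(slot);
    }
    return certh;
}

/* Caching logic of NSS 3.6.0: the cache is trusted only within one series. */
static CK_OBJECT_HANDLE getcerthandle_360(Slot *slot, Cert *cert) {
    CK_OBJECT_HANDLE certh;
    if (cert->slot == slot) {
        certh = cert->pkcs11ID;
        if (certh == CK_INVALID_HANDLE || cert->series != slot->series) {
            certh = find_object(slot);
            cert->pkcs11ID = certh;
            cert->series = slot->series;
        }
    } else {
        certh = find_object(slot);
    }
    return certh;
}

typedef CK_OBJECT_HANDLE (*getcerthandle_fn)(Slot *, Cert *);

/*
 * Look the cert up twice, re-insert the token, look it up again. Returns true
 * when the last lookup yields the handle the token now actually uses, i.e.
 * when no stale handle leaks out of the cache. find_calls may be NULL.
 */
static bool survives_token_reinsert(getcerthandle_fn fn, int *find_calls) {
    Slot slot = { .series = 1, .token_present = true, .live_handle = 7 };
    Cert cert = { .slot = &slot, .pkcs11ID = CK_INVALID_HANDLE, .series = 0 };

    CK_OBJECT_HANDLE h1 = fn(&slot, &cert);     /* goes to the token */
    CK_OBJECT_HANDLE h1b = fn(&slot, &cert);    /* served from the cache */
    token_reinsert(&slot);
    CK_OBJECT_HANDLE h2 = fn(&slot, &cert);

    if (find_calls) *find_calls = slot.find_calls;
    return h1 == 7 && h1b == 7 && h2 == slot.live_handle;
}

/*
 * First lookup fails (token not ready), second one succeeds. In both versions
 * an invalid cached handle is retried, so a failure is never cached for good.
 */
static bool retries_after_failure(getcerthandle_fn fn) {
    Slot slot = { .series = 1, .token_present = false, .live_handle = 7 };
    Cert cert = { .slot = &slot, .pkcs11ID = CK_INVALID_HANDLE, .series = 0 };

    CK_OBJECT_HANDLE first = fn(&slot, &cert);
    slot.token_present = true;
    CK_OBJECT_HANDLE second = fn(&slot, &cert);
    return first == CK_INVALID_HANDLE && second == 7;
}

int main(void) {
    int calls;
    printf("3.2.1 after re-insert: %s (%d token lookups)\n",
           survives_token_reinsert(getcerthandle_321, &calls) ? "fresh" : "STALE", calls);
    printf("3.6.0 after re-insert: %s (%d token lookups)\n",
           survives_token_reinsert(getcerthandle_360, &calls) ? "fresh" : "STALE", calls);
    printf("retry after failed lookup (3.6.0): %s\n",
           retries_after_failure(getcerthandle_360) ? "ok" : "cached failure");
    return 0;
}
```

In this model the 3.2.1 logic keeps handing out the handle cached before the token was re-inserted, while the 3.6.0 logic notices the series mismatch and goes back to the token once, then caches the new handle. The price of the extra check is exactly one additional `pk11_FindObjectByTemplate` per series change, which is what the model's `find_calls` counter shows.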