Re: NSS and PKCS#11 Certificate+Private key

2010-10-10 Thread Matej Kurpel

 On 9. 10. 2010 14:44, Matej Kurpel wrote:

 Hello,
I am developing a PKCS#11 module for my diploma thesis and I am having 
problems with Thunderbird not recognizing my certificate for signing. 
When I want to set it for signing using the Security tab of Account 
settings (by clicking Select...), Thunderbird says that Certificate 
Manager can't locate a valid certificate that can be used to digitally 
sign your messages.
However, I am able to view it properly, using the Certificate Manager. 
It states that the certificate has been verified for some number of 
purposes, including Email signer Certificate. It is a self-signed 
certificate and has object handle 1 in my device, and its CKA_ID is 
ID_Mek.
The private key for this certificate has the same CKA_ID and the 
object handle is 2. In my opensc-spy log I can see that it should work 
this way:

- Thunderbird searches for token certificates
- Gets attributes of the certificates (including CKA_ID)
- Searches for private keys with the same CKA_ID
- ...Continues with whatever it needs to do.
I can see the first three steps repeating twice, and then Thunderbird 
gives up. I really don't understand why it doesn't proceed; I am 
giving it object handle 2 as my private key, so where is the problem?...

I am attaching my opensc-spy log with unnecessary info stripped out.
Thanks in advance for any clues.

Matej Kurpel

--- SPY LOG BEGIN 
9: C_OpenSession
[in] slotID = 0x0
[in] flags = 0x4
pApplication=067E3000
Notify=6A2D5E19
[out] *phSession = 0x1
Returned:  0 CKR_OK


10: C_FindObjectsInit
[in] hSession = 0x1
[in] pTemplate[1]:
CKA_CLASS CKO_NETSCAPE_BUILTIN_ROOT_LIST
Returned:  19 CKR_ATTRIBUTE_VALUE_INVALID


11: C_FindObjectsInit
[in] hSession = 0x1
[in] pTemplate[2]:
CKA_TOKEN True
CKA_CLASS CKO_CERTIFICATE
Returned:  0 CKR_OK


12: C_FindObjects
[in] hSession = 0x1
[in] ulMaxObjectCount = 0xa
[out] ulObjectCount = 0x1
Object 1 Matches
Returned:  0 CKR_OK


13: C_FindObjectsFinal
[in] hSession = 0x1
Returned:  0 CKR_OK


14: C_GetAttributeValue
[in] hSession = 0x1
[in] hObject = 0x1
[in] pTemplate[2]:
CKA_TOKEN requested with 0 buffer
CKA_LABEL requested with 0 buffer
[out] pTemplate[2]:
CKA_TOKEN has size 4
CKA_LABEL has size 8
Returned:  0 CKR_OK


15: C_GetAttributeValue
[in] hSession = 0x1
[in] hObject = 0x1
[in] pTemplate[2]:
CKA_TOKEN requested with 4 buffer
CKA_LABEL requested with 8 buffer
[out] pTemplate[2]:
CKA_TOKEN True
CKA_LABEL [size : 0x8 (8)]
43657274 204D656B
 C e r t  . M e k
Returned:  0 CKR_OK


16: C_GetAttributeValue
[in] hSession = 0x1
[in] hObject = 0x1
[in] pTemplate[10]:
CKA_CLASS requested with 0 buffer
CKA_TOKEN requested with 0 buffer
CKA_LABEL requested with 0 buffer
CKA_CERTIFICATE_TYPE  requested with 0 buffer
CKA_ID requested with 0 buffer
CKA_VALUE requested with 0 buffer
CKA_ISSUER requested with 0 buffer
CKA_SERIAL_NUMBER requested with 0 buffer
CKA_SUBJECT   requested with 0 buffer
CKA_NETSCAPE_EMAIL(Netsc)  requested with 0 buffer

[out] pTemplate[10]:
CKA_CLASS has size 4
CKA_TOKEN has size 4
CKA_LABEL has size 8
CKA_CERTIFICATE_TYPE  has size 4
CKA_ID has size 6
CKA_VALUE has size 676
CKA_ISSUER has size 107
CKA_SERIAL_NUMBER has size 11
CKA_SUBJECT   has size 107
CKA_NETSCAPE_EMAIL(Netsc)  has size -1
Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID


17: C_GetAttributeValue
[in] hSession = 0x1
[in] hObject = 0x1
[in] pTemplate[10]:
CKA_CLASS requested with 4 buffer
CKA_TOKEN requested with 4 buffer
CKA_LABEL requested with 8 buffer
CKA_CERTIFICATE_TYPE  requested with 4 buffer
CKA_ID requested with 6 buffer
CKA_VALUE requested with 676 buffer
CKA_ISSUER requested with 107 buffer
CKA_SERIAL_NUMBER requested with 11 buffer
CKA_SUBJECT   requested with 107 buffer
CKA_NETSCAPE_EMAIL(Netsc)  requested with 0 buffer

[out] pTemplate[10]:
CKA_CLASS CKO_CERTIFICATE
CKA_TOKEN True
CKA_LABEL [size : 0x8 (8)]
43657274 204D656B
 C e r t  . M e k
CKA_CERTIFICATE_TYPE  CKC_X_509
CKA_ID [size : 0x6 (6)]
49445F4D 656B
CKA_VALUE [size : 0x2A4 (676)]
308202A0 30820209 A0030201 02020900 92159945 D0C657FE 300D0609 
2A864886
F70D0101 05050030 69310B30 09060355 04061302 534B3111 300F0603 
5504080C
08536C6F 76616B69 61311030 0E060355 04070C07 5472656E 63696E31 
15301306
   

Re: NSS and PKCS#11 Certificate+Private key

2010-10-10 Thread Matej Kurpel

 On 10. 10. 2010 14:41, Matej Kurpel wrote:

 On 9. 10. 2010 14:44, Matej Kurpel wrote:


Re: NSS and PKCS#11 Certificate+Private key

2010-10-10 Thread Nelson B Bolyard
On 2010-10-10 07:45 PDT, Matej Kurpel wrote:

 Never mind, solved it myself. What turned out to be the problem, was 
 that the CK_BBOOL values were 4-bytes and not 1 byte in size. 

Glad you figured it out.  I think we could not have helped you
without a LOT of work and looking at your code.
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
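
The size mismatch named in the thread, as an added example that is not code from the original posts, from the module under discussion, or from NSS. It declares a local subset of the PKCS#11 types so it builds without pkcs11.h; the helper names and the caller are hypothetical, and the caller only shows one way a 4-byte boolean can fail against a 1-byte CK_BBOOL buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local subset of PKCS#11 types/constants (values as in the specification). */
typedef unsigned char CK_BBOOL;              /* one byte by definition */
typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_RV;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CK_TRUE 1
#define CKA_TOKEN 0x00000001UL
#define CKR_OK 0x00000000UL
#define CKR_BUFFER_TOO_SMALL 0x00000150UL
#define CK_UNAVAILABLE_INFORMATION (~0UL)

/* Hypothetical module helper: size query when pValue is NULL, else copy. */
static CK_RV answer(CK_ATTRIBUTE *a, const void *src, CK_ULONG len) {
    if (a->pValue == NULL) { a->ulValueLen = len; return CKR_OK; }
    if (a->ulValueLen < len) {
        a->ulValueLen = CK_UNAVAILABLE_INFORMATION;
        return CKR_BUFFER_TOO_SMALL;
    }
    memcpy(a->pValue, src, len);
    a->ulValueLen = len;
    return CKR_OK;
}

/* As in the log ("CKA_TOKEN has size 4"): boolean held as a 4-byte integer. */
CK_RV token_attr_4byte(CK_ATTRIBUTE *a) { uint32_t v = 1; return answer(a, &v, sizeof v); }
/* Corrected: boolean held and reported as a one-byte CK_BBOOL. */
CK_RV token_attr_1byte(CK_ATTRIBUTE *a) { CK_BBOOL v = CK_TRUE; return answer(a, &v, sizeof v); }

/* Length the module reports on a size query (pValue == NULL). */
CK_ULONG reported_size(CK_RV (*get)(CK_ATTRIBUTE *)) {
    CK_ATTRIBUTE a = { CKA_TOKEN, NULL, 0 };
    get(&a);
    return a.ulValueLen;
}
/* Hypothetical caller passing a sizeof(CK_BBOOL) buffer; 1 if it read CK_TRUE. */
int caller_sees_true(CK_RV (*get)(CK_ATTRIBUTE *)) {
    CK_BBOOL flag = 0;
    CK_ATTRIBUTE a = { CKA_TOKEN, &flag, sizeof flag };
    return get(&a) == CKR_OK && flag == CK_TRUE;
}

int main(void) {
    printf("4-byte: size=%lu ok=%d\n", reported_size(token_attr_4byte), caller_sees_true(token_attr_4byte));
    printf("1-byte: size=%lu ok=%d\n", reported_size(token_attr_1byte), caller_sees_true(token_attr_1byte));
    return 0;
}
```

In a spy log, a boolean attribute such as CKA_TOKEN reporting any size other than 1 on the size query is the sign to look for.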