Robert Relyea wrote, On 2008-03-26 18:13:
> Subrata Mazumdar wrote:
>> Hi,
>> is there any way I can find the certificate associated with a public key
>> using
>> the SubjectPublicKeyInfo (CERTSubjectPublicKeyInfo)?
>>
>> I am looking for public API and not too low level.
>> I looked in the .../nss/certdb/cert.h and .../nss/pk11wrap/pk11pub.h
>> files - couldn't find anything appropriate.
>>
>> Also, is there any way I can find the private key using info in
>> SubjectPublicKeyInfo if the related private key exists in the key DB?
>> If I can find the private key then I can use
>> PK11_GetCertFromPrivateKey() method to find the related cert.
>>
>
> Sigh, Certificates are indexed by public key (which is what's in a SPKI
> structure), at least not directly.

I'm pretty sure that Bob meant: ... are NOT indexed by public key ...

> Private Keys have a potential index (the CKA_ID value is often a hash of
> a unique component of the public key), but that's not guaranteed.

It's true that applications that use NSS's softoken PKCS#11 module, but do
not use the rest of NSS, might create objects whose CKA_IDs are not derived
from the public key, but I'm pretty sure that NSS-based programs, such as
Mozilla clients, all do derive the CKA_ID from the public key (modulus, for
RSA).

So, if Subrata is only concerned with objects that would have been placed
into the DB by a program using NSS, then I think he could find the objects
by searching by CKA_ID with C_FindObjects.

Assuming that's correct, what public NSS function would he use to attempt
that search by CKA_ID?

> Probably the best way is to use PK11_TraverseSlotCerts and compare the
> cert's SPKI with your SPKI. Not really the best way if you need to do
> this a lot.

That's the best way when searching through tokens on which objects may
have been created by non-NSS software.

> You could also use PK11_ListCerts, looking for just the user certs,
> which should give you a smaller list than PK11_TraverseSlotCerts.
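
The scan-and-compare approach discussed in this thread, as an added example that is not part of the original messages and is not NSS code: a standalone Python sketch that pulls the SubjectPublicKeyInfo out of DER certificates, matches it by linear scan, and builds an index for repeated lookups. All function names are hypothetical, the sample certificates are constructed structural stand-ins, and keying the index on SHA-256 of the SPKI is an assumption for illustration, not how NSS derives CKA_ID.

```python
import hashlib

def tlv(tag, body):  # DER-encode one tag/length/value triple (definite length)
    n = len(body)
    k = (n.bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + length + body

def read_tlv(buf, off):
    """Return (tag, body_start, end) for the TLV that starts at buf[off]."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:                                   # long-form length
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    if off + n > len(buf):
        raise ValueError("truncated DER")
    return tag, off, off + n

def cert_spki(der):
    """Return the DER bytes of subjectPublicKeyInfo from an X.509 certificate."""
    _, body, _ = read_tlv(der, 0)                  # Certificate
    _, off, tbs_end = read_tlv(der, body)          # tbsCertificate
    fields = []
    while off < tbs_end:
        tag, _, end = read_tlv(der, off)
        fields.append((tag, der[off:end]))
        off = end
    # Optional [0] version, then serial, sigAlg, issuer, validity, subject, SPKI.
    return fields[6 if fields[0][0] == 0xA0 else 5][1]

def find_by_scan(certs, spki):  # linear scan: compare each cert's SPKI with ours
    return [name for name, der in certs if cert_spki(der) == spki]

def build_index(certs):  # one pass, then constant-time lookups by SPKI hash
    index = {}
    for name, der in certs:
        index.setdefault(hashlib.sha256(cert_spki(der)).digest(), []).append(name)
    return index

# Constructed sample data: structural stand-ins, not valid signed certificates.
ALG = tlv(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption, NULL
def make_spki(key):
    return tlv(0x30, ALG + tlv(0x03, b"\x00" + key))
def make_cert(serial, key, v3=True):
    version = tlv(0xA0, tlv(0x02, b"\x02")) if v3 else b""
    tbs = tlv(0x30, version + tlv(0x02, bytes([serial])) + ALG + tlv(0x30, b"") * 3 + make_spki(key))
    return tlv(0x30, tbs + ALG + tlv(0x03, b"\x00sig"))
KEY_A, KEY_B = b"\x01" * 140, b"\x02" * 140
CERTS = [("a-v3", make_cert(1, KEY_A)), ("b", make_cert(2, KEY_B)),
         ("a-v1", make_cert(3, KEY_A, v3=False))]
```

Two certificates carrying the same key both match, which is why a lookup by public key returns a list rather than a single certificate.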