Nelson,
thanks for your suggestion. I am not very familiar with the low-level 
PK11 API.
Which public functions should I use to get the CKA_ID and find the cert 
using the CKA_ID?
I would appreciate it if you could direct me to some example code or give me 
some pseudo-code using the relevant methods.
Thanks.
--
Subrata

Nelson Bolyard wrote:
> Robert Relyea wrote, On 2008-03-26 18:13:
>   
>> Subrata Mazumdar wrote:
>>     
>>> Hi,
>>> is there any way I can find the certificate associated with a public key 
>>> using
>>> the SubjectPublicKeyInfo (CERTSubjectPublicKeyInfo)?
>>>
>>> I am looking for public API and not too low level.
>>> I looked in the .../nss/certdb/cert.h  and .../nss/pk11wrap/pk11pub.h  
>>> files - couldn't find anything appropriate.
>>>
>>> Also, is there any way I can find the private key using info in 
>>> SubjectPublicKeyInfo if the related private key exists in the key DB?
>>> If I can find the private key then I can use 
>>> PK11_GetCertFromPrivateKey() method to find the related cert.
>>>   
>>>       
>> Sigh, Certificates are indexed by public key (which is what's in a SPKI 
>> structure), at least not directly.
>>     
>
> I'm pretty sure that Bob meant:  ... are NOT indexed by public key ...
>
>   
>> Private Keys have a potential index (the CKA_ID value is often a hash of 
>> a unique component of the public key), but that's not guaranteed.
>>     
>
> It's true that applications that use NSS's softoken PKCS#11 module, but do
> not use the rest of NSS, might create objects whose CKA_IDs are not derived
> from the public key, but I'm pretty sure that NSS-based programs, such as
> Mozilla clients, all do derive the CKA_ID from the public key (modulus, for
> RSA).  So, if Subrata is only concerned with objects that would have been
> placed into the DB by a program using NSS, then I think he could find the
> objects by searching by CKA_ID with C_FindObjects.
>
> Assuming that's correct, what public NSS function would he use to attempt
> that search by CKA_ID?
>
>   
>> Probably the best way is to use PK11_TraverseSlotCerts and compare the 
>> cert's SPKI with your SPKI. Not really the best way if you need to do 
>> this a lot.
>>     
>
> That's the best way when searching through tokens on which objects may
> have been created by non-NSS software.
>
>   
>> You could also use PK11_ListCerts, looking for just the user certs, 
>> which should give you a smaller list than PK11_TraverseSlotCerts.
>>     
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
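
The traverse-and-compare approach discussed in the quoted replies comes down to checking each certificate's SubjectPublicKeyInfo against the one in hand. The following stand-alone C example is an added illustration, not code from this thread and not NSS's API: it performs that comparison on raw DER, and `tlv_next`, `cert_has_spki` and the sample bytes are all constructed for the example.

```c
#include <stddef.h>
#include <string.h>

/* Read the DER TLV at buf[pos] (buffer ends at end); return the offset just
 * past it and set *tag and *val (value start), or return 0 if malformed. */
static size_t tlv_next(const unsigned char *buf, size_t end, size_t pos,
                       unsigned char *tag, size_t *val) {
    if (pos > end || end - pos < 2) return 0;
    *tag = buf[pos];
    size_t len = buf[pos + 1];
    pos += 2;
    if (len & 0x80) {                       /* long-form length */
        size_t n = len & 0x7f;
        if (n == 0 || n > 4 || end - pos < n) return 0;
        for (len = 0; n > 0; n--) len = (len << 8) | buf[pos++];
    }
    if (end - pos < len) return 0;          /* value would run past the buffer */
    *val = pos;
    return pos + len;
}

/* Return 1 if the certificate's subjectPublicKeyInfo is byte-identical to
 * spki (a complete DER SPKI); 0 if it differs or the certificate is malformed. */
int cert_has_spki(const unsigned char *cert, size_t n,
                  const unsigned char *spki, size_t spki_len) {
    unsigned char tag;
    size_t val, pos, end, next;
    if (!(end = tlv_next(cert, n, 0, &tag, &val)) || tag != 0x30) return 0;     /* Certificate */
    if (!(end = tlv_next(cert, end, val, &tag, &pos)) || tag != 0x30) return 0; /* TBSCertificate */
    if (!(next = tlv_next(cert, end, pos, &tag, &val))) return 0;
    if (tag == 0xa0) pos = next;            /* optional [0] version, absent in v1 */
    for (int i = 0; i < 5; i++)             /* serial, sigAlg, issuer, validity, subject */
        if (!(pos = tlv_next(cert, end, pos, &tag, &val))) return 0;
    if (!(next = tlv_next(cert, end, pos, &tag, &val)) || tag != 0x30) return 0;
    return next - pos == spki_len && memcmp(cert + pos, spki, spki_len) == 0;
}

/* Constructed sample data (not real certificates): a skeletal v3 certificate
 * with empty placeholder fields and a 2-byte key, plus two candidate SPKIs. */
static const unsigned char SAMPLE_CERT[] = {
    0x30,0x20, 0x30,0x19, 0xa0,0x03,0x02,0x01,0x02, 0x02,0x01,0x01,
    0x30,0x00, 0x30,0x00, 0x30,0x00, 0x30,0x00,
    0x30,0x07,0x30,0x00,0x03,0x03,0x00,0xaa,0xbb,   /* subjectPublicKeyInfo */
    0x30,0x00, 0x03,0x01,0x00 };
static const unsigned char SPKI_MATCH[] = {0x30,0x07,0x30,0x00,0x03,0x03,0x00,0xaa,0xbb};
static const unsigned char SPKI_OTHER[] = {0x30,0x07,0x30,0x00,0x03,0x03,0x00,0xaa,0xcc};
```

A linear scan like this costs one parse per certificate, which matches the remark in the thread that traversal is not ideal when the lookup has to be done often.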
