I am trying to get a new (for me) hardware token to work with the nss lib on Linux. This is an ECA token (external certificate authority) specified by the U.S. Government. Apparently there are specifications for certificate common name naming conventions which require the inclusion of a colon in the common name.
As has been reported in other places on this group, there is an issue with proper functioning of the find_certs_from_nickname/PK11_FindCertFromNickname functions when the token name includes a colon. The opensc cac driver sets the token name to the common name of the first cert it finds. Thus my problem.

So, my question is, is there any sort of solution for me? It appears that I can't ask for a different common name naming convention. I wouldn't think this is a bug in the opensc cac code, as the common name for a token name seems reasonable. I understand that this is a working/well established api, and that there appears to be some developer standard; however, this seems to me like a set of tokens that are not going to work, unless a workaround is created.

I have been able to get my certs to be recognized by either a) altering the opensc cac code to strip the colon from the token name it returns, OR by altering find_certs_from_nickname so that it splits token and nickname by searching for the last colon, instead of the first. However, I assume this would break any combination where the nickname itself had a colon in it. I am not familiar enough with all the use cases. Is this a likely/or even unlikely scenario?

I would prefer not to have to bake my own nsslib/opensc lib, so any chance this is something worth trying to fix?

Thanks for your time

Bill

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
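The ambiguity described in the message above, as an added example that is not NSS or OpenSC code and not part of the original post: it compares splitting a `token:nickname` string at the first colon, at the last colon, and by matching the prefix against the names of tokens that are present. All function names, token names and nicknames here are constructed for illustration, and the third strategy is an assumption about one possible approach, not NSS behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Constructed inputs: a token whose name contains a colon, and a nickname that contains one. */
static const char COLON_IN_TOKEN[] = "Example User:1234:signing cert";
static const char COLON_IN_NICK[]  = "NSS Certificate DB:web:prod";
/* Constructed list standing in for the names of the tokens currently present. */
static const char *const KNOWN_TOKENS[] = { "NSS Certificate DB", "Example User:1234" };

/* Split at the first colon. Returns the token-name length, or -1 if there is no colon. */
static int split_first(const char *s) {
    const char *c = strchr(s, ':');
    return c ? (int)(c - s) : -1;
}

/* Split at the last colon (the workaround tried in the post). */
static int split_last(const char *s) {
    const char *c = strrchr(s, ':');
    return c ? (int)(c - s) : -1;
}

/* Split where the prefix equals a known token name followed by ':'.
 * The longest matching token name wins; returns -1 if none matches. */
static int split_known(const char *s, const char *const *tokens, size_t n) {
    int best = -1;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(tokens[i]);
        if (strncmp(s, tokens[i], len) == 0 && s[len] == ':' && (int)len > best)
            best = (int)len;
    }
    return best;
}

static void show(const char *s) {
    int f = split_first(s), l = split_last(s), k = split_known(s, KNOWN_TOKENS, 2);
    printf("%s\n  first: token=\"%.*s\"\n  last:  token=\"%.*s\"\n  known: token=\"%.*s\"\n",
           s, f, s, l, s, k, s);
}

int main(void) {
    show(COLON_IN_TOKEN);  /* first-colon split truncates the token name */
    show(COLON_IN_NICK);   /* last-colon split swallows part of the nickname */
    return 0;
}
```

Neither fixed split position handles both inputs; only the lookup against the actual token names does, and it still cannot disambiguate if one token is named `A` and its certificate nickname begins with the remainder of another token's name `A:B`.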