Re: Selecting which cert to sign with doesn't work
Michael Ströder wrote:
> Robert Relyea wrote:
>> Because the issuer is not part of the subject's identity. If the cert has the same subject and different issuers it is still considered a cert for the same entity. This is how cross certification works. (The CA cert has the same subject, but may have different issuers).
> As I understand it this thread is mainly about how to distinguish between two certs, not about identity (whatever identity means).

That's what we are talking about. The case where you are supplying a nickname which maps to identity, not to a specific cert.

bob

> Ciao, Michael.
Re: Selecting which cert to sign with doesn't work
Because the issuer is not part of the subject's identity. If the cert has the same subject and different issuers it is still considered a cert for the same entity. This is how cross certification works. (The CA cert has the same subject, but may have different issuers).

bob

Michael Ströder wrote:
> Robert Relyea wrote:
>> If you need to distinguish between two certs, you should have different subjects for those certs. This is because a given user will eventually have many certs for their personality -- one for encryption (which may be escrowed), one for authentication, and one for signing
> I wonder why the issuer DN is not also considered to distinguish different certs.
>
> Ciao, Michael.
Re: Selecting which cert to sign with doesn't work
Robert Relyea wrote:
> If you need to distinguish between two certs, you should have different subjects for those certs. This is because a given user will eventually have many certs for their personality -- one for encryption (which may be escrowed), one for authentication, and one for signing

I wonder why the issuer DN is not also considered to distinguish different certs.

Ciao, Michael.
Re: Selecting which cert to sign with doesn't work
Hi Chris,

The answer is that the UI for picking one cert for signing and one cert for encryption is a slight lie. When Mozilla goes and grabs the cert it calls a function FindCertByUsage() which returns the appropriate certificate among several with the same subject. All certs with the same subject should be attached to the same personality, so if two different certs are appropriate, then it shouldn't matter which is chosen (NSS will choose the 'most up to date' of the two).

If you need to distinguish between two certs, you should have different subjects for those certs. This is because a given user will eventually have many certs for their personality -- one for encryption (which may be escrowed), one for authentication, and one for signing, plus old expired versions of these certs as the user renews them. You don't want to reselect these certs every time. You don't want to be changing your cert selection every time you renew.

Initially there was only one selection box for your cert, and the use of encryption versus signing was completely handled in NSS. That underlying code still exists, which I think the original UI designer did not realize. (The UI does allow you to select an encryption cert that has a different personality than your signing cert, which may be useful in some exceptional cases, but in general I think, for the most part, it leaves a misleading impression on the user.)

bob

Chris wrote:
> I'm working with my smartcard PKCS #11 module and I have 2 certificates available that can be used for signing messages. Both certs are tied to the same e-mail address and have the same subject. Mozilla lets me pick which one I want to use for signing e-mail (Account Settings-Security) but it only seems to use one of them when it actually performs the signing of the message. No matter which one I pick in the dropdown, it always uses the same one.
>
> This seems like a bug in Mozilla but I wouldn't rule out the possibility of the problem being on my end if there is something special Mozilla requires to be able to pick a particular certificate when it performs the signature operation. Any thoughts?
>
> --
> // Chris
Re: Selecting which cert to sign with doesn't work
Chris,

Chris wrote:
> Sure, I can take a look when I get a chance. If you have some pointers of where to look first that might be helpful. I don't know when I'll get around to doing this though. I'm currently using Mozilla RC3 on Debian Linux and Win32. Debian version is the Debian packaged version 1.0rc3-2. Win32 version is the 5-23-2002 build. I'm also testing with RC2 on Sparc Solaris, although I would rather not debug there.

The build instructions for NSS 3.3 are at http://www.mozilla.org/projects/security/pki/nss/buildnss_33.html . RC3 was using NSS 3.4, and today NSS 3.5 should be going into the mozilla 1.0 branch. The NSS 3.5 branch is NSS_3_5_BRANCH, which is what you want to use when pulling from cvs. Specifically, when building 3.5 I pull as follows:

cvs co mozilla/nsprpub
cvs co -r NSS_3_5_BRANCH mozilla/security/coreconf mozilla/security/nss
cvs co -r DBM_1_61_RTM mozilla/dbm mozilla/security/dbm

Then I build like this:

setenv NSPR_AUTOCONF 1
cd mozilla/security/nss
gmake nss_build_all

As far as your debugging platform, I would recommend you avoid Linux due to the lack of support for threads in the debugger. Both Win32 and Solaris have good debuggers. In any case, the code is the same across platforms.

--
Except for the lack of debugging and the ps thing, [Linux] kernel threads are generally fine right now. And if you're not too fussed about the more fiddly details of POSIX threads, and your application doesn't spend most of its time in thread creation, then LinuxThreads is great too.
Linux-Kernel archive
Re: Selecting which cert to sign with doesn't work
Chris,

Chris wrote:
> When Mozilla initially starts it does a C_FindObjects (with a max count of 16 or so) for all certificates on the token. I return both certificates at this point because the only search attribute is CKA_CLASS == CKO_CERTIFICATE, no other search attributes are present (the P11 module always searches on all supplied attributes). Mozilla then continues on and gets various attributes of the certificates (CKA_LABEL, CKA_ID, CKA_SUBJECT, CKA_VALUE, etc.). I can see in my logs all the IDs and labels, each cert has unique CKA_IDs and CKA_LABELs and Mozilla retrieves the appropriate attributes from each one.
>
> Later when Mozilla actually goes to sign a message, it does one FindObjects looking for a CKA_CLASS of CKO_PRIVATE_KEY with a specific CKA_ID. This matches the one private key for the certificate it has determined it should use. It seems to have already chosen which cert to use based on the information gathered above. It then calls C_Sign using that specific key that matches one and only one specific cert. Which key/cert pair it uses depends on the order in which I returned the certificates in that very first C_FindObjects that listed all available certs. Changing the e-mail signing cert in Account Settings-Security appears to have no effect whatsoever on which key/cert pair it tries to use.
>
> I can post very detailed logs on the calls into the P11 module if you think that would be helpful.

The calls you describe seem like an effect of our cert cache, which code I'm still unfamiliar with. Before you send me your PKCS#11 logs, can you extract your conflicting certs and keys from the smartcard, or generate new PKCS#12 files of those certs with identical subjects but different other properties? If so, can you try importing them into softoken (internal certificate database) and see if the same problem exists with that module? If yes, it is definitely a bug in either NSS or mozilla.

If you can reproduce the problem that way, please open a bugzilla bug against PSM. Please make sure to cc me ([EMAIL PROTECTED]) and attach the PKCS#12 files, and I will investigate. If the problem occurs only in your module but not with softoken, the PKCS#12 files might still be helpful for me. I could try them with another vendor's smartcard.
Re: Selecting which cert to sign with doesn't work
Chris,

Chris wrote:
> When I actually sign the e-mail message is when it picks the wrong cert. It appears to use the first certificate that can be used for signing e-mail versus actually using the one I told it to use. If I reverse the order that C_FindObjects returns the certificates, then Mozilla will switch which one it always uses. This is just like how Netscape 4.x handles them except the order seems to be reversed with respect to which one it always uses. It seems that Mozilla shouldn't work that way since it lets you pick which one to use.

When you say that you are returning certificates in C_FindObjects in a certain order, I'm not sure why you are returning more than one. The template that you are receiving from NSS should include a name field with the nickname, so that your module should only return the one certificate that matches the template fully to NSS, and therefore there would be no ambiguity and no possibility for NSS/Mozilla to get confused. Are you sure that you are looking at all the fields in the template in your C_FindObjects code, or only some of them?

It might be helpful to compose your mail in mozilla, attach to it with a debugger, then set a breakpoint in your findobjects code, then hit the send button to generate the signature. Your findobjects will get called (probably more than once, due to the way NSS works). Try to find the template that includes a CKA_LABEL of the nickname you configured in mozilla, and see how many token objects you are returning. It should only be one, unless you have several certificates of different types under the same nickname, but that wasn't the case you described.
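The template matching asked about above, and the startup enumeration by CKA_CLASS alone that the earlier reply describes, as an added example that is not code from this thread or from NSS/Mozilla: a constructed toy token holding two certs with the same subject but different nicknames and CKA_IDs, a C_FindObjects stand-in that honours every attribute in the template, and the buggy class-only variant beside it. The CK_ATTRIBUTE/TokenObject types are simplified stand-ins for the pkcs11.h definitions, and the function names, sample objects and nicknames are assumptions.

```c
#include <stddef.h>
#include <string.h>
typedef unsigned long CK_ULONG;
typedef struct { CK_ULONG type; const void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
enum { CKA_CLASS = 0x000, CKA_LABEL = 0x003, CKA_SUBJECT = 0x101, CKA_ID = 0x102,
       CKO_CERTIFICATE = 1, CKO_PRIVATE_KEY = 3 };   /* codes as in pkcs11.h */
typedef struct { const CK_ATTRIBUTE *attrs; size_t n; } TokenObject;   /* simplified stand-in */
static const CK_ULONG cls_cert = CKO_CERTIFICATE, cls_key = CKO_PRIVATE_KEY;
/* Constructed token: two certs with the SAME subject, distinct CKA_LABEL/CKA_ID, and their keys. */
static const CK_ATTRIBUTE cert1[] = {{CKA_CLASS, &cls_cert, sizeof cls_cert},
    {CKA_LABEL, "Chris Sign 2001", 15}, {CKA_SUBJECT, "CN=Chris", 8}, {CKA_ID, "\x01", 1}};
static const CK_ATTRIBUTE cert2[] = {{CKA_CLASS, &cls_cert, sizeof cls_cert},
    {CKA_LABEL, "Chris Sign 2002", 15}, {CKA_SUBJECT, "CN=Chris", 8}, {CKA_ID, "\x02", 1}};
static const CK_ATTRIBUTE key1[] = {{CKA_CLASS, &cls_key, sizeof cls_key}, {CKA_ID, "\x01", 1}};
static const CK_ATTRIBUTE key2[] = {{CKA_CLASS, &cls_key, sizeof cls_key}, {CKA_ID, "\x02", 1}};
static const TokenObject token[] = {{cert1, 4}, {cert2, 4}, {key1, 2}, {key2, 2}};
#define NOBJ (sizeof token / sizeof token[0])
/* Correct matching: EVERY template attribute must be present with identical length and bytes. */
static int matches_all(const TokenObject *o, const CK_ATTRIBUTE *t, size_t nt) {
    for (size_t i = 0; i < nt; i++) {
        int found = 0;
        for (size_t j = 0; j < o->n && !found; j++)
            found = o->attrs[j].type == t[i].type && o->attrs[j].ulValueLen == t[i].ulValueLen
                    && memcmp(o->attrs[j].pValue, t[i].pValue, t[i].ulValueLen) == 0;
        if (!found) return 0;
    }
    return 1;
}
/* Buggy matching (the failure mode discussed above): only CKA_CLASS is honoured. */
static int matches_class_only(const TokenObject *o, const CK_ATTRIBUTE *t, size_t nt) {
    for (size_t i = 0; i < nt; i++)
        if (t[i].type == CKA_CLASS) return matches_all(o, &t[i], 1);
    return 1;
}
/* Stand-in for C_FindObjects: object handles are indices into token[]. */
static size_t find_objects(int (*match)(const TokenObject *, const CK_ATTRIBUTE *, size_t),
                           const CK_ATTRIBUTE *t, size_t nt, size_t *out, size_t max) {
    size_t n = 0;
    for (size_t h = 0; h < NOBJ && n < max; h++)
        if (match(&token[h], t, nt)) out[n++] = h;
    return n;
}
/* Class-only search (startup enumeration) or class + nickname (signing lookup); returns match count. */
static size_t lookup_cert(int honour_all_attrs, const char *nickname) {
    CK_ATTRIBUTE t[2] = {{CKA_CLASS, &cls_cert, sizeof cls_cert},
                         {CKA_LABEL, nickname, nickname ? strlen(nickname) : 0}};
    size_t out[NOBJ];
    return find_objects(honour_all_attrs ? matches_all : matches_class_only,
                        t, nickname ? 2 : 1, out, NOBJ);
}
```

With the class-only template both certs come back and the caller is left with enumeration order; with the nickname in the template the correct matcher returns exactly one object, while the class-only matcher still returns two.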
Re: Selecting which cert to sign with doesn't work
Chris,

Chris wrote:
> I'm working with my smartcard PKCS #11 module and I have 2 certificates available that can be used for signing messages. Both certs are tied to the same e-mail address and have the same subject.

How do the certs exactly differ? By issuer, date, or other? This may be helpful in determining the cause of the problem.

> Mozilla lets me pick which one I want to use for signing e-mail (Account Settings-Security) but it only seems to use one of them when it actually performs the signing of the message. No matter which one I pick in the dropdown, it always uses the same one.

I assume each of these signing certs has a different nickname, and that's how you are able to select them in the account/settings/security, is that correct?

When you say that it always uses the same one, do you mean that the same cert nickname always appears in the security dialog regardless of which one you selected in the drop-down, or is it at the time that you actually sign the e-mail message that the wrong signing cert is getting used? If the former, you may be able to work around it by editing the preferences file and setting the cert nickname manually (eg. yoursmartcard:yournickname). If the latter, there is probably no workaround and you should open a defect. The component would be PSM. Please cc me on that defect.