Julien Pierre wrote:
Vivek,

Vivek Kumar wrote:
Hi,
I am currently working with a PKCS#11 library, which I have modified to support generation of public keys on the token. When I try to delete the certificate from Mozilla (Options->Advanced->Manage certificates), C_DestroyObject is getting called only for the certificate and the private key objects and never for the public key. I wanted to know whether it is normal behaviour for the browser and my library should go about deleting the public key? If yes, could someone please tell me what would be the ideal situation to delete the public key: should I handle it during deletion of the certificate object OR the private key object OR not at all and leave the public key as is on the token?

Regards,
Vivek Kumar

Mozilla/NSS creates a temporary session object for the public key from the content of the certificate, usually in its internal module. Thus it isn't aware that you have a public key object at all. Per the PKCS#11 spec you should leave the public key object alone in your token. If you are only going to use the token with mozilla, you might as well not create a public key object in the first place.
No, at keygen time Mozilla/NSS requests that the public key be created as a token object, not a session object. NSS uses the public key to determine if the certificate has the corresponding private key if the token has the "Publically readable Certs" flag set (AKA the "Friendly" flag).

Looking at the code, though, it certainly tries to delete the public key. Before it starts deleting things, it makes a call: pk11_FindPubKeyByAnyCert(). This searches the tokens for public keys whose CKA_ID matches the certificate we are deleting (the code looks up the certificate, uses get Attributes to find the CKA_ID value, then looks for a public key with the same value). If your CKA_ID value is not correct on your public key (or on your cert), then it won't find the public key. 'Correct' simply means the CKA_ID value is the same value on the matching cert, private key, and public key.
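
The CKA_ID lookup described above, modelled as an added example over an in-memory inventory of token objects rather than a live PKCS#11 session (this is not NSS or any token's code; the object inventory, the `TokenObject` type and the audit function are constructed for illustration):

```python
"""Model of the CKA_ID lookup NSS performs before deleting a certificate's keys."""
from dataclasses import dataclass

# PKCS#11 object class values (CKO_*) from the PKCS#11 specification.
CKO_CERTIFICATE = 0x1
CKO_PUBLIC_KEY = 0x2
CKO_PRIVATE_KEY = 0x3


@dataclass(frozen=True)
class TokenObject:
    handle: int
    cls: int
    label: str
    cka_id: bytes  # CKA_ID attribute; must be identical on cert, private key and public key


def find_by_id(objects, cls, cka_id):
    """Stand-in for C_FindObjects with template {CKA_CLASS: cls, CKA_ID: cka_id}."""
    return [o for o in objects if o.cls == cls and o.cka_id == cka_id]


def keys_for_cert(objects, cert_handle):
    """Mirror the pk11_FindPubKeyByAnyCert() flow: read the certificate's CKA_ID
    (as C_GetAttributeValue would), then search for keys carrying the same CKA_ID."""
    cert = next(o for o in objects if o.handle == cert_handle and o.cls == CKO_CERTIFICATE)
    return {
        "cert": cert,
        "public": find_by_id(objects, CKO_PUBLIC_KEY, cert.cka_id),
        "private": find_by_id(objects, CKO_PRIVATE_KEY, cert.cka_id),
    }


def audit_cka_ids(objects):
    """Report certificates whose public or private key the CKA_ID lookup cannot
    find; such keys would be left behind when the certificate is deleted."""
    problems = {}
    for cert in (o for o in objects if o.cls == CKO_CERTIFICATE):
        found = keys_for_cert(objects, cert.handle)
        missing = [k for k in ("public", "private") if not found[k]]
        if missing:
            problems[cert.label] = missing
    return problems


# Constructed sample inventory (not dumped from a real token).
SAMPLE_TOKEN = [
    TokenObject(1, CKO_CERTIFICATE, "good-cert", b"\x01\x02"),
    TokenObject(2, CKO_PRIVATE_KEY, "good-key", b"\x01\x02"),
    TokenObject(3, CKO_PUBLIC_KEY, "good-pub", b"\x01\x02"),
    TokenObject(4, CKO_CERTIFICATE, "orphan-cert", b"\xaa\xbb"),
    TokenObject(5, CKO_PRIVATE_KEY, "orphan-key", b"\xaa\xbb"),
    # Public key stored with a CKA_ID that differs from its certificate: never found.
    TokenObject(6, CKO_PUBLIC_KEY, "orphan-pub", b"\xaa\xbc"),
]

if __name__ == "__main__":
    print(audit_cka_ids(SAMPLE_TOKEN))  # {'orphan-cert': ['public']}
```

Running the audit against a dump of your token's objects shows which certificates have a public key that the browser's lookup will never reach.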

_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto