Got it, thanks Bob.
On debugging I found out that there was a call coming in after the generation of the pub/priv key pair to set the attribute value (CKA_ID) for the public key (it was missing from the initial object template during public key creation). I had not implemented the SetAttribute functionality for the public key object; after implementing it, things are working fine and the public key is getting deleted.
 
Thanks guys.
- Vivek
 
On 1/25/06, Bob Relyea <[EMAIL PROTECTED]> wrote:
Julien Pierre wrote:
> Vivek,
>
> Vivek Kumar wrote:
>> Hi,
>> I am currently working with a PKCS#11 library, have modified it to
>> support generation of public keys on the token.
>>
>> When I try to delete the certificate from Mozilla
>> (Options->Advanced->Manage certificates), C_DestroyObject is getting
>> called only for the certificate and the private key objects and never
>> for the public key.
>>
>> I wanted to know whether it is normal behaviour for the browser and
>> my library should go about deleting the public key?
>>
>> If yes, could someone please tell me as to what would be the ideal
>> situation to delete the public key, should I handle it during
>> deletion of the certificate object OR private key object OR not at
>> all and leave the public key as is on the token?
>>
>> Regards,
>> Vivek Kumar
>
> Mozilla/NSS creates a temporary session object for the public key from
> the content of the certificate, usually in its internal module. Thus
> it isn't aware that you have a public key object at all. Per the
> PKCS#11 spec you should leave the public key object alone in your
> token. If you are only going to use the token with mozilla, you might
> as well not create a public key object in the first place.
No, at keygen time Mozilla/NSS requests that the public key be created
as a token object, not a session object. NSS uses the public key to
determine if the certificate has the corresponding private key if the
token has the "Publically readable Certs" flag set (AKA the "Friendly"
flag).

Looking at the code, though, it certainly tries to delete the public
key. Before it starts deleting things, it makes a call:
pk11_FindPubKeyByAnyCert(). This searches the tokens for public keys
whose CKA_ID match the certificate we are deleting. (The code looks up
the certificate, uses get Attributes to find the CKA_ID value, then
looks for a public key with the same value.) If your CKA_ID value is not
correct on your public key (or on your cert), then it won't find the
public key. 'Correct' simply means the CKA_ID value is the same
value on the matching cert, private key, and public key.

> _______________________________________________
> dev-tech-crypto mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-tech-crypto

--
- Vivek
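Added example, not code from the thread or from NSS: an in-memory stand-in for a PKCS#11 token that models the lookup Bob describes (pk11_FindPubKeyByAnyCert reading the certificate's CKA_ID and searching for a public key with the same value) and the failure Vivek hit when C_SetAttributeValue was not implemented for public key objects. The Token class, the scenario() driver and the CKA_ID bytes are constructed assumptions; only the attribute, object-class and function names come from the thread and the PKCS#11 spec.

```python
# Constructed in-memory stand-in for a PKCS#11 token; not a real Cryptoki module.
CKA_CLASS, CKA_ID, CKA_TOKEN = "CKA_CLASS", "CKA_ID", "CKA_TOKEN"
CKO_CERTIFICATE, CKO_PUBLIC_KEY, CKO_PRIVATE_KEY = "cert", "pubkey", "privkey"
class Token:
    def __init__(self):
        self.objects = {}      # handle -> attribute dict
        self.next_handle = 1
    def create_object(self, template):         # C_CreateObject / keygen output
        h, self.next_handle = self.next_handle, self.next_handle + 1
        self.objects[h] = dict(template)
        return h
    def find_objects(self, template):          # C_FindObjects: every attr must match
        return [h for h, a in self.objects.items()
                if all(a.get(k) == v for k, v in template.items())]
    def get_attribute_value(self, h, attr):    # C_GetAttributeValue
        return self.objects[h].get(attr)
    def set_attribute_value(self, h, attr, value):  # C_SetAttributeValue
        self.objects[h][attr] = value
    def destroy_object(self, h):               # C_DestroyObject
        del self.objects[h]

def find_pub_key_by_any_cert(token, cert):
    """Model of pk11_FindPubKeyByAnyCert: read the cert's CKA_ID, then search
    for a public key carrying the same CKA_ID. Returns a handle or None."""
    cert_id = token.get_attribute_value(cert, CKA_ID)
    if cert_id is None:                        # no ID on the cert: nothing can match
        return None
    hits = token.find_objects({CKA_CLASS: CKO_PUBLIC_KEY, CKA_ID: cert_id})
    return hits[0] if hits else None

def delete_cert_and_keys(token, cert):
    """NSS's order per the thread: find the public key first, then destroy cert, private key, public key."""
    pub = find_pub_key_by_any_cert(token, cert)
    cert_id = token.get_attribute_value(cert, CKA_ID)
    privs = token.find_objects({CKA_CLASS: CKO_PRIVATE_KEY, CKA_ID: cert_id})
    for h in [cert, *privs] + ([pub] if pub is not None else []):
        token.destroy_object(h)
    return pub is not None

def scenario(pubkey_set_attribute_works):
    """Constructed run: keygen leaves CKA_ID out of the public-key template and
    NSS sets it afterwards. Returns (public key found, objects left on token)."""
    t, key_id = Token(), b"\x01\x02\x03"       # constructed CKA_ID value
    pub = t.create_object({CKA_CLASS: CKO_PUBLIC_KEY, CKA_TOKEN: True})
    t.create_object({CKA_CLASS: CKO_PRIVATE_KEY, CKA_TOKEN: True, CKA_ID: key_id})
    if pubkey_set_attribute_works:             # the call Vivek's library first lacked
        t.set_attribute_value(pub, CKA_ID, key_id)
    cert = t.create_object({CKA_CLASS: CKO_CERTIFICATE, CKA_TOKEN: True, CKA_ID: key_id})
    return delete_cert_and_keys(t, cert), len(t.objects)
```

With the SetAttribute path working, all three objects are removed; without it the public key is left orphaned on the token, which is the symptom reported at the top of the thread.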