Ulf Leichsenring wrote:
I understand your real concern is the ability to import the above two
certs (and their private keys) into another module, other than softoken.
I suggest you test that.  To do so, you need to add another command
line argument to the pk12util lines above, the option "-h tokenname"
where tokenname is the name of a token using your module, as reported
by NSS's modutil program.

I'm pretty sure Ulf is correct.

The nickname aliasing happens within the cert library. When the new cert is imported, NSS discards the nickname if there is already an existing nickname for the cert. NSS maps nickname to Label in PKCS #11.

This was a semantic added long ago when the idea was that the nickname identified a user (that is subject). NSS would automatically pick the correct cert associated with that subject. This code is in the high level certificate code.

This has led to some confusion in the following cases:
1) The user has multiple certs with the same subject, but some certs map to different roles (evil IMHO).
2) NSS picks the wrong cert (picks a non-repudiation cert rather than an auth cert).
3) The user "knows" about certs and is confused when he can pick his signing versus authentication cert.
4) NSS's actions affect applications that don't do this mapping and automatic selection. (This is the case here, where our single nickname view gets reflected in imports into PKCS #11 modules.)

I think resolving this will take some thought so we don't break existing applications (perhaps adding a new friendly name parallel with our nickname which can be different even if the subject is the same).

bob



Hi Nelson

Thanks for your help. Now I did the following:

-----------snip------------------------

# Create new Certstore for testing
certutil -N -d .

# Add Siemens PKCS#11 module
modutil -add Siemens -libfile /usr/local/lib/libsiecap11.so -dbdir .

# List all modules
certutil -U -d .

     slot: NSS User Private Key and Certificate Services
    token: NSS Certificate DB

     slot: NSS Internal Cryptographic Services
    token: NSS Generic Crypto Services

     slot: OMNIKEY CardMan 4040 Socket 0 00 00
    token: Testcard


# add Certificates to Testcard via Siemens module
pk12util -i Ulf\ Leichsenring-AUT-cert.p12 -d . -h Testcard
Enter Password or Pin for "Testcard":
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL

pk12util -i Ulf\ Leichsenring-ENC-cert.p12 -d . -h Testcard
Enter Password or Pin for "Testcard":
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL

# List all imported certificates on Testcard
certutil -L -d . -h Testcard
Enter Password or Pin for "Testcard":
Testcard:Ulf Leichsenring (AUT)                              u,u,u
Testcard:Ulf Leichsenring (AUT)                              u,u,u


# compare with the friendlyName inside the PKCS#12 container

# the AUT certificate
openssl pkcs12 -info -in Ulf\ Leichsenring-AUT-cert.p12 -nokeys
Enter Import Password:
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
     localKeyID: 5A 6B 20 F9 71 6F 38 CD FE A9 EB 91 04 34 E5 D5 F3 F0 6A 16
     friendlyName: Ulf Leichsenring (AUT)
subject=/C=DE/O=Testcompany/CN=Ulf Leichsenring
issuer=/C=DE/O=Testcompany/CN=Testcompany AUT CA

# the ENC certificate
openssl pkcs12 -info -in Ulf\ Leichsenring-ENC-cert.p12 -nokeys
Enter Import Password:
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
     localKeyID: 45 0A A6 DB 00 FA E2 7F 09 B4 C6 4A F1 CC 8F 7F 0F 69 E4 5D
     friendlyName: Ulf Leichsenring (ENC)
subject=/C=DE/O=Testcompany/CN=Ulf Leichsenring
issuer=/C=DE/O=Testcompany/CN=Testcompany ENC CA

-----------snip------------------------

Even if I import the two PKCS#12 files to the token, the CKA_LABEL is set wrong. Both keys/certificates have it set to "... (AUT)" because this was the first imported certificate.


Best regards
Ulf
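A check for the label collapse Ulf shows above, added here as an example and not part of the thread or of NSS: it parses `openssl pkcs12 -info -nokeys` and `certutil -L -d . -h <token>` output and reports friendlyNames that never made it onto the token as well as labels that occur more than once. The sample strings are the transcript values; the function names and sed patterns are my own, and the token name is assumed to contain no sed metacharacters.

```shell
#!/bin/sh
# Added example, not from the thread. Compares the friendlyName attributes in
# PKCS#12 files against the nicknames NSS assigned on a token after
# `pk12util -i file.p12 -d . -h <token>`. Duplicate labels, or friendlyNames
# that never appear, are the nickname-aliasing symptom described above.
# Assumes the token name contains no sed metacharacters.

# friendlyName values from `openssl pkcs12 -info -nokeys` output on stdin.
p12_friendly_names() {
    sed -n 's/^[[:space:]]*friendlyName:[[:space:]]*//p'
}

# Nicknames from `certutil -L -d <dir> -h <token>` output on stdin, with the
# "<token>:" prefix and the trailing trust flags (e.g. "u,u,u") removed.
token_labels() {
    sed -n "s/^$1:\(.*[^[:space:]]\)[[:space:]]\{2,\}[^[:space:]]*\$/\1/p"
}

# Names in $1 (one per line) that do not appear verbatim in $2 (one per line).
missing_labels() {
    printf '%s\n' "$1" | while IFS= read -r name; do
        printf '%s\n' "$2" | grep -Fqx -- "$name" || printf '%s\n' "$name"
    done
}

# Labels that occur more than once on the token (the "both got (AUT)" case).
duplicate_labels() {
    printf '%s\n' "$1" | sort | uniq -d
}

# Live check: token name, NSS db dir, then the .p12 files that were imported.
check_token_labels() {
    tok=$1; dir=$2; shift 2
    expected=$(for f in "$@"; do
        openssl pkcs12 -info -nokeys -in "$f" | p12_friendly_names
    done)
    actual=$(certutil -L -d "$dir" -h "$tok" | token_labels "$tok")
    echo "missing on $tok:";    missing_labels "$expected" "$actual"
    echo "duplicated on $tok:"; duplicate_labels "$actual"
}

# Constructed sample outputs, copied from the transcript in the thread.
SAMPLE_CERTUTIL='Testcard:Ulf Leichsenring (AUT)                              u,u,u
Testcard:Ulf Leichsenring (AUT)                              u,u,u'
SAMPLE_P12_NAMES='Ulf Leichsenring (AUT)
Ulf Leichsenring (ENC)'
```

Against a real token the call would be `check_token_labels Testcard . Ulf\ Leichsenring-AUT-cert.p12 Ulf\ Leichsenring-ENC-cert.p12`; on the transcript data it reports "(ENC)" as missing and "(AUT)" as duplicated.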




_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto