On 06/12/13 13:07, firef...@gmail.com wrote:
> Hi,
>
> I have a couple of questions concerning certificate handling in Firefox and
> PKCS#11.
>
> When Firefox receives an X.509 cert during HTTPS establishment, the certificate
> (chain) is validated by NSS, right?! Is this done via PKCS#11 or are Firefox
> and NSS communicating via another interface?
>
> I can't find an appropriate PKCS#11 function, accepting a certificate chain.

PKCS#11 doesn't work at that level. PKCS#11 tokens can store
certificates, but the PKCS#11 API doesn't interpret them in
any way. Operations like extracting a public key from a certificate,
or validation, are done outside PKCS#11 apart from signature
verification.

(You could, perhaps, build a PKCS#11 module that recognized when the
data passed to a C_Verify call happened to be a certificate and do
something other than just verify the signature, but that would be truly
horrible.)

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
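
The division of labour described in the reply, as an added example (not code from the thread or from NSS): the application parses the certificate itself and can hand a token only the signed bytes and the signature, which is all C_Verify accepts. The names `der_read`, `split_certificate` and `verify_input` are hypothetical, and the sample bytes are constructed, not a real certificate.

```c
#include <stddef.h>
#include <stdint.h>

/* One DER TLV: tag, pointer to the value, value length, total encoded length. */
struct tlv { uint8_t tag; const uint8_t *val; size_t len, total; };

/* Parse one definite-length DER TLV from buf[0..n). Returns 0 on success. */
static int der_read(const uint8_t *buf, size_t n, struct tlv *out) {
    if (n < 2) return -1;
    size_t hdr = 2, len = buf[1];
    if (len & 0x80) {                       /* long form: next k bytes hold the length */
        size_t k = len & 0x7f;
        if (k == 0 || k > 4 || n < 2 + k) return -1;   /* reject indefinite length */
        len = 0;
        for (size_t i = 0; i < k; i++) len = (len << 8) | buf[2 + i];
        hdr += k;
    }
    if (len > n - hdr) return -1;           /* value must fit inside the buffer */
    out->tag = buf[0]; out->val = buf + hdr; out->len = len; out->total = hdr + len;
    return 0;
}

/* The two byte strings C_Verify takes (pData/ulDataLen, pSignature/ulSignatureLen). */
struct verify_input { const uint8_t *data; size_t data_len; const uint8_t *sig; size_t sig_len; };

/* Split Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
 * This parsing happens in the application; the token never sees certificate structure. */
int split_certificate(const uint8_t *der, size_t n, struct verify_input *out) {
    struct tlv cert, tbs, alg, sig;
    if (der_read(der, n, &cert) || cert.tag != 0x30 || cert.total != n) return -1;
    if (der_read(cert.val, cert.len, &tbs) || tbs.tag != 0x30) return -1;
    const uint8_t *p = cert.val + tbs.total; size_t left = cert.len - tbs.total;
    if (der_read(p, left, &alg) || alg.tag != 0x30) return -1;
    p += alg.total; left -= alg.total;
    if (der_read(p, left, &sig) || sig.tag != 0x03 || sig.total != left) return -1;
    if (sig.len < 1 || sig.val[0] != 0) return -1;   /* BIT STRING with 0 unused bits */
    out->data = cert.val; out->data_len = tbs.total; /* signed bytes: the whole TBS TLV */
    out->sig = sig.val + 1; out->sig_len = sig.len - 1;
    return 0;
}

/* Constructed sample: placeholder TBS, algorithm and 3-byte "signature". */
static const uint8_t SAMPLE[] = { 0x30, 0x0f, 0x30, 0x03, 0x02, 0x01, 0x02,
    0x30, 0x02, 0x05, 0x00, 0x03, 0x04, 0x00, 0xaa, 0xbb, 0xcc };

int main(void) {
    struct verify_input in;
    return split_certificate(SAMPLE, sizeof SAMPLE, &in);
}
```

Everything else in validation (chain building, name and validity checks, choosing the issuer's public key and the mechanism for C_VerifyInit) likewise stays on the application side of the PKCS#11 boundary.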
