Hello,

I'm facing a new problem regarding pk12util from NSS Tools:

When I import the _first_ certificate of a user into the database with pk12util, the certificate's name in the NSS database will be:
NSS Certificate DB:<friendly_name_taken_from_p12_file>

Okay, but as soon as I import the _second_ certificate (or any further certificate), it won't be added to the DB with a distinct name. Instead, the entry that was created when importing the _first_ certificate will appear several times! :-\

Suppose user "John Doe" has two distinct certificates, one for signing and one for encryption, which have the proper friendly names added in their respective PKCS#12 files, i.e. "John Doe (sign)" and "John Doe (encrypt)".

After adding the _first_ certificate via pk12util and running "certutil.exe -L", I will get this:

NSS Certificate DB:John Doe (sign)       u,u,u

But after adding the _second_ certificate via pk12util and running "certutil.exe -L" again, I will get:

NSS Certificate DB:John Doe (sign)       u,u,u
NSS Certificate DB:John Doe (sign)       u,u,u   <-- wrong!

Expected result would be:

NSS Certificate DB:John Doe (sign)       u,u,u
NSS Certificate DB:John Doe (encrypt)    u,u,u

And yes, I have triple-checked that my PKCS#12 files really have the proper friendly names set and that I use the correct files ;-)

Is this an intended behaviour of pk12util, and if so, how can I achieve the required result? If it's *not* intended and actually a bug, should I file a bug report now?

Note: It appears that pk12util is missing the "-n" option that certutil offers, so I cannot specify the nickname explicitly... (would be sufficient for my purpose)


Of course these certificates need to have distinct names, because the "prefs.js" file uses the nickname to specify which certificate to use for signing or encryption. If they end up with the *same* name, we clearly have a problem.

Actually, it seems that when I specify the _same_ name in the "prefs.js" file for both the signing and the encryption certificate, Thunderbird still happens to pick the "correct" certificate for each action. It probably looks at the key-usage flags to find the correct certificate!?

But we also need to keep in mind that user certificates expire and "new" certificates _for the same user_ will be imported in the future. How do we ensure that we can distinguish between "old" and "new" certificates?

Best Regards,
Daniel

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
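The following script is an added reproduction harness; it is not part of Daniel's post and not NSS project code. It builds two PKCS#12 files for the same user with distinct friendlyName attributes using openssl, prints the attribute back out of each file (the "triple check" from the post), and, when pk12util and certutil are on PATH, imports both into a fresh SQLite NSS database and lists the nicknames certutil -L reports. Assumptions: OpenSSL 1.1.1 or newer (for -addext), a throwaway password "changeit" for the constructed .p12 files, and an NSS build that accepts the --empty-password and sql: conventions; the certificate subject CN=John Doe and the two key-usage sets are constructed for the example.

```shell
#!/bin/sh
# Added reproduction harness, not from the original post or from NSS.
# Builds two .p12 files with distinct friendlyNames, verifies the attribute,
# then (if NSS tools are installed) imports both and lists the DB nicknames.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
P12PASS=changeit   # constructed throwaway password, only for the test .p12 files

# make_p12 BASENAME FRIENDLY_NAME KEYUSAGE
# Self-signed cert for CN=John Doe with the given keyUsage, wrapped in a .p12
# whose friendlyName is FRIENDLY_NAME (the name pk12util is expected to use).
make_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=John Doe" \
        -addext "keyUsage=critical,$3" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
    # SHA-1/3DES PBEs and a SHA-1 MAC: every NSS release reads these, whereas
    # the AES/PBKDF2 default of OpenSSL 3 is rejected by older pk12util builds.
    openssl pkcs12 -export -in "$WORK/$1.crt" -inkey "$WORK/$1.key" -name "$2" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout "pass:$P12PASS" -out "$WORK/$1.p12"
}

# p12_friendly_name FILE: print the friendlyName bag attribute stored with the
# certificate in FILE (openssl prints it under "Bag Attributes").
p12_friendly_name() {
    openssl pkcs12 -info -in "$1" -passin "pass:$P12PASS" -nokeys 2>/dev/null \
        | sed -n 's/^[[:space:]]*friendlyName:[[:space:]]*//p' | head -n 1
}

# nss_nicknames DBDIR: nicknames from "certutil -L", one per line.
# Skips the two header lines and strips the trust-flags column (e.g. "u,u,u").
nss_nicknames() {
    certutil -L -d "sql:$1" \
        | awk 'NR > 2 && NF { sub(/[ \t]+[A-Za-z,]*$/, ""); print }'
}

# nss_tools_available: succeeds when both pk12util and certutil are on PATH.
nss_tools_available() {
    command -v pk12util >/dev/null 2>&1 && command -v certutil >/dev/null 2>&1
}

reproduce() {
    make_p12 sign    "John Doe (sign)"    digitalSignature,nonRepudiation
    make_p12 encrypt "John Doe (encrypt)" keyEncipherment
    echo "sign.p12 friendlyName:    $(p12_friendly_name "$WORK/sign.p12")"
    echo "encrypt.p12 friendlyName: $(p12_friendly_name "$WORK/encrypt.p12")"

    if ! nss_tools_available; then
        echo "pk12util/certutil not found; skipping the NSS import" >&2
        return 0
    fi
    DB="$WORK/nssdb"
    mkdir "$DB"
    certutil -N -d "sql:$DB" --empty-password
    # -W puts the PKCS#12 password on the command line, visible in the process
    # list; use -w <file> for anything but a throwaway test password.
    pk12util -i "$WORK/sign.p12"    -d "sql:$DB" -W "$P12PASS"
    pk12util -i "$WORK/encrypt.p12" -d "sql:$DB" -W "$P12PASS"
    echo "nicknames in the NSS DB:"
    nss_nicknames "$DB"
    echo "distinct nicknames: $(nss_nicknames "$DB" | sort -u | wc -l | tr -d ' ')"
}

reproduce
```

The two certificates deliberately share the subject CN=John Doe: NSS keeps one nickname per subject name, so every certificate with the same subject DN is listed under the nickname of the first one imported, regardless of the friendlyName in the later .p12 files. Running the script against an NSS installation therefore shows two entries and one distinct nickname, which is the listing from the post; giving the certificates different subject names (or rotating to a new subject for a renewed certificate) is what lets the friendlyName survive the import.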