Nelson B. Bolyard wrote:
> Patrick wrote:
>
>>My NSS app was able to read a cert off a smartcard but *failed* to use
>>it for SSL client authentication. I have used a couple of different
>>PKCS#11 libraries with NSS, and the error message I get back are:
>>"key not authorized for requested operation",
>>
>
> I don't recognize that error message. It's not one of the NSS library's
> error messages, as far as I can tell. I suspect you saw this message:
>
> "The key does not support the requested operation."
>
> That's SEC_ERROR_INVALID_KEY. This error means that we attempted some
> operation with a key (often a private key), and got an error. There
> are many places in NSS where this error code is set. However, in the
> context of signing, the two most likely candidates are:
>
> 1. When NSS asked the PKCS#11 module for the length of the modulus of
> the private key (which is how NSS determines the length of a signature
> made with that private key), the module returned an error rather than
> the length.

This is the most likely change between Communicator and current versions of NSS. From our discussions, I suspect that this is what is wrong with the old Active Card drivers (Communicator wouldn't fail in these cases, but continue assuming a maximum RSA modulus size, since it had a hard limit to the RSA modulus anyway. Modern versions of NSS (including NSS 2.x) no longer have that limit, so that failure is much more fatal).

I know that we are running the latest versions of the Active card drivers with NSS 3.3 here.

bob
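
The failure mode discussed in this message, as an added example that is not part of the original post and is not NSS or driver code: a mock token either answers or rejects the modulus-length query, and a strict caller is compared with a legacy caller that falls back to a fixed cap. The `mock_key` type, both sample keys, the function names and the 256-byte cap are assumptions made for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Return codes with the values the PKCS#11 specification assigns them. */
#define CKR_OK                     0x00UL
#define CKR_ATTRIBUTE_TYPE_INVALID 0x12UL
/* Assumed cap for illustration; the thread does not state the real limit. */
#define LEGACY_MAX_MODULUS_BYTES   256

/* Constructed token model: a private key that may refuse the length query. */
typedef struct {
    const char *label;
    size_t modulus_len;     /* bytes */
    int answers_length;     /* 0 models a driver that errors on the query */
} mock_key;

static const mock_key GOOD_KEY   = { "card A (constructed)", 128, 1 };
static const mock_key BROKEN_KEY = { "card B (constructed)", 128, 0 };

/* Models asking the module only for the modulus length. */
static unsigned long mock_modulus_len(const mock_key *k, size_t *len) {
    if (!k->answers_length) {
        *len = (size_t)-1;
        return CKR_ATTRIBUTE_TYPE_INVALID;
    }
    *len = k->modulus_len;
    return CKR_OK;
}

/* Strict caller: a module error means the signature cannot be sized. */
long sig_len_strict(const mock_key *k) {
    size_t len;
    return mock_modulus_len(k, &len) == CKR_OK ? (long)len : -1;
}

/* Legacy caller: on error, fall back to the fixed cap as an upper bound. */
long sig_len_legacy(const mock_key *k) {
    size_t len;
    return mock_modulus_len(k, &len) == CKR_OK ? (long)len
                                               : LEGACY_MAX_MODULUS_BYTES;
}

int main(void) {
    const mock_key *keys[] = { &GOOD_KEY, &BROKEN_KEY };
    for (int i = 0; i < 2; i++)
        printf("%-22s strict=%ld legacy=%ld\n", keys[i]->label,
               sig_len_strict(keys[i]), sig_len_legacy(keys[i]));
    return 0;
}
```

With the same card, the legacy caller proceeds with an oversized length while the strict caller reports failure, which is the point at which an application would see the key rejected for signing.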
