Chris,

Chris wrote:

> When I actually sign the e-mail message is when it picks the wrong cert.
> It appears to use the first certificate that can be used for signing
> e-mail versus actually using the one I told it to use.  If I reverse the
> order that C_FindObjects returns the certificates, then Mozilla will
> switch which one it always uses.  This is just like how Netscape 4.x
> handles them except the order seems to be reversed with respect to which
> one it always uses.  It seems that Mozilla shouldn't work that way since
> it lets you pick which one to use.

When you say that you are returning certificates in C_FindObjects in a
certain order, I'm not sure why you are returning more than one. The
template that you are receiving from NSS should include a name field
with the nickname, so that your module should only return the one
certificate that matches the template fully to NSS, and therefore there
would be no ambiguity and no possibility for NSS & Mozilla to get
confused. Are you sure that you are looking at all the fields in the
template in your C_FindObjects code, or only some of them?

It might be helpful to compose your mail in Mozilla, attach to it with a
debugger, then set a breakpoint in your findobjects code, then hit the
"send" button to generate the signature. Your findobjects will get
called (probably more than once, due to the way NSS works). Try to find
the template that includes a CKA_LABEL of the nickname you configured in
Mozilla, and see how many token objects you are returning. It should
only be one, unless you have several certificates of different types
under the same nickname, but that wasn't the case you described.

-- 
"Except for the lack of debugging and the ps thing, [Linux] kernel
threads are generally fine right now. And if you're not too fussed
about the more fiddly details of POSIX threads, and your application
doesn't spend most of its time in thread creation, then LinuxThreads
is great too."

  Linux-Kernel archive
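
The matching rule discussed in the message above, as an added example that is not part of the original e-mail and is not code from NSS or from any real PKCS#11 module: a find routine that compares every attribute in the search template, so a search carrying CKA_LABEL returns exactly one certificate. The type and constant definitions are stand-ins for those in pkcs11t.h; `token_object`, `object_matches`, `find_certs` and the certificate labels are hypothetical.

```c
#include <stdio.h>
#include <string.h>
/* Minimal stand-ins for pkcs11t.h definitions so this builds on its own. */
typedef unsigned long CK_ULONG;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CKA_CLASS       0x00000000UL
#define CKA_LABEL       0x00000003UL
#define CKO_CERTIFICATE 0x00000001UL

/* Hypothetical token object: a flat attribute list. */
typedef struct { const CK_ATTRIBUTE *attrs; CK_ULONG n; } token_object;

/* An object matches only if EVERY template attribute is present with the
 * same length and bytes. An empty template matches every object. */
static int object_matches(const token_object *o, const CK_ATTRIBUTE *t, CK_ULONG tn)
{
    for (CK_ULONG i = 0; i < tn; i++) {
        int found = 0;
        for (CK_ULONG j = 0; j < o->n && !found; j++) {
            const CK_ATTRIBUTE *a = &o->attrs[j];
            found = a->type == t[i].type && a->ulValueLen == t[i].ulValueLen &&
                    (a->ulValueLen == 0 || memcmp(a->pValue, t[i].pValue, a->ulValueLen) == 0);
        }
        if (!found) return 0;   /* one unmatched attribute rejects the object */
    }
    return 1;
}

/* Constructed sample token: two signing certificates with different labels. */
static CK_ULONG cls = CKO_CERTIFICATE;
static char la[] = "signing-cert-1", lb[] = "signing-cert-2";
static CK_ATTRIBUTE ca[] = {{CKA_CLASS, &cls, sizeof cls}, {CKA_LABEL, la, sizeof la - 1}};
static CK_ATTRIBUTE cb[] = {{CKA_CLASS, &cls, sizeof cls}, {CKA_LABEL, lb, sizeof lb - 1}};
static const token_object token[] = {{ca, 2}, {cb, 2}};

/* Count objects a find would return; label == NULL searches by class only. */
static CK_ULONG find_certs(const char *label)
{
    CK_ATTRIBUTE t[2] = {{CKA_CLASS, &cls, sizeof cls}, {CKA_LABEL, (void *)label, 0}};
    CK_ULONG tn = label ? 2 : 1, hits = 0;
    if (label) t[1].ulValueLen = strlen(label);   /* labels are not NUL-terminated */
    for (CK_ULONG i = 0; i < 2; i++) hits += object_matches(&token[i], t, tn);
    return hits;
}

int main(void)
{
    printf("class only: %lu, with label: %lu\n", find_certs(NULL), find_certs(lb));
    return 0;
}
```

A module that checks only CKA_CLASS behaves like the `find_certs(NULL)` case and hands back both certificates, leaving the choice to ordering.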
