Chris,

Chris wrote:
> When Mozilla initially starts it does a C_FindObjects (with a max
> count of 16 or so) for all certificates on the token. I return both
> certificates at this point because the only search attribute is
> CKA_CLASS == CKO_CERTIFICATE, no other search attributes are present
> (the P11 module always searches on all supplied attributes). Mozilla
> then continues on and gets various attributes of the certificates
> (CKA_LABEL, CKA_ID, CKA_SUBJECT, CKA_VALUE, etc.).
>
> I can see in my logs all the IDs and labels, each cert has unique
> CKA_IDs and CKA_LABELs and Mozilla retrieves the appropriate
> attributes from each one.
>
> Later when Mozilla actually goes to sign a message, it does one
> FindObjects looking for a CKA_CLASS of CKO_PRIVATE_KEY with a specific
> CKA_ID. This matches the one private key for the certificate it has
> determined it should use. It seems to have already chosen which cert
> to use based on the information gathered above. It then calls C_Sign
> using that specific key that matches one and only one specific cert.
> Which key/cert pair it uses depends on the order in which I returned
> the certificates in that very first C_FindObjects that listed all
> available certs. Changing the e-mail signing cert in Account
> Settings->Security appears to have no effect whatsoever on which
> key/cert pair it tries to use.
>
> I can post very detailed logs on the calls into the P11 module if you
> think that would be helpful.

The calls you describe seem like an effect of our cert cache, whose code I'm still unfamiliar with. Before you send me your PKCS#11 logs, can you extract your conflicting certs & keys from the smartcard, or generate new PKCS#12 files of those certs with identical subjects but different other properties? If so, can you try importing them into softoken (internal certificate database) and see if the same problem exists with that module? If yes, it is definitely a bug in either NSS or mozilla.
If you can reproduce the problem that way, please open a bugzilla bug against PSM. Please make sure to cc me ([EMAIL PROTECTED]) and attach the PKCS#12 files, and I will investigate. If the problem occurs only in your module but not with softoken, the PKCS#12 files might still be helpful for me. I could try them with another vendor's smartcard.
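The two C_FindObjects calls Chris describes follow the standard PKCS#11 template rule: an object matches only if every attribute in the supplied template is present on it with an equal value, so a class-only template returns every certificate and a class-plus-CKA_ID template narrows to a single key. The following is an added example, not code from this thread or from NSS/Mozilla; it models that matching logic against a constructed in-memory token (two certs with distinct CKA_ID/CKA_LABEL, each paired with a key by CKA_ID). The attribute and class constants carry the standard Cryptoki numeric values but are defined locally so no pkcs11.h is needed; `find_objects`, `list_certificates` and `find_private_key` are hypothetical helper names, not the real C_FindObjectsInit/C_FindObjects/C_FindObjectsFinal entry points.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Attribute types and object classes; the numeric values are the standard
 * PKCS#11 (Cryptoki) ones, defined locally so this builds without pkcs11.h. */
#define CKA_CLASS       0x00000000UL
#define CKA_LABEL       0x00000003UL
#define CKA_ID          0x00000102UL
#define CKO_CERTIFICATE 0x00000001UL
#define CKO_PRIVATE_KEY 0x00000003UL

typedef unsigned long CK_ULONG;

/* One attribute, shaped like CK_ATTRIBUTE: type, value pointer, value length. */
typedef struct { CK_ULONG type; const void *pValue; size_t ulValueLen; } Attr;

/* A token object: a name for printing plus a few attributes. */
#define MAX_ATTRS 3
typedef struct { const char *name; Attr attrs[MAX_ATTRS]; int nattrs; } Object;

#define STR(s) (s), sizeof(s) - 1     /* string literal as pValue, ulValueLen */
#define VAL(v) &(v), sizeof(v)        /* scalar as pValue, ulValueLen */

static const CK_ULONG cls_cert = CKO_CERTIFICATE;
static const CK_ULONG cls_key  = CKO_PRIVATE_KEY;
static const unsigned char id_a[] = {0x01};
static const unsigned char id_b[] = {0x02};

/* Constructed token contents (hypothetical, not from the thread): two
 * certificates with distinct CKA_ID/CKA_LABEL, each paired with a private
 * key that shares its CKA_ID. Order matters: it is the order returned. */
static const Object token[] = {
    {"cert-a", {{CKA_CLASS, VAL(cls_cert)}, {CKA_ID, id_a, sizeof id_a}, {CKA_LABEL, STR("mail cert 2003")}}, 3},
    {"key-a",  {{CKA_CLASS, VAL(cls_key)},  {CKA_ID, id_a, sizeof id_a}, {CKA_LABEL, STR("mail key 2003")}},  3},
    {"cert-b", {{CKA_CLASS, VAL(cls_cert)}, {CKA_ID, id_b, sizeof id_b}, {CKA_LABEL, STR("mail cert 2004")}}, 3},
    {"key-b",  {{CKA_CLASS, VAL(cls_key)},  {CKA_ID, id_b, sizeof id_b}, {CKA_LABEL, STR("mail key 2004")}},  3},
};
#define NOBJ (sizeof token / sizeof token[0])

/* True when the object carries attribute t->type with exactly t's value. */
static int attr_matches(const Object *o, const Attr *t) {
    for (int i = 0; i < o->nattrs; i++) {
        if (o->attrs[i].type != t->type) continue;
        return o->attrs[i].ulValueLen == t->ulValueLen &&
               memcmp(o->attrs[i].pValue, t->pValue, t->ulValueLen) == 0;
    }
    return 0; /* attribute absent from the object: not a match */
}

/* Search with C_FindObjects semantics: an object matches only if every
 * template attribute is present and equal (an empty template matches all).
 * Stores up to max matching indices in out, in token order (max plays the
 * role of ulMaxObjectCount), and returns the total number of matches. */
size_t find_objects(const Attr *tmpl, int ntmpl, size_t *out, size_t max) {
    size_t found = 0;
    for (size_t i = 0; i < NOBJ; i++) {
        int ok = 1;
        for (int j = 0; j < ntmpl && ok; j++) ok = attr_matches(&token[i], &tmpl[j]);
        if (ok) { if (found < max) out[found] = i; found++; }
    }
    return found;
}

/* Mozilla's first call in the thread: class-only template, so every
 * certificate on the token comes back, in the module's order. */
size_t list_certificates(size_t *out, size_t max) {
    Attr tmpl[] = {{CKA_CLASS, VAL(cls_cert)}};
    return find_objects(tmpl, 1, out, max);
}

/* The later call: class plus CKA_ID, which narrows the result to the one
 * private key paired with the chosen certificate. */
size_t find_private_key(const unsigned char *id, size_t idlen, size_t *out) {
    Attr tmpl[] = {{CKA_CLASS, VAL(cls_key)}, {CKA_ID, id, idlen}};
    return find_objects(tmpl, 2, out, 1);
}

const char *object_name(size_t idx) { return idx < NOBJ ? token[idx].name : "?"; }

int main(void) {
    size_t h[16];
    size_t n = list_certificates(h, 16);
    printf("C_FindObjects(CKA_CLASS=CKO_CERTIFICATE) -> %zu objects:", n);
    for (size_t i = 0; i < n; i++) printf(" %s", object_name(h[i]));
    printf("\nFirst certificate returned: %s (with the behaviour in the thread,\n"
           "this is the one that ends up being signed with)\n", object_name(h[0]));
    /* The key is then looked up by the chosen certificate's CKA_ID. */
    n = find_private_key(id_b, sizeof id_b, h);
    printf("C_FindObjects(CKO_PRIVATE_KEY, CKA_ID=02) -> %zu object: %s\n", n, object_name(h[0]));
    return 0;
}
```

Swapping the two certificate entries in `token` changes which certificate `list_certificates` returns first while leaving every per-object attribute identical, which is the symptom described above; the key lookup itself stays deterministic because CKA_ID is part of the template.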
