Yves Bronoel wrote:
> This didn't change anything in fact...
> 
> The problem is that Mozilla doesn't look into my module when it needs
> a certificate for encryption (even if it is my email address).
> For example, when there is a click on the icon "security" in order
> to display which certificate is going to be used, there is no access to
> the PKCS11 module and "not found" is displayed.
> 
> If I am right, it seems that in Mozilla, PKCS #11 modules are not
> designed to provide recipient's certificates. But something has to be
> done when the sender of the mail is also a recipient because, in this
> build of NSS, cert7.db remains empty when I read a mail signed or
> encrypted with my own certificate.

The problem is NSS looks up email certificates by finding the S/MIME 
profile for a given email address. The profile points to the certificate 
to use. Tokens do not currently store email profiles, so you need to get 
the profile stored in the user database.

There are a couple of possibilities that could be causing problems:
    1) you don't have an S/MIME record, therefore NSS simply cannot find 
the cert given the email address (PKCS #11 has no email index for a 
certificate).
    2) you do have an S/MIME record, but it points to a nonexistent or 
invalid certificate (not the one in your smart card).
    3) You do have an S/MIME record, but for some reason the subject 
index for your certificate on the smart card is not valid.

Try this: Save your cert & key databases.

Launch Communicator without your smart card installed.
Open the Certificate manager (edit -> preferences -> Privacy&Security 
-> Certificates -> Manage Certificates)
Click on the "Other People's" tab.

If you can find your email cert there, check to make sure it's your 
current valid email cert that's stored in your smart card.

If so, insert your smart card, close the cert manager and reopen it. 
(You should be prompted for the PIN for your smart card at this point).
Make sure your certs show up in the 'Your certificates' tab and have 
disappeared from 'Other People's' tab.

Remove your smart card. Restart the manager again.
Delete your user certs.
Insert your smart card.
Send signed (but not encrypted email) to yourself.
Read that email.

Remove the smart card and verify that the certificate shows up in 'Other 
People's'. (If not, try reading the email without the smart card installed.)

You should be able to send encrypted email to yourself at this point, 
even without the smart card installed.... You will need the smart card 
to read it, however.


(BTW this assumes you are running on the latest NSS).

bob


> 
> Yves Bronoel
> 
> Robert Relyea wrote:
> 
> 
>>You should be able to work around this by reading an encrypted message
>>to yourself. It's OK to have the cert stored in more than one token, you
>>just can't have the cert and key stored in the same token. The bugs
>>related to having the cert in the cert db and in the smart card at the
>>same time should be fixed now.
>>
>>bob
>>
>>Yves Bronoel wrote:
>>
>>>I built these files from the current version on the cvs and
>>>the bug disappeared. But there is a new problem with this correction.
>>>As there is only one source of certificates for encryption, it is
>>>impossible to send an encrypted mail to myself. Indeed Mozilla
>>>didn't store the certificate in cert7.db (to prevent from masking
>>>my certificate) and it is not able to find an encryption certificate
>>>for my address. I think this bug is already known (#114893). Will it
>>>be fixed soon?
>>>
>>>Yves Bronoel
>>>
>>>Robert Relyea wrote:
>>>
>>>
>>>>Mozilla 1.0 went out with a number of bugs in NSS. This is one of
>>>>them. You can replace your nss3.dll ssl3.dll smime3.dll and
>>>>softoken3.dll with more recent builds and that should solve this problem.
>>>>
>>>>bob
>>>>
>>>>Yves Bronoel wrote:
>>>>
>>>>
>>>>>I have some problems with the certificate store of
>>>>>Mozilla and I am wondering if it is a known bug or not.
>>>>>
>>>>>I am writing a small PKCS #11 module and using it with
>>>>>mozilla 1.0. In the module I have got a certificate and
>>>>>a private key issued by OpenSSL for signing and
>>>>>encrypting mails. The certificate is well displayed and
>>>>>I can choose it as my user certificate and sign mails.
>>>>>
>>>>>But once I have read a mail signed with my own certificate,
>>>>>and restarted Mozilla, I am not able to view my certificate in
>>>>>"Your Certificates". It is only present in "Other People's".
>>>>>After, I am still able to sign and decrypt mail but I can't
>>>>>choose my certificate in "Mail & Newsgroup Account
>>>>>Settings". The result is empty as "Your certificate" of course.
>>>>>
>>>>>It seems that the certificate stored in cert7.db and displayed
>>>>>in "Other People's" is masking my own certificate.
>>>>>
>>>>>Another instance of this problem (without any PKCS #11
>>>>>module) may be seen by importing a user certificate thanks
>>>>>to PKCS#12 when the certificate is already present in
>>>>>"Other People's". It is said to be successful by Mozilla but
>>>>>you have no access to your certificate after. Moreover,
>>>>>after a new start of Mozilla, there is no certificate any
>>>>>more even in "Other People's"
>>>>>
>>>>>I have tried my module with Netscape 4.77 and it doesn't have
>>>>>this kind of problem.
>>>>>
>>>>>Yves Bronoel
>>>>>
>>>>
>>>
> 

