I found that PK11_KeyForCertExists did not always work with my external PK11 crypto tokens (see the other posting about this, with subject "PK11_KeyForCertExists"). Sometimes it returns a null slot (when it shouldn't), which directly affects the logic in JSS_PK11_wrapCert: if slot is null, then JSS concludes it must not be a user cert, and it wraps the cert into a PK11InternalCert object...
So I changed the JSS code a bit: instead of using PK11_KeyForCertExists, I check the trust flags in the cert object (this cert object is passed in to the JSS_PK11_wrapCert function). There is a function defined in the same source code file (i.e., jss/pkcs11/PK11Cert.c) called isUserCert which does the same trick (and apparently was not being used anywhere in JSS). This seems to work a lot better than using PK11_KeyForCertExists, which, for some as yet unexplainable reason, does not always return a non-null value if the key for the cert does exist. Moreover, once I determine that the cert is a user cert, I wrap it into a *PK11InternalTokenCert* object instead of a PK11InternalCert object... Jamie N., is this the change you were contemplating? Is this an OK alternative for JSS_PK11_wrapCert? And the big question: why in the heck doesn't PK11_KeyForCertExists always work the way one expects? It could be broken (the logic for this function is a bit convoluted...) -- POC
