If you created these certs with Netscape 4.X then I may know exactly what your problem is. There was a bug in Netscape 4.X where when a certificate was generated for a PKCS11 token it would store the certificate's issuer number without the ASN.1 tag and length (for example in my case the serial number stored on the token was 08:0f:ad when it should have been 02:03:08:0f:ad). When you receive an encrypted mail Mozilla searches for the cert it was encrypted for by the issuer DN and serial number, but this bug is now fixed, so when it searches with a correct serial number *including* the ASN.1 tag and length at the front it cannot match and so it will not decrypt.
I had this problem with my iButton and the way I fixed it was to actually change the issuer number attribute for the certificate on my token. As long as your token allows this you should be able to get this done. How to do this then? Well, in my case I had already written a PKCS11 Python wrapper module so I just used that to call the C_SetAttributes function for the cert. Once I did this all was well. Here's the Python script I used:
import sys, getpass

# the author's own PKCS11 wrapper module, built for Python 2.1 on win32
sys.path.append('./build/lib.win32-2.1')
import pkcs11

# vendor PKCS#11 library for the iButton token
dllname = 'c:\\winnt\\system32\\dspkcs.dll'
# CKA_LABEL of the certificate object to repair
label = '[EMAIL PROTECTED]'

pdll = pkcs11.open(dllname)
# getSlotList(1) lists only slots with a token present
slot_list = pdll.getSlotList(1)
if len(slot_list) == 0 :
    print 'no token present'
    sys.exit(0)

# open up a read/write session (we need to modify an object)
session = pdll.openSession(slot_list[0], pkcs11.CKF_RW_SESSION)

# now we'll log in!
passwd = getpass.getpass('Please enter User PIN: ')
session.login(pkcs11.CKU_USER, passwd)

# find the certificate object by class and label
obj_list = session.findObjects(((pkcs11.CKA_CLASS, pkcs11.CKO_CERTIFICATE), (pkcs11.CKA_LABEL, label)))
if len(obj_list) == 0 :
    print 'certificate not found'
    sys.exit(1)
elif len(obj_list) > 1 :
    print 'more than one certificate found'
    sys.exit(1)

# overwrite CKA_SERIAL_NUMBER with the full DER INTEGER:
# 02 (INTEGER tag) 03 (length) 08 0f ad (the value Netscape stored bare)
session.setAttributeValue(obj_list[0], ((pkcs11.CKA_SERIAL_NUMBER, '\x02\x03\x08\x0f\xad'),))
sys.exit(0)
Pretty cool eh?!
If you have some standalone app for manipulating your crypto token you may be able to get the fix done that way. Otherwise if you're a Python guy (or ready to be one to get this fixed) I can send you source or a binary module so you can get this done yourself.
Emmanuel Deveze wrote:
Hi,
I've been using a PKCS#11 (cryptoki) implementation with my NS4.75 for years without any problem but now I've got some problems with Mozilla 1.0.2. I can send encrypted/signed email ok, but when it comes to reception, Mozilla cannot decrypt and pretends that the signature is not valid (which is false). I've got a log file (debug trace) from my PKCS library and it shows strange argument values in PKCS API calls made by Mozilla .... Does anyone know what I'm talking about? Is there a place where I could find information about the PKCS implementation in Mozilla? ..(other than http://developer.netscape.com/docs/manuals/security/pkcs/index.html) Should I address this issue to the BugZilla Web? Am I alone in this world????
ThanX, Emmanuel
-- Jens B. Jorgensen [EMAIL PROTECTED]
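The mismatch above comes down to one ASN.1 detail: CKA_SERIAL_NUMBER is supposed to hold the complete DER INTEGER (tag 0x02, length, value), while Netscape 4.X stored the bare value. The following is an added example, not code from the thread or from the pkcs11 wrapper mentioned in it: it rebuilds the correct DER form from a bare serial (08:0f:ad becomes 02:03:08:0f:ad) and checks whether a stored value even parses as a DER INTEGER before touching it. The check is a heuristic, since a bare serial that happens to start with 0x02 can look like valid DER; it assumes the serial is a non-negative integer, which is what X.509 requires.

```python
def der_length(n):
    """DER length octets for a content length n (short and long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(magnitude):
    """Encode an unsigned big-endian magnitude as a DER INTEGER (tag 0x02).

    Leading zero octets are dropped (DER minimal encoding) and one zero is
    re-added when the top bit is set, so the value is not read as negative.
    """
    m = magnitude.lstrip(b"\x00") or b"\x00"
    if m[0] & 0x80:
        m = b"\x00" + m
    return b"\x02" + der_length(len(m)) + m


def serial_needs_fix(stored):
    """True if a token-stored serial does not parse as exactly one DER INTEGER.

    The Netscape 4.X bare form (no tag/length prefix) normally fails here;
    a bare value that starts with 0x02 and a plausible length is ambiguous.
    """
    if len(stored) < 2 or stored[0] != 0x02:
        return True
    first = stored[1]
    if first < 0x80:                      # short-form length
        return 2 + first != len(stored)
    nlen = first & 0x7F                   # long form: number of length octets
    if nlen == 0 or len(stored) < 2 + nlen:
        return True
    content_len = int.from_bytes(stored[2:2 + nlen], "big")
    return 2 + nlen + content_len != len(stored)


def fixed_serial(stored):
    """Return the value Mozilla searches for: the stored bytes if they are
    already a DER INTEGER, otherwise the bare serial wrapped as one."""
    return stored if not serial_needs_fix(stored) else der_integer(stored)
```

Feed the result of fixed_serial() to the token's C_SetAttributeValue call instead of hard-coding the bytes as the script above does.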
