Thank you very much for this precious information, I will focus my effort on
this ...and I'm pretty optimistic ...

ThanX Again Jens

"Jens B. Jorgensen" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Emmanuel,
>
> If you created these certs with Netscape 4.X then I may know exactly what your
> problem is. There was a bug in Netscape 4.X where when a certificate was
> generated for a PKCS11 token it would store the certificate's issuer number
> without the ASN.1 tag and length (for example in my case the serial number
> stored on the token was 08:0f:ad when it should have been 02:03:08:0f:ad). When
> you receive an encrypted mail mozilla searches for the cert it was encrypted for
> by the issuer DN and serial number but this bug is now fixed so when it searches
> with a correct serial number *including* the ASN.1 tag and length at the front
> it cannot match and so it will not decrypt.
>
> I had this problem with my iButton and the way I fixed it was to actually change
> the issuer number attribute for the certificate on my token. As long as your
> token allows this you should be able to get this done. How to do this then?
> Well, in my case I had already written a PKCS11 Python wrapper module so I just
> used that to call the C_SetAttributes function for the cert. Once I did this all
> was well. Here's the python script I used:
>
> import sys, getpass
> sys.path.append('./build/lib.win32-2.1')
> import pkcs11
>
> dllname = 'c:\\winnt\\system32\\dspkcs.dll'
> label = '[EMAIL PROTECTED]'
>
> pdll = pkcs11.open(dllname)
>
> slot_list = pdll.getSlotList(1)
>
> if len(slot_list) == 0 :
>     print 'no token present'
>     sys.exit(0)
>
> # open up a session
> session = pdll.openSession(slot_list[0], pkcs11.CKF_RW_SESSION)
>
> # now we'll log in!
> passwd = getpass.getpass('Please enter User PIN: ')
> session.login(pkcs11.CKU_USER, passwd)
>
> obj_list = session.findObjects(((pkcs11.CKA_CLASS, pkcs11.CKO_CERTIFICATE),
>                                 (pkcs11.CKA_LABEL, label)))
>
> if len(obj_list) == 0 :
>     print 'certificate not found'
>     sys.exit(1)
> elif len(obj_list) > 1 :
>     print 'more than one certificate found'
>     sys.exit(1)
>
> session.setAttributeValue(obj_list[0], ((pkcs11.CKA_SERIAL_NUMBER,
>                                          '\x02\x03\x08\x0f\xad'),))
> sys.exit(0)
>
> Pretty cool eh?!
>
> If you have some standalone app for manipulating your crypto token you may be
> able to get the fix done that way. Otherwise if you're a Python guy (or ready to
> be one to get this fixed) I can send you source or a binary module so you can
> get this done yourself.
>
>
> Emmanuel Deveze wrote:
> > Hi,
> > I've been using a PKCS#11 (cryptoki) implementation of with my NS4.75 for
> > years without any problem but now I've got some problems with Mozilla
> > 1.0.2. I can send encrypted/signed email ok, but when it comes to reception,
> > Mozilla cannot decrypt and pretend that signature is not valid (which is
> > false). I've got a log file (debug trace) from my PKCS library and it shows
> > strange arguments values in PKCS API calls made by Mozilla ....
> > Does anyone know what I'm talking about ?
> > Is there a place where I could find information about PKCS implementation
> > in Mozilla ? ..(other than
> > http://developer.netscape.com/docs/manuals/security/pkcs/index.html)
> > Should I address this issue to the BugZilla Web ?
> > Am I alone in this world ????
> >
> > ThanX
> > Emmanuel
> >
> >
>
> --
> Jens B. Jorgensen
> [EMAIL PROTECTED]
>
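
Added example (not part of the original thread and not code from either poster): a Python 3 check that tells whether a CKA_SERIAL_NUMBER value read from a token is the full DER INTEGER or the bare content bytes the quoted message describes, and computes the value to write back. The function names are hypothetical, and the certificate's serial is assumed to have been read from the certificate itself.

```python
def der_integer(serial: bytes) -> bytes:
    """DER-encode a non-negative serial (big-endian bytes): tag, length, content."""
    content = serial.lstrip(b"\x00") or b"\x00"
    if content[0] & 0x80:
        content = b"\x00" + content          # leading zero keeps the INTEGER positive
    n = len(content)
    if n < 0x80:
        length = bytes([n])                  # short-form length
    else:
        size = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(size)]) + size   # long-form length
    return b"\x02" + length + content        # 0x02 is the ASN.1 INTEGER tag


def classify_serial_attr(attr: bytes, cert_serial: bytes) -> str:
    """Compare the token's CKA_SERIAL_NUMBER with the certificate's own serial.

    "ok"       - attribute is the complete DER INTEGER
    "raw"      - attribute is only the content bytes (tag and length missing)
    "mismatch" - attribute does not correspond to this certificate at all
    """
    if attr == der_integer(cert_serial):
        return "ok"
    if attr and attr.lstrip(b"\x00") == cert_serial.lstrip(b"\x00"):
        return "raw"
    return "mismatch"


def repaired_value(attr: bytes, cert_serial: bytes) -> bytes:
    """Return the bytes that CKA_SERIAL_NUMBER should hold for this certificate."""
    if classify_serial_attr(attr, cert_serial) == "mismatch":
        raise ValueError("token attribute does not belong to this certificate")
    return der_integer(cert_serial)


if __name__ == "__main__":
    serial = bytes.fromhex("080fad")         # serial from the quoted message
    for stored in (bytes.fromhex("080fad"), bytes.fromhex("0203080fad")):
        print(stored.hex(":"), classify_serial_attr(stored, serial),
              repaired_value(stored, serial).hex(":"))
```

Comparing against the serial taken from the certificate avoids guessing from the first byte alone, since a bare serial can itself begin with 0x02.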
