Ionut,

Ionut Marasescu wrote:
> Hello everyone,
> We've developed a PKCS#11 module for our smartcard terminal and
> smartcard application. The smartcard contains 5 certificates (and
> corresponding private keys), so we implemented 5 slots.

This isn't necessary. You could still have 5 certs and keys with the same subject in a single slot.

> We wanted to select
> one certificate for signing.

Are you talking about S/MIME message signing? Or SSL client auth?

> Mozilla is not able to sign with the selected certificate (instead it uses the first one with the same subject displayed in the selection combo). If we set the slot names to be identical, it displays only one certificate (from the ones with the identical subject).
> We've imported two certificates with the same subject in the Mozilla Software security device. They both appear in the Certificate Manager, but when trying to select one of them for the digital signature, we've observed that only one appears. At this point it seems to be a Mozilla issue. Does anyone know how to override this? Or if it's a Mozilla issue, when (or if) it will be fixed?
> We've tested with Mozilla 1.6, 1.7 (releases) and Netscape 7.1, and the functionality is identical.
> We even declared the slots as software slots (we normally set the flag CKF_HW_SLOT), in order to observe all the calls that Mozilla normally makes. At some point Mozilla searches (C_FindObjects) for a certificate by using only the subject (which we know is not unique), so it seems that our problem is related to this kind of search (it would be more convenient if the find searched by a unique attribute (like CA & serial number) instead of subject).

Could you try to reproduce the problem with the software token instead of your token?
To do this, export your 5 certs and keys to a PKCS#12 file (you may have to generate new ones if the keys aren't exportable from your smartcard).
Then import the PKCS#12 file into the database in Mozilla.
Then, repeat what you are trying to do and see if you are able to sign with a particular cert.
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
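
An added illustration, not part of the original message and not Mozilla's or the module's code: a self-contained C model of the template matching that C_FindObjects performs, showing why a subject-only template is ambiguous while issuer plus serial number selects exactly one certificate. The attr_t and cert_t types, find_certs, and the sample certificates are constructed for this example; only the CKA_* values come from the PKCS#11 headers.

```c
#include <stdio.h>
#include <string.h>
/* Attribute type values from the PKCS#11 headers. */
#define CKA_ISSUER        0x81UL
#define CKA_SERIAL_NUMBER 0x82UL
#define CKA_SUBJECT       0x101UL
/* Hypothetical stand-in for CK_ATTRIBUTE: strings instead of DER bytes. */
typedef struct { unsigned long type; const char *value; } attr_t;
typedef struct { const char *subject, *issuer, *serial; } cert_t;
/* Constructed sample objects, not data from the thread. */
static const cert_t TOKEN[] = {
    { "CN=Sample User",  "CN=Sample CA", "01" },
    { "CN=Sample User",  "CN=Sample CA", "02" },
    { "CN=Sample User",  "CN=Other CA",  "01" },
    { "CN=Another User", "CN=Sample CA", "03" },
};
#define NCERTS (sizeof TOKEN / sizeof TOKEN[0])

static const char *cert_attr(const cert_t *c, unsigned long type) {
    if (type == CKA_SUBJECT)       return c->subject;
    if (type == CKA_ISSUER)        return c->issuer;
    if (type == CKA_SERIAL_NUMBER) return c->serial;
    return NULL;
}

/* An object matches only if every attribute in the template is equal.
   Returns the match count; *first gets the first matching index or -1. */
static int find_certs(const attr_t *tmpl, size_t n, int *first) {
    int count = 0;
    *first = -1;
    for (size_t i = 0; i < NCERTS; i++) {
        int ok = 1;
        for (size_t j = 0; j < n && ok; j++) {
            const char *v = cert_attr(&TOKEN[i], tmpl[j].type);
            ok = v != NULL && strcmp(v, tmpl[j].value) == 0;
        }
        if (ok && count++ == 0) *first = (int)i;
    }
    return count;
}

int main(void) {
    attr_t by_subject[] = { { CKA_SUBJECT, "CN=Sample User" } };
    attr_t by_id[] = { { CKA_ISSUER, "CN=Sample CA" }, { CKA_SERIAL_NUMBER, "02" } };
    int first, n = find_certs(by_subject, 1, &first);
    printf("subject only:    %d matches, first is index %d\n", n, first);
    n = find_certs(by_id, 2, &first);
    printf("issuer + serial: %d match, index %d\n", n, first);
    return 0;
}
```

A caller that takes the first result of the subject-only search always gets index 0, whichever certificate the user picked; that is the behaviour described in the message above.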
