Hi again, Jim,

James Rome wrote:
I am trying to get the Maxim/Dallas java-powered iButton to work.

It accepts 1024-byte certificates.

I can install the crypto module in both Mozilla and Firefox/Thunderbird.

The certificate will not import in Mozilla, but will import in Firefox. How can there be a difference?

I gather that, by "the certificate", you are referring to a PKCS 12 file (.p12), and that you're using mozilla/FF to import the cert and private key into the iButton. Yes?

What failure do you experience with mozilla?

If I try to access a site that accepts client certs from my CA, I get:
SSL_ERROR_SIGN_HASHES_FAILURE -12222 "Unable to digitally sign data required to verify your certificate."

Means that libSSL asked the PKCS11 slot that holds your selected cert (and private key) to digitally sign a piece of data that was computed during the handshake, and the PKCS11 module for that slot returned a PKCS11 error code. Unfortunately, there's no way to see the exact PKCS11 error code in mozilla or FF, AFAIK.

NSS has a facility to help developers debug PKCS11 modules.  IIRC, it
logs all calls to PKCS 11 functions in a single module, and also logs
the return value.  In effect, it lets you trace all the activity between
the NSS-based application and the selected PKCS11 module.  Such info is
of use to the PKCS11 module developer, or an integrator, but is not
intended for end users.  So, it's not enabled in mozilla builds, but you
(or someone) should be able to build a version of NSS with it in place,
and use it to trace the activity on your module.  The question would be,
after using it, would you be able to get resolution based on that info?

If I try to sign S/MIME mail using the certificate in the token, it fails.

Yes, my CA certificate is in the software store and is trusted. (Does it need to be in the hardware store also?)

This is a failure of the PKCS11 module's function to actually compute the RSA signature with your private key. That function doesn't make any use of certs, so CA certs and cert chain validity aren't relevant to this issue.

Any help would be appreciated.

Here's something to try that is simpler than tracing the PKCS11 module. Try manually logging in to your token shortly before attempting to do either signing operation. Steps (for mozilla; hope FF is similar):

Edit -> Preferences.  Select "Privacy & Security" -> Certificates.
Click "Manage Security Devices..."  Device Manager window will appear.
Click on your device slot in the list of "Security Modules and Devices".
Click the "Log In" button.  Enter password.  Click OK to close all dialogs.

Then try the ssl client auth or smime signing right away.
If that succeeds, then the problem may be that the private key
down inside the token is not marked as requiring that you be logged in
to the token to use it.  (Yes, some devices intentionally do not mark
the private keys to require logins, and perhaps yours has unintentionally
done so.)

You didn't indicate what exact versions of mozilla (etc) you're using.
That may very well also be relevant.

Thanks,
Jim Rome

-- 
Nelson B

_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto