Douglas E. Engert wrote:
> If you move the public objects off of the slot, NSS won't be able to find the corresponding private objects. CKA_ID's are only specified to be unique across a given slot, so you can't match CKA_ID's from one slot to the next (so in the general case you can't identify a given private key with a given cert unless they live in the same slot).
>
> OK, so do you have any comments about adding all public objects to all slots? Based on how I read PKCS#11, there should be one slot for each auth PIN, and it should have the private objects that need that PIN and all the public objects. The way the code is now, the public objects are added to an extra slot, unless the auth_count=1 and the hide_empty_slots = yes. This works for my card with its one auth PIN but does not look correct for the more general case.
Adding all public objects to all slots is reasonably innocuous as long as it doesn't interfere with the ability to identify which slot has the private key. If you are depending on NSS's publicly readable cert semantic (for example), then you will not want to include public keys that don't have the corresponding private keys in the slot.
In general, an application will either have to authenticate to all slots first, or have a way of identifying which slot actually holds the private key. Ideally you would only match up the related certificate, public key, and private key into the given slot associated with the private key. Certificates without keys associated with them could live in any slot (including an 'extra' slot).
Hope that helps. bob
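To make the slot-scoping point above concrete, here is an added example (not code from the thread, OpenSC or NSS) that pairs certificate, public key and private key objects by CKA_ID only within one slot, hides private objects until that slot is logged in, and shows why pooling objects from several slots and matching on CKA_ID alone is ambiguous. The token layout is constructed, and the object records are a plain-dict stand-in for real PKCS#11 attribute templates.

```python
from collections import defaultdict

# Stand-ins for CKO_* object classes (constructed, not the real constants).
CERT, PUBKEY, PRIVKEY = "cert", "pubkey", "privkey"

# Constructed token: each slot is guarded by its own auth PIN, and CKA_ID 0x01
# is reused in both slots for unrelated key pairs, which PKCS#11 permits since
# CKA_ID is only required to be unique within a slot.
SLOTS = {
    0: [
        {"class": CERT,    "id": b"\x01", "label": "Signature cert", "private": False},
        {"class": PUBKEY,  "id": b"\x01", "label": "Signature pub",  "private": False},
        {"class": PRIVKEY, "id": b"\x01", "label": "Signature key",  "private": True},
        {"class": CERT,    "id": b"\x09", "label": "CA cert",        "private": False},
    ],
    1: [
        {"class": CERT,    "id": b"\x01", "label": "Encryption cert", "private": False},
        {"class": PUBKEY,  "id": b"\x01", "label": "Encryption pub",  "private": False},
        {"class": PRIVKEY, "id": b"\x01", "label": "Encryption key",  "private": True},
    ],
}

def visible(objects, logged_in):
    """Private objects are only enumerable after C_Login on that slot."""
    return [o for o in objects if logged_in or not o["private"]]

def pair_in_slot(objects, logged_in):
    """Return {CKA_ID: {class: label}} for IDs whose private key is visible
    in this same slot. Certs with no matching private key (e.g. CA certs)
    are left out, so they may live in any slot, including an 'extra' one."""
    by_id = defaultdict(dict)
    for obj in visible(objects, logged_in):
        by_id[obj["id"]][obj["class"]] = obj["label"]
    return {cid: objs for cid, objs in by_id.items() if PRIVKEY in objs}

def pair_per_slot(slots, logged_in_slots):
    """The safe approach: match within each slot, after logging in to it."""
    return {s: pair_in_slot(objs, s in logged_in_slots) for s, objs in slots.items()}

def ambiguous_ids_across_slots(slots):
    """The approach the thread warns against: pool every slot's objects and
    match on CKA_ID alone. Returns the IDs that map to more than one key."""
    keys_by_id = defaultdict(set)
    for objs in slots.values():
        for obj in objs:
            if obj["class"] == PRIVKEY:
                keys_by_id[obj["id"]].add(obj["label"])
    return {cid for cid, labels in keys_by_id.items() if len(labels) > 1}
```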