Hello,

I did not say that all the certificates are stored on the card. I only
said that you will see those that are.

You should use pkcs11-dump or any similar utility in order to see what
objects are stored on your token.

If there are certificate objects that are not visible, please send me
the output of pkcs11-dump.

Alon.

On Mon, Apr 6, 2009 at 12:00 PM, Stéphanie De Maerteleire <[email protected]> wrote:
> Hello,
>
> Ok, so the issuers are the root certificates, I get that. But you're saying 
> that ALL other certificates are stored in certs, but I've noticed that there 
> are several certificates that have an issuer that is neither in the issuers 
> list nor in the certs list. I need to get all issuers from a certificate in 
> some way to generate the certificate chain, and right now this is not 
> possible for certificates of which I can't find one of the issuers!
> Could you tell me how it is possible to do this? Or does this just mean that 
> the issuers I can't find are simply not stored on the token, and if so, how 
> can I get them anyway?
>
> I don't want to store anything on the token, I just want to read from it.
>
> Many thanks in advance,
>
> Kind regards,
> Stephanie
>
>
> -----Original Message-----
> From: Alon Bar-Lev [mailto:[email protected]]
> Sent: vrijdag 3 april 2009 18:00
> To: Stéphanie De Maerteleire; opensc-devel
> Subject: Re: Question about pkcs11-helper
>
> Hello,
>
> The issuers you get are the root certificates.
> All other certificates are stored in the certs.
>
> Two facts you should consider:
> 1. It is not safe to store root certificates on PKCS#11 token, as anyone, 
> even without authentication can add certificates into the token.
> 2. Storing the complete chain on a PKCS#11 token wastes storage, so in most 
> cases you will find only the root certificate and the end certificate.
>
> Alon.
>
> On Fri, Apr 3, 2009 at 1:01 PM, Stéphanie De Maerteleire <[email protected]> wrote:
>> Hello,
>>
>> Am I correct that you are the developer of pkcs11-helper? If so, you
>> might be able to help me with this issue. I'm Goblin_Queen on the
>> OpenSC forum, I posted a question before about using the Firefox
>> PKCS11 provider with pkcs11-helper.
>>
>> I'm having the following problem:
>>
>> When I call the method enumTokenCertificateIds like this:
>>
>>     if ((rv = pkcs11h_certificate_enumTokenCertificateIds (
>>             gekozenToken,
>>             PKCS11H_ENUM_METHOD_RELOAD,
>>             NULL,
>>             PKCS11H_PROMPT_MASK_ALLOW_ALL,
>>             &issuers,   /* out: issuer certificate IDs */
>>             &certs      /* out: end certificate IDs */
>>     )) != CKR_OK) {
>>         fatal ("pkcs11h_certificate_enumCertificateIds failed", rv);
>>     }
>>
>> The variable 'issuers' is filled with a list of issuers on that token.
>> But the problem is that I've discovered not all issuers are included
>> in this list, how is this possible? I need a complete list of all
>> issuers so I can generate a certificate chain. My certificate chain
>> method works fine for certificates of which the issuer(s) is/are
>> included in the list, but when the issuer is not included in the list, it
>> obviously crashes.
>>
>> Thanks in advance!
>>
>> Kind regards,
>>
>> Stephanie
>
_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
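
Added example (not code from this thread or from pkcs11-helper): a chain walk that ends cleanly when an issuer is not stored anywhere, and that reports a root found only on the token as untrusted, following the point in the thread that anyone can add certificates to a token without authentication. Certificates are modelled as constructed subject/issuer name pairs; `cert_t`, `build_chain` and the sample data are hypothetical.

```c
#include <stdio.h>
#include <string.h>
/* Constructed model: real code compares DER names and verifies signatures. */
typedef struct {
    const char *subject, *issuer; int from_token; /* 0 = local trust store */
} cert_t;

typedef enum { CHAIN_TRUSTED, CHAIN_UNTRUSTED_ROOT, CHAIN_INCOMPLETE, CHAIN_TOO_DEEP } chain_status;

/* Constructed sample data: what a token plus a local trust store might hold. */
static const cert_t SAMPLE[] = {
    { "CN=User A",     "CN=Sub CA",     1 },
    { "CN=Sub CA",     "CN=Root CA",    1 },
    { "CN=Root CA",    "CN=Root CA",    1 },  /* token copy of the root */
    { "CN=Root CA",    "CN=Root CA",    0 },  /* same root in the local trust store */
    { "CN=User B",     "CN=Absent CA",  1 },  /* issuer is not stored anywhere */
    { "CN=User C",     "CN=Token Root", 1 },
    { "CN=Token Root", "CN=Token Root", 1 }   /* root known only from the token */
};
#define SAMPLE_N (sizeof SAMPLE / sizeof SAMPLE[0])

/* Look up an issuer by name, preferring the local trust store copy. */
static const cert_t *find_by_subject(const cert_t *pool, size_t n, const char *dn) {
    const cert_t *hit = NULL;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(pool[i].subject, dn) != 0) continue;
        if (!pool[i].from_token) return &pool[i];
        if (!hit) hit = &pool[i];
    }
    return hit;
}

/* Walk from leaf to a self-signed root; a missing issuer ends the walk cleanly. */
chain_status build_chain(const cert_t *pool, size_t n, const cert_t *leaf,
                         const cert_t **out, size_t max, size_t *len) {
    const cert_t *cur = leaf;
    for (*len = 0; *len < max; ) {
        out[(*len)++] = cur;
        if (strcmp(cur->subject, cur->issuer) == 0)  /* self-signed: chain ends */
            return cur->from_token ? CHAIN_UNTRUSTED_ROOT : CHAIN_TRUSTED;
        if ((cur = find_by_subject(pool, n, cur->issuer)) == NULL)
            return CHAIN_INCOMPLETE;  /* issuer must be fetched from elsewhere */
    }
    return CHAIN_TOO_DEEP;            /* depth limit hit: cyclic or bogus issuer data */
}

int main(void) {
    const cert_t *chain[8]; size_t len;
    for (size_t i = 0; i < SAMPLE_N; i++)
        printf("%s -> %d\n", SAMPLE[i].subject, build_chain(SAMPLE, SAMPLE_N, &SAMPLE[i], chain, 8, &len));
}
```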
