
List:       mozilla-crypto
Subject:    Certificate Not Listed For SSL Connection
From:       ezman () adlanarif ! com (M Ezman Zainudin)
Date:       2003-11-17 9:17:14

Hi,

I am developing a PKCS#11 module and I've managed to register it with
Mozilla. The module uses a software token and I have already managed to
list the certificate in Mozilla. Nevertheless, when I was about to
establish an SSL connection to a web server, the certificate was not
listed for me to choose. Can someone please tell me what it takes to
get Mozilla to recognise that this is one of the certificates to be
used for client authentication?

The module currently lists the following mechanisms as return values
for C_GetMechanismList:

  - CKM_RSA_PKCS
  - CKM_RSA_X_509

After asking for the PIN, Mozilla looked for the objects in the
module, and in the first round I was asked for the certificate (in
C_FindObjectsInit), so I returned the handle to the certificate (in
C_FindObjects). As a follow-up to this, Mozilla requested the
attributes of the certificate, and the following are the relevant
attributes:

  - CKA_CLASS
  - CKA_TOKEN
  - CKA_LABEL
  - CKA_CERTIFICATE_TYPE
  - CKA_ID
  - CKA_VALUE
  - CKA_ISSUER
  - CKA_SERIAL_NUMBER
  - CKA_SUBJECT

Mozilla also requested the value of attribute CKA_NETSCAPE_EMAIL,
therefore my C_GetAttributeValue returns CKR_ATTRIBUTE_TYPE_INVALID.

After that, Mozilla initiated another object search (using
C_FindObjectsInit) and there are two attributes in pTemplate:

  - CKA_ID
  - CKA_CLASS

The pValue for the template (for CKA_CLASS) is CKO_PRIVATE_KEY,
therefore I return the handle to the private key. After that, the SSL
connection was completed and I was not shown a list of certificates
available for client authentication. Was Mozilla supposed to call my
C_GetAttributeValue function, passing the handle of the private key,
to obtain the attributes of my private key? What have I done wrong
here, or am I missing any critical steps which are required?

Please help. I am currently using Mozilla 1.2.1 on RedHat Linux 9. My
compiler is GCC 3.2.2. I have configured Apache 2.0.40 to request
client authentication without requiring CA verification of the client
certificates. Your help will be very much appreciated.


Thanks
_______________________________________________
mozilla-crypto mailing list
mozilla-crypto@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-crypto
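
The two module calls this message walks through, a search on CKA_ID plus CKA_CLASS and a C_GetAttributeValue request for an attribute the token does not have, sketched as an added example (not code from the poster's module or from Mozilla). The types stand in for pkcs11.h; token_object, find_attr, VENDOR_ATTR, UNAVAILABLE and the sample objects are hypothetical names with constructed values, while the -1 length marker and the continue-after-error behaviour follow the PKCS#11 specification.

```c
#include <string.h>
/* Stand-ins for pkcs11.h so this builds alone; constant values are the PKCS#11 ones. */
typedef unsigned long CK_ULONG;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
enum { CKA_CLASS = 0x0, CKA_ID = 0x102, CKO_CERTIFICATE = 0x1, CKO_PRIVATE_KEY = 0x3 };
enum { CKR_OK = 0x0, CKR_ATTRIBUTE_TYPE_INVALID = 0x12, CKR_BUFFER_TOO_SMALL = 0x150 };
#define VENDOR_ATTR 0x80000001UL /* constructed vendor-defined type, not a real NSS id */
#define UNAVAILABLE ((CK_ULONG)-1) /* length the spec assigns to an unreadable entry */
typedef struct { CK_ATTRIBUTE *attrs; CK_ULONG n; } token_object; /* hypothetical store */

static const CK_ATTRIBUTE *find_attr(const token_object *o, CK_ULONG type) {
    for (CK_ULONG i = 0; i < o->n; i++)
        if (o->attrs[i].type == type) return &o->attrs[i];
    return NULL;
}

/* Search rule: every template attribute must exist on the object with identical bytes. */
int template_matches(const token_object *o, const CK_ATTRIBUTE *t, CK_ULONG n) {
    for (CK_ULONG i = 0; i < n; i++) {
        const CK_ATTRIBUTE *a = find_attr(o, t[i].type);
        if (!a || a->ulValueLen != t[i].ulValueLen ||
            memcmp(a->pValue, t[i].pValue, a->ulValueLen) != 0) return 0;
    }
    return 1;
}

/* C_GetAttributeValue rule: an error on one entry does not stop the others being filled. */
CK_ULONG get_attribute_value(const token_object *o, CK_ATTRIBUTE *t, CK_ULONG n) {
    CK_ULONG rv = CKR_OK;
    for (CK_ULONG i = 0; i < n; i++) {
        const CK_ATTRIBUTE *a = find_attr(o, t[i].type);
        if (!a) { t[i].ulValueLen = UNAVAILABLE; rv = CKR_ATTRIBUTE_TYPE_INVALID; }
        else if (!t[i].pValue) t[i].ulValueLen = a->ulValueLen; /* length query only */
        else if (t[i].ulValueLen < a->ulValueLen) { t[i].ulValueLen = UNAVAILABLE; rv = CKR_BUFFER_TOO_SMALL; }
        else { memcpy(t[i].pValue, a->pValue, a->ulValueLen); t[i].ulValueLen = a->ulValueLen; }
    }
    return rv;
}

/* Constructed sample data: a certificate and a private key that share one CKA_ID. */
static unsigned char id[] = {0x01, 0x02};
static CK_ULONG cls_cert = CKO_CERTIFICATE, cls_key = CKO_PRIVATE_KEY;
static CK_ATTRIBUTE cert_attrs[] = {{CKA_CLASS, &cls_cert, sizeof cls_cert}, {CKA_ID, id, sizeof id}};
static CK_ATTRIBUTE key_attrs[] = {{CKA_CLASS, &cls_key, sizeof cls_key}, {CKA_ID, id, sizeof id}};
token_object sample_cert = {cert_attrs, 2}, sample_key = {key_attrs, 2};
CK_ATTRIBUTE key_search[] = {{CKA_ID, id, sizeof id}, {CKA_CLASS, &cls_key, sizeof cls_key}};
unsigned char id_out[8];
CK_ATTRIBUTE query[] = {{VENDOR_ATTR, NULL, 0}, {CKA_ID, id_out, sizeof id_out}};
int main(void) { return get_attribute_value(&sample_cert, query, 2) == CKR_ATTRIBUTE_TYPE_INVALID ? 0 : 1; }
```

With the sample data, the CKA_ID plus CKO_PRIVATE_KEY template selects only the key object even though the certificate carries the same CKA_ID, and the mixed query returns CKR_ATTRIBUTE_TYPE_INVALID while still delivering the CKA_ID bytes.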