RE: The CKA_ID is typically derived from the key ~Sanjay Eknumarjip, 23.Sep.03 01:21 PM, a Web browser, Notes Client 6.0.2 CF1, Windows 2000
Hi Dave,
Thanks for your reply!
>>> I have tried to "Import Internet Certificate from a Smartcard" but encounter the following error, "Cannot accept internet
>>> certificate because the certificate is already in the ID file". I have also tried to do this with a new user for which I have not
>>> imported the pkcs#12 certificate, but it still gives me the same error. Do I need to create a user account that contains no
>>> certificate at all? If yes, how do I go about doing this (I have tried but could not find any options that allow me to do this)?
> I believe that the GUI-level code will also display that error if there are no importable certificates on the token. Mozilla will
> definitely export certificates onto the token in a format that Notes can import -- you might want to try generating/exporting a
> certificate on the token with Mozilla, then importing it into Notes, and see if that works.
I have observed that the call to pkcs#11 when I do the "Import Internet Certificate from a Smartcard" only calls the following functions:
23/09/2003 02:19:31.39 PM [0410:0002-0334] C_GetSessionInfo> Entering -- session 1
23/09/2003 02:19:31.39 PM [0410:0002-0334] C_GetSessionInfo> Request on session 1 succeeded
23/09/2003 02:19:31.39 PM [0410:0002-0334] C_GetSessionInfo> Entering -- session 1
23/09/2003 02:19:31.39 PM [0410:0002-0334] C_GetSessionInfo> Request on session 1 succeeded
23/09/2003 02:19:31.39 PM [0410:0002-0334] C_GetMechanismList> Get number of supported mechanisms -- Entering
23/09/2003 02:19:31.40 PM [0410:0002-0334] C_GetMechanismList> Fill in mechanism list -- Entering
Then Notes will prompt the "Cannot accept internet certificate because the certificate is already in ID file" error. From what I see there is no attempt to "import" the certificate. Also, may I know which pkcs#11 functions are called to "import" the certificate, as I have not come across any function that does this?
Another interesting thing that I have found out is that it will proceed to C_GetMechanismInfo if I include "CKM_RSA_PKCS_KEY_PAIR_GEN". But to my understanding of Notes it only uses CKM_RSA_PKCS, CKM_MD5_RSA_PKCS and CKM_SHA1_RSA_PKCS (since we will not expect Notes to generate the key pair, as our smartcard is pre-loaded with keys and certificates). Please correct me if I'm wrong in this.
After I included "CKM_RSA_PKCS_KEY_PAIR_GEN", Notes continues the process and calls C_FindObject with a template that only contains a single attribute, which is CKA_CLASS with CKO_PRIVATE_KEY. But I have not noticed any calls to C_CreateObject for this. What is Notes trying to achieve?
> The best way to check the certificates on the token to confirm that Notes could successfully import them is through
> SECManipulateSC.
I actually tried to use SECManipulateSC, but I faced the problem that I could not find any sample code that uses it that I could follow. If you do have any sample code that uses SECManipulateSC as an example, could you please direct me to it?
> You are correct in your observation that you have not given out your "container name" through any function to Notes. I
> cannot think of any functions in the PKCS#11 2.11 API that could be used to transmit such information. The information
> contained in the CKA_ID is typically derived from the key, and is not directly related to the storage formats used internally
> by whatever token we currently happen to be using.
Since the CKA_ID is derived from the key, how does Notes get this "key" information through pkcs#11 functions? I believe that this is done when Notes does "Import Internet Certificate from a Smartcard", but what function will it call to get this, as we have not coded any part in pkcs#11 that does this? According to my understanding, some smartcards will not allow the private key information to be released, so how will Notes get the hash (MD5/SHA1) of the private key?
> I would expect that most tokens would maintain a mapping somewhere
> between their internal index, the object's PKCS#11 identifiers, and the object's MS-CAPI identifiers. But any such
> implementation would be invisible at the level of an application calling through one of the higher-level interfaces.
> The CKA_ID is "usually" an MD5 hash because if we create the key ourselves, we will use an MD5 hash of the BER-
> encoded SPKI for that attribute. However, if we "import" a key, then we will use the pre-existing CKA_ID attribute, which is
> usually a SHA1 hash. Same concept, just four bytes longer. However, if an imported key used the Declaration of
> Independence as its CKA_ID attribute, we could handle that as well.
If we wanted to introduce the "Declaration of Independence" CKA_ID to Notes, how could we achieve this? Is this done through pkcs#11 (if yes, which function), or is there an interface provided by Notes to set this?
Please allow me to give a brief description of how our smartcard is used with Outlook.
Based on our implementation for Microsoft Outlook: we export our certificates (we have a smartcard preloaded with 3 certificates) into the Microsoft Certificate Store. This Certificate Store actually stores all the certificates used by Windows. We then input the Container Name for each certificate and also specify the CSP to be used with each individual certificate. Thus when the certificate is used for the signing/decryption process, it will know which CSP to look for and the container name to use, since we have 3 certificates. This will uniquely identify which certificate is to be used for the signing/decryption process. I believe the container name in this case is equivalent to the CKA_ID in a pkcs#11 implementation.
Thanks in advance!
Apologies for the long mail. :-)
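An added example, not from this thread or from Notes itself, showing the CKA_ID derivation Dave describes (a hash, MD5 for keys Notes creates and typically SHA-1 for imported ones, over the DER-encoded SubjectPublicKeyInfo) and how a C_FindObjects-style lookup on CKA_CLASS = CKO_PRIVATE_KEY can pair a certificate with its private key using only public data. The RSA modulus, the in-memory token objects and the helper names are constructed for illustration.

```python
import hashlib

# Minimal DER helpers, enough to build an RSA SubjectPublicKeyInfo (SPKI).
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:          # leading zero keeps the INTEGER positive
        b = b"\x00" + b
    return der_tlv(0x02, b)

def rsa_spki_der(n, e):
    # SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }
    rsa_oid = bytes.fromhex("06092a864886f70d010101")   # rsaEncryption
    alg_id = der_tlv(0x30, rsa_oid + b"\x05\x00")        # NULL parameters
    rsa_key = der_tlv(0x30, der_int(n) + der_int(e))     # RSAPublicKey
    return der_tlv(0x30, alg_id + der_tlv(0x03, b"\x00" + rsa_key))

CKO_CERTIFICATE, CKO_PRIVATE_KEY = 0x01, 0x03

def cka_id_candidates(spki_der):
    # Notes-created keys use MD5 of the SPKI; imported keys usually carry SHA-1.
    return {"MD5": hashlib.md5(spki_der).digest(),
            "SHA1": hashlib.sha1(spki_der).digest()}

def find_private_key(token_objects, spki_der):
    # Emulates C_FindObjects with template {CKA_CLASS: CKO_PRIVATE_KEY}, then
    # pairs by CKA_ID; no private key material is ever read from the token.
    wanted = set(cka_id_candidates(spki_der).values())
    for obj in token_objects:
        if obj["CKA_CLASS"] == CKO_PRIVATE_KEY and obj["CKA_ID"] in wanted:
            return obj
    return None

# Constructed sample: a fake modulus (not a real RSA key) and a token whose
# key/cert pair carries a SHA-1 CKA_ID, as an imported key would.
SAMPLE_SPKI = rsa_spki_der(int("c0ffee" * 8, 16), 65537)
SAMPLE_ID = cka_id_candidates(SAMPLE_SPKI)["SHA1"]
SAMPLE_TOKEN = [
    {"CKA_CLASS": CKO_CERTIFICATE, "CKA_ID": SAMPLE_ID, "CKA_LABEL": "signing cert"},
    {"CKA_CLASS": CKO_PRIVATE_KEY, "CKA_ID": SAMPLE_ID, "CKA_LABEL": "signing key"},
    {"CKA_CLASS": CKO_PRIVATE_KEY, "CKA_ID": b"unrelated", "CKA_LABEL": "other key"},
]
```

With a real token the same pairing is done by reading the certificate's public key (CKA_VALUE of the CKO_CERTIFICATE object) and searching for a private key whose CKA_ID matches; a token that labels its objects with an arbitrary CKA_ID simply needs the certificate and private key to share that value.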