This forum is closed to new posts and responses. Individual names altered for privacy purposes. The information contained in this website is provided for informational purposes only and should not be construed as a forum for customer support requests. Any customer support requests should be directed to the official HCL customer support channels below:
The CKA_ID is typically derived from the key ~Umberto Nongeroson, 22.Sep.03 05:28 PM, a Web browser, Notes Client 6.0.2 CF1, Windows 2000
I have tried to "Import Internet Certificate from a Smartcard" but encounter the following error, "Cannot accept internet certificate because the certificate is already in the ID file". I have also tried to do this with a new user for which I have not imported the PKCS#12 certificate, but it still gives me the same error. Do I need to create a user account that contains no certificate at all? If yes, how do I go about doing this (I have tried but could not find any options that allow me to do this)?
I believe that the GUI-level code will also display that error if there are no importable certificates on the token. Mozilla will definitely export certificates onto the token in a format that Notes can import -- you might want to try generating/exporting a certificate on the token with Mozilla, then importing it into Notes, and see if that works.
The best way to check the certificates on the token to confirm that Notes could successfully import them is through SECManipulateSC.
Another question is regarding the CKA_ID that is used. I believe that this CKA_ID should correspond to our "container name" that we used to identify which key should be used for signing and/or decryption. But based on our coding of PKCS#11, we have not given out this information in any function to Notes. If I am not mistaken, this CKA_ID should be provided by Notes when Notes calls the C_CreateObject function to create the CKO_PRIVATE_KEY object. May I know where or how Notes gets this CKA_ID information from us? Do we need another application just to load this, or should this be provided in a PKCS#11 function?
You are correct in your observation that you have not given out your "container name" through any function to Notes. I cannot think of any functions in the PKCS#11 2.11 API that could be used to transmit such information. The information contained in the CKA_ID is typically derived from the key, and is not directly related to the storage formats used internally by whatever token we currently happen to be using. I would expect that most tokens would maintain a mapping somewhere between their internal index, the object's PKCS#11 identifiers, and the object's MS-CAPI identifiers. But any such implementation would be invisible at the level of an application calling through one of the higher-level interfaces.
Also, based on the "Required Smartcard capabilities v0.6" that was emailed by you to us on 09/05/2003, you have mentioned that this CKA_ID is "<Usually a MD5 hash of the BER-encoded private-key>". What does the "Usually" mean? Is it that we can provide our own "container name" to identify the certificate, or do we need to MD5 hash the private key as the CKA_ID?
The CKA_ID is "usually" an MD5 hash because if we create the key ourselves, we will use an MD5 hash of the BER-encoded SPKI for that attribute. However, if we "import" a key, then we will use the pre-existing CKA_ID attribute, which is usually a SHA1 hash. Same concept, just four bytes longer. However, if an imported key used the Declaration of Independence as its CKA_ID attribute, we could handle that as well.
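The two points the thread makes, that CKA_ID is a hash of the DER/BER-encoded SubjectPublicKeyInfo (MD5 for keys the application creates, SHA-1 for imported ones, or in principle any byte string) and that an application finds something to import only when a certificate and a private key on the token share a CKA_ID, can be shown in a few dozen lines. The following Python is an added example, not code from this thread, from Notes or from any token vendor: it builds an RSA SPKI with a minimal stdlib DER encoder, derives the CKA_ID from it, and then groups a constructed table of token objects (CKA_CLASS, CKA_ID, handle) by CKA_ID to decide which ones are importable. The key value, object handles and the "MyContainer" identifier are constructed for illustration.

```python
"""Derive a PKCS#11 CKA_ID from an RSA public key and match token objects by it.

Added example; not code from the forum thread, Notes, or any token vendor.
All key values, object tables and object handles below are constructed.
"""
import hashlib

# DER value bytes of OID 1.2.840.113549.1.1.1 (rsaEncryption), used in the
# AlgorithmIdentifier of an RSA SubjectPublicKeyInfo.
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")

# PKCS#11 CKA_CLASS values (CKO_* constants from the PKCS#11 specification).
CKO_CERTIFICATE = 0x1
CKO_PUBLIC_KEY = 0x2
CKO_PRIVATE_KEY = 0x3


def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    """One DER tag-length-value element."""
    return bytes([tag]) + der_length(len(content)) + content


def der_integer(value):
    """DER INTEGER for a non-negative int (a leading 0x00 keeps it positive)."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der_tlv(0x02, body)


def rsa_spki_der(n, e):
    """DER SubjectPublicKeyInfo for an RSA public key (n, e):
    SEQUENCE { SEQUENCE { OID rsaEncryption, NULL },
               BIT STRING { SEQUENCE { INTEGER n, INTEGER e } } }"""
    rsa_public_key = der_tlv(0x30, der_integer(n) + der_integer(e))
    alg_id = der_tlv(0x30, der_tlv(0x06, RSA_ENCRYPTION_OID) + der_tlv(0x05, b""))
    # BIT STRING content begins with the count of unused bits (0 here).
    subject_public_key = der_tlv(0x03, b"\x00" + rsa_public_key)
    return der_tlv(0x30, alg_id + subject_public_key)


def cka_id_from_spki(spki_der, algorithm="md5"):
    """CKA_ID as the thread describes it: MD5 of the encoded SPKI for keys the
    application creates itself, SHA-1 (four bytes longer) for imported keys."""
    return hashlib.new(algorithm, spki_der).digest()


def group_token_objects(objects):
    """Group token objects by CKA_ID so a certificate can be paired with its
    private key. Matching is byte equality, so a CKA_ID of any length or
    origin works. Returns {cka_id: {"cert": [...], "public": [...], "private": [...]}}."""
    kinds = {CKO_CERTIFICATE: "cert", CKO_PUBLIC_KEY: "public", CKO_PRIVATE_KEY: "private"}
    groups = {}
    for obj in objects:
        slot = groups.setdefault(obj["CKA_ID"], {"cert": [], "public": [], "private": []})
        kind = kinds.get(obj["CKA_CLASS"])
        if kind:
            slot[kind].append(obj["handle"])
    return groups


def importable_ids(objects):
    """CKA_IDs for which the token holds both a certificate and a private key.
    An empty result is the 'nothing to import' situation the thread mentions."""
    groups = group_token_objects(objects)
    return sorted(cid for cid, g in groups.items() if g["cert"] and g["private"])


# Constructed sample: a toy 256-bit modulus (not a real key) and two token layouts.
SAMPLE_N = 0xC0FFEE0000000000000000000000000000000000000000000000000000000001  # hypothetical
SAMPLE_E = 65537
SAMPLE_SPKI = rsa_spki_der(SAMPLE_N, SAMPLE_E)
SAMPLE_ID = cka_id_from_spki(SAMPLE_SPKI)

# Token A: key pair and certificate share the CKA_ID -> importable.
TOKEN_A = [
    {"handle": 1, "CKA_CLASS": CKO_PRIVATE_KEY, "CKA_ID": SAMPLE_ID},
    {"handle": 2, "CKA_CLASS": CKO_PUBLIC_KEY, "CKA_ID": SAMPLE_ID},
    {"handle": 3, "CKA_CLASS": CKO_CERTIFICATE, "CKA_ID": SAMPLE_ID},
]
# Token B: the private key carries a vendor "container name" as CKA_ID that the
# certificate does not share -> nothing importable, although objects exist.
TOKEN_B = [
    {"handle": 1, "CKA_CLASS": CKO_PRIVATE_KEY, "CKA_ID": b"MyContainer"},
    {"handle": 3, "CKA_CLASS": CKO_CERTIFICATE, "CKA_ID": SAMPLE_ID},
]

if __name__ == "__main__":
    print("SPKI DER bytes:", len(SAMPLE_SPKI), "MD5 CKA_ID:", SAMPLE_ID.hex())
    print("SHA-1 CKA_ID:", cka_id_from_spki(SAMPLE_SPKI, "sha1").hex())
    print("Token A importable:", [i.hex() for i in importable_ids(TOKEN_A)])
    print("Token B importable:", importable_ids(TOKEN_B))
```

Token B is the case worth checking first when an import reports nothing usable: the objects are present, but because the private key's CKA_ID is a private container name rather than the hash the certificate side carries, no pairing is possible. Writing the same CKA_ID on the certificate, public-key and private-key objects when they are created is what makes them discoverable to an application that only speaks PKCS#11.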