How to handle nicknames/tokens with colons in ECA certificates

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

How to handle nicknames/tokens with colons in ECA certificates

Bill McGrory
I am the trying to get a new (for me) hardware token to work with the
nss lib on Linux. This is an ECA token (external certificate authority)
specified by the U.S. Government. Apparently there are specifications
for certificate common name naming conventions which require the
inclusion of a colon in the common name.

As has been reported in other places on this group, there is an issue
with proper functioning of the
find_certs_from_nickname/PK11_FindCertFromNickname functions when the
token name includes a colon.

the opensc cac driver sets the token name to the common name of the
first cert it finds. Thus my problem.

So, my question is, is there any sort of solution for me.... It appears
that that I can't ask for a different common name naming convention.

I wouldn't think this is a bug in the opensc cac code, as the common
name for a token name seems reasonable.....

I understand that this is a working/well established api, and that
there is appears to be some developer standard, however, this is seems
to me like this is a set of tokens that are not going to work, unless a
workaround is cerated...

I have been able to get my certs to be recognized by either a) altering
the opensc cac code to strip the colon from the token name it returns,
OR by altering find_certs_from_nickname so that it splits token and
nickname by searching for the last colon, instead of the first.

however, I assume this would break any combination where the nickname
itself had a colon in it.... I am not familiar enough with all the use
cases. Is this a likely/or even unlikely scenario?

I would prefer not ot have to bake my own nsslib/opensc lib, so any
chance this is something worth trying to fix?

Thanks for you time

dev-tech-crypto mailing list
[hidden email]