find_certs_from_nickname problem with colons in nickname

Bill McGrory

Feb 23, 2021, 12:20:01 PM
I have an issue using an IdenTrust ECA hardware token. I can successfully use this token using the IdenTrust-provided driver on Windows. However, on Linux, I must use the OpenSC module.

The OpenSC module identifies this card (an HID Activekey SIM) as a CAC card. The CAC card sets the token label used for the nickname from the CN of the first cert found on the card. The CN associated with this token has a colon ":" in it. This is a commercial token, so I don't have control of the CN used in these certs, so I can't simply change them. Assuming colons are allowed in CNs, I don't think I have much leverage to get the provider to change that for me.

When I try to select certs for Thunderbird or Evolution, it uses the NSS library routine find_certs_from_nickname. The nickname has two colons in it, and the routine tries to parse the nickname from the first : it finds

if ((delimit = PORT_Strchr(nickCopy, ':')) != NULL) {

However, this doesn't correctly parse, since the common name includes a colon.

I was able to get the mailers to select the proper cert if I changed the call to a PORT_Strrchr call, to search from the end of the string.

However, I am not certain if a) this is the proper way to correct this bug, or b) if there are more places where this assumption is made, and thus I need to be more thorough.
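Added example, not part of the original post and not NSS code: a stand-alone C sketch of splitting a "token:nickname" string at the first versus the last colon, using plain strchr/strrchr in place of the PORT_ wrappers. The sample string, the function names and the known-label matcher are assumptions made for illustration; the matcher goes beyond the post to show one way of resolving the split when either half may contain a colon.

```c
#include <stdio.h>
#include <string.h>

/* Split "token:nickname" at the first or last ':'; returns 0, or -1 on error. */
int split_at_colon(const char *full, int use_last,
                   char *token, size_t tlen, char *nick, size_t nlen)
{
    const char *sep = use_last ? strrchr(full, ':') : strchr(full, ':');
    if (sep == NULL)
        return -1;
    size_t tl = (size_t)(sep - full);
    if (tl >= tlen || strlen(sep + 1) >= nlen)
        return -1;                      /* output buffer too small */
    memcpy(token, full, tl);
    token[tl] = '\0';
    strcpy(nick, sep + 1);
    return 0;
}

/* Hypothetical alternative: choose the longest known token label that is
 * a prefix of the string and is followed by ':'. Returns its index or -1. */
int match_known_token(const char *full, const char *const *labels, size_t n)
{
    int best = -1;
    size_t best_len = 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(labels[i]);
        if (strncmp(full, labels[i], len) == 0 && full[len] == ':' &&
            (best < 0 || len > best_len)) {
            best = (int)i;
            best_len = len;
        }
    }
    return best;
}

int main(void)
{
    /* Constructed sample: the token label itself contains a colon. */
    const char *full = "EXAMPLE USER:A0000001:Constructed Cert";
    const char *labels[] = { "EXAMPLE USER", "EXAMPLE USER:A0000001" };
    char tok[64], nick[64];
    split_at_colon(full, 0, tok, sizeof tok, nick, sizeof nick);
    printf("first colon: token=[%s] nick=[%s]\n", tok, nick);
    split_at_colon(full, 1, tok, sizeof tok, nick, sizeof nick);
    printf("last colon:  token=[%s] nick=[%s]\n", tok, nick);
    printf("known label: %s\n", labels[match_known_token(full, labels, 2)]);
    return 0;
}
```

Splitting at the last colon recovers the token label here, but it would split in the wrong place for a certificate nickname that itself contains a colon, which is why the matcher compares against labels that are already known.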