[RFE] Certificate selection with identical nicknames #45

Description

@nicholasbishop

I'm in the unfortunate position of having a token with two certificates that share the same nickname. Is there an existing way to disambiguate which certificate I want to use when invoking pesign? If not, I'd be interested in contributing some code to do that (perhaps by specifying the fingerprint?), but I'm not well-versed in NSS so I'd need some pointers.

For now I have a hack that seems to work:

diff --git a/src/cms_common.c b/src/cms_common.c
index 2df2cfe..e296886 100644
--- a/src/cms_common.c
+++ b/src/cms_common.c
@@ -291,6 +291,13 @@ is_valid_cert(CERTCertificate *cert, void *data)
 	PK11SlotInfo *slot = cbdata->psle->slot;
 	void *pwdata = cbdata->pwdata;
 
+	static int first = 1;
+	if (first) {
+	  first = 0;
+	} else {
+	  return SECFailure;
+	}
+
 	SECKEYPrivateKey *privkey = NULL;
 	privkey = PK11_FindPrivateKeyFromCert(slot, cert, pwdata);
 	if (privkey != NULL) {
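
Review bot: The `static int first` guard at the top of `is_valid_cert` returns `SECFailure` for every call after the first, before `PK11_FindPrivateKeyFromCert` is reached, so which certificate wins depends purely on enumeration order and not on any property of the certificate. If the first certificate visited has no private key on the slot, every later candidate is still rejected. Because the flag is function-static, it also never resets, so a second lookup in the same process would reject all certificates. A more robust change would pass the wanted fingerprint in through `cbdata` and return `SECFailure` only when the digest of `cert` does not match it. The added lines are also indented with spaces where the surrounding code uses tabs.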
