[RFE] Certificate selection with identical nicknames

[nicholasbishop]

I'm in the unfortunate position of having a token with two certificates that share the same nickname. Is there an existing way to disambiguate which certificate I want to use when invoking pesign? If not, I'd be interested in contributing some code to do that (perhaps by specifying the fingerprint?), but I'm not well-versed in NSS so I'd need some pointers.

For now I have a hack that seems to work:

diff --git a/src/cms_common.c b/src/cms_common.c
index 2df2cfe..e296886 100644
--- a/src/cms_common.c
+++ b/src/cms_common.c
@@ -291,6 +291,13 @@ is_valid_cert(CERTCertificate *cert, void *data)
 	PK11SlotInfo *slot = cbdata->psle->slot;
 	void *pwdata = cbdata->pwdata;
 
+	static int first = 1;
+	if (first) {
+	  first = 0;
+	} else {
+	  return SECFailure;
+	}
+
 	SECKEYPrivateKey *privkey = NULL;
 	privkey = PK11_FindPrivateKeyFromCert(slot, cert, pwdata);
 	if (privkey != NULL) {

[vathpela]

I'd certainly review a patch for that. Perhaps just adding a counter and a target # to the callback data, count != target, count++ and return failure?