PK11_DeleteTokenCertAndKey will not delete the cert if there is no matching private key, so it is also necessary to call SEC_DeletePermCertificate. Due to the lack of documentation of these NSS functions, this code sequence is not obvious.

JSS needs to do this in two places:

1. PK11Store.c: Java_org_mozilla_jss_pkcs11_PK11Store_deleteCert
2. JSSKeyStoreSpi.c: traverseTokenObjects

The code in the two places is slightly different. We should pick the better one and turn it into a deleteTokenCertAndKey function that the two places would call.
Assignee: nicolson → wchang0222