On Sun, 2006-04-09 at 22:08 -0700, Nelson B wrote: > These other functions > do not, as a rule, require that the user cert have a chain that verifiably > was issued by a locally trusted root. Verifying that the chain leads to > a locally trusted root is a function for a relying party, not for a signer.
The call chain looks something like nsCrypto::SignText -> SEC_PKCS7CreateSignedData -> sec_pkcs7_add_signer -> CERT_VerifyCert. Is that last call then a bug in all cases? (Presuming of course that _add_signer is only called in signing operations) > (d) A local "user" cert that is not obviously unsuitable on its face (e.g. > not expired, not bearing extended key usage extension that prohibits use > for signing, etc.) Is there an existing function I should mention in the bug report that does all the above as an alternative to VerifyCert? > Odd that crypto.signtext should check for an email cert when it is not > performing email signing or encryption. nsCrypto::SignText explicitly does a CERT_FindUserCertsByUsage(certUsageEmailSigner); is there a better usage bit to use? m. _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
