Mikolaj Habryn wrote:
On Sun, 2006-04-09 at 22:08 -0700, Nelson B wrote:
(d) A local "user" cert that is not obviously unsuitable on its face (e.g.
not expired, not bearing extended key usage extension that prohibits use
for signing, etc.)
Is there an existing function I should mention in the bug report that
does all the above as an alternative to VerifyCert?
I think there's none, but I'll let Nelson give a definitive answer.
I also feel a key owner should be able to do whatever he wants with his
own key, so that :
- deep inside SEC_PKCS7CreateSignedData is not the right place for this
check ( instead in most case do that check externally first).
- no check at all can be appropriate. Of course, I understand many can
disagree on that and think instead that NSS should protect against what
will be an error in 99% of the cases. But I think there should be a
method to avoid the check or to sign despite it if you really want.
Odd that crypto.signtext should check for an email cert when it is not
performing email signing or encryption.
nsCrypto::SignText explicitly does a
CERT_FindUserCertsByUsage(certUsageEmailSigner); is there a better usage
bit to use?
There's no better usage bit to use, I know this the hard way :-)
IMO the impact on NSS of changing that would not be a minor and fast
change, but it's certainly worth raising it as a separate bug.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
