Wan-Teh Chang wrote:
This bug seems to have been introduced in NSS 3.4. (The core of
the NSS certificate handling code was rewritten in NSS 3.4.) In
NSS 3.3.2, PK11_ImportCert has the following code:

    if(includeTrust && PK11_IsInternal(slot)) {
        attrs++;
        certUsage = (SECCertUsage*)PORT_Alloc(sizeof(SECCertUsage));
        if(!certUsage) {
            SECITEM_FreeItem(keyID,PR_TRUE);
            PORT_SetError(SEC_ERROR_NO_MEMORY);
            return rv;
        }
        *certUsage = certUsageUserCertImport;
        PK11_SETATTRS(attrs,CKA_NETSCAPE_TRUST, certUsage,
                      sizeof(SECCertUsage));
    } else {

I found that in the current version of NSS, CKA_NETSCAPE_TRUST
is not used:
http://lxr.mozilla.org/security/ident?i=CKA_NETSCAPE_TRUST
So perhaps the fix for this bug is to rename the "includeTrust"
argument of PK11_ImportCert and PK11_ImportDERCert and the
"addCertUsage" argument of PK11_ImportCertForKeyToSlot to
"ignored" or "reserved". Bob Relyea is the best person to answer
this question.

David, I suggest that you pass includeTrust=PR_FALSE to
PK11_ImportCert.

Wan-Teh