I added some certificates to the libnssckbi.so built-ins module that
aren't CA certificates. I found I can grab them in the code by
prefixing their nickname with "Builtin Object Token:" when I call
PK11_FindCertFromNickname.
Sometimes, when I pass the certificate in to CERT_VerifyCertificate, I
get error -8179, which is SEC_ERROR_UNKNOWN_ISSUER and has the
description "Peer's certificate issuer is not recognized", for some of
the certificates.
I was thinking maybe it wasn't working because I am passing the function
"CERT_GetDefaultCertDB()" as the first parameter of
CERT_VerifyCertificate, which expects a CERTCertDBHandle, and the
"default" certdb doesn't look at the roots module; but it works in some
cases and not in others.
I am testing with a mix of RSA and DSA certificates issued from a
3-level hierarchy (root, intermediate, end-entity) of our CAs, and then I
have some RSA certificates from another hierarchy not under our control.
Also, in the built-ins module, all of the root CAs are marked as trusted
("C,C,C") and all of the intermediate CAs were marked with no trust when I
imported them (",,"). So basically the full chain from the cert I'm
asking to verify up to the root should be accessible in the built-ins
module. There doesn't seem to be any pattern to the ones that
successfully verify versus the ones that don't, but the ones that don't
always don't; it's always repeatable.
Should I just be using a normal key/cert db or should what I'm doing work?
Dave
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto