David Stutzman wrote:
> David Stutzman wrote:
>
>> I use certutil -L -d dbdir -h all to show all of certificates in the db
>> as well as the roots module and I have "p,p,p" for all the user certs as
>> well as the intermediate CAs and "C,C,p" for the Root CAs. Does anyone
>> know why addbuiltin is appearing to ignore any trust flag except "C"?
>
> I looked over the code for addbuiltin and found that it basically
> ignored the little c trust flag that I was passing in to the command. I
> edited the source for that command and rebuilt NSS then I rebuilt my
> libnssckbi.so using the modified addbuiltin and it put the proper trust
> flags into the certdata.txt for me. Now all of my root CAs have "C,C,C"
> and my intermediate CAs have "c,c,c".
>
> Is there any reason why addbuiltin doesn't support all the trust flags
> that the documentation for it lists other than the fact that the nssckbi
> is used primarily for root certificates?
>
> Created bug #348882 with a diff to the change I made to addbuiltin which
> consists solely of an additional if block.

Thanks for the bug and the patch, Dave!

The extra "p" (trusted Peer) trust flags are annoying, but harmless. The nssckbi file was never intended to contain peers, so it is especially odd that it returns trusted peer flags.

The missing "c" (valid CA) trust flags are more mysterious. One *would* expect the nssckbi file to supply those, so it's odd that they're missing.

But neither of these flags, whether missing when desired or present when unwanted, should cause the error you were experiencing, -8179. I suggest you go back to using the cert DB until you solve the mystery of the unknown issuer.

--
Nelson B
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto