Nelson B wrote:
Thanks for the bug and the patch, Dave!

The extra "p" (trusted Peer) trust flags are annoying, but harmless.
The nssckbi file was never intended to contain peers, so it is especially
odd that it returns trusted peer flags.

p is just valid peer, P is trusted peer. The current addbuiltin falls through the if blocks in the getTrustString method and defaults to CKT_NETSCAPE_VALID which is what ends up being a little p when you check the module with certutil.

The missing "c" (valid CA) trust flags are more mysterious.  One *would*
expect the nssckbi file to supply those, so it's odd that they're missing.

But neither of these flags, whether missing when desired or present when
unwanted, should cause the error you were experiencing, -8179.

The missing c (or C) is exactly what was causing the problem. I had originally added all my CAs using "C,C,C" but then I realized it probably wasn't checking the whole chain because the verify algorithm short circuits if it gets an explicitly trusted cert. I traced the -8179 error to a spot in the code where it calls a function named something like FindIssuer and that function returned NULL basically when it SHOULD have found the intermediate CA that *was* in the built-ins module. I imagine that it ignored the intermediate CA certificate because when it was looking through its big list of certificate candidates it didn't find one that had either c (valid CA) or C (trusted CA), it only found certificates marked as peers so it ignored them and hence "unknown issuer". That's just my take on the issue from rifling through the code.

I suggest you go back to using the cert DB until you solve the mystery
of the unknown issuer.

Everything with my application is working perfectly now that I have my intermediate CAs marked with "c,c,c". This makes it a lot easier to have the multiple key/cert DBs point to a single libnssckbi.

Dave
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
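To make the trust-flag discussion above concrete, here is an added example (not NSS code and not from anyone on the thread) that models how certutil-style trust strings map onto CKT_* values and why an issuer present in the builtins module only as a peer is skipped during chain building. The CKT_NETSCAPE_* names are the older NSS constant names; the letter-to-value mapping, the slot order and the `find_issuer` lookup are this example's simplification, not NSS's actual implementation.

```python
# Added example, not NSS code: a model of certutil trust strings ("c,c,c",
# "C,C,C", "p,p,p") mapped onto CKT_* values, and of an issuer lookup that only
# accepts CA-flagged candidates. Mapping and lookup are simplified assumptions.

# One slot per usage, in certutil order: SSL, email, object signing.
USAGES = ("ssl", "email", "objsign")
CA_VALUES = {"CKT_NETSCAPE_TRUSTED_DELEGATOR", "CKT_NETSCAPE_VALID_DELEGATOR"}


def slot_to_ckt(letters: str) -> str:
    """Map one slot's trust letters to a CKT_* value, strongest flag first.
    C = trusted CA, c = valid CA, P = trusted peer, p = valid peer."""
    if "C" in letters:
        return "CKT_NETSCAPE_TRUSTED_DELEGATOR"
    if "c" in letters:
        return "CKT_NETSCAPE_VALID_DELEGATOR"
    if "P" in letters:
        return "CKT_NETSCAPE_TRUSTED"
    if "p" in letters:
        return "CKT_NETSCAPE_VALID"
    return "CKT_NETSCAPE_TRUST_UNKNOWN"


def parse_trust_string(trust: str) -> dict:
    """Split 'c,c,c' into per-usage CKT_* values; absent slots are untrusted."""
    slots = (trust.split(",") + ["", "", ""])[:3]
    return dict(zip(USAGES, (slot_to_ckt(s) for s in slots)))


def is_ca_candidate(cert: dict, usage: str = "ssl") -> bool:
    """A candidate may issue for a usage only if its flag says CA, not peer."""
    return parse_trust_string(cert["trust"])[usage] in CA_VALUES


def find_issuer(issuer_name: str, builtins: list, usage: str = "ssl"):
    """Return the first built-in cert naming the issuer that may act as a CA.
    A peer-only entry with the right subject is ignored, which surfaces to
    the caller as an unknown issuer (the -8179 in the thread)."""
    for cert in builtins:
        if cert["subject"] == issuer_name and is_ca_candidate(cert, usage):
            return cert
    return None


# Constructed sample module contents: the same intermediate loaded two ways.
INTERMEDIATE_AS_PEER = [{"subject": "Example Intermediate CA", "trust": "p,p,p"}]
INTERMEDIATE_AS_CA = [{"subject": "Example Intermediate CA", "trust": "c,c,c"}]
```

Running `find_issuer("Example Intermediate CA", INTERMEDIATE_AS_PEER)` returns `None` while the `c,c,c` entry is found, which is the behaviour the thread attributes to the missing valid-CA flag.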
