> I created a self-signed certificate and put it into my ~/.ca database.
> I used signtool -G to create it, so I have a private key and
> x509.cacert. This is the output with certutil -L
> testcert                                                     u,u,Cu
>
> I load the x509.cacert into my ~/.xulapp database. According to the
> docs, it is now an object-signing CA, so I cannot sign objects using
> this cert.

Actually, a cert generated with signtool -G can be used as both a CA and
an end-entity cert. If you look at its extensions (with "certutil -L -d
path/to/dir -n testcert"), you will find this one here:

            Name: Certificate Type
            Critical: True
            Data: <Object Signing,ObjectSigning CA>

(Note that it has both "ObjectSigning CA" and "Object Signing". To be
precise, using the netscape-cert-type extension is actually deprecated,
but that's what signtool -G does, and it shouldn't be a problem for your
test setup.)

> Now I need a private key from ~/.xulapp to sign my object. To the best
> of my knowledge, I create a certificate request and use ~/.ca to
> validate it. That is what I did. I then imported the file. This is the
> output with certutil -L
> Common Name - Organization                                   CT,C,C
> [EMAIL PROTECTED]                                                pu,pu,pu

How exactly did you create (and sign) the request for [EMAIL PROTECTED]? By
"validating", do you mean using "certutil -V"? If so, the problem might
be the correct certusage ("-u" switch) - you should actually specify
object signing, but it seems that certutil will only allow you to
specify these five here:

   -u certusage      Specify certificate usage:
                          C      SSL Client
                          V      SSL Server
                          S      Email signer
                          R      Email Recipient
                          O      OCSP status responder

> Which looks ok (I think), but when I try to sign a directory, I get
> the following (2zo52e9f.default/ would be my ~/.xulapp database) :
> bash-3.00$ signtool -d 2zo52e9f.default/ -k [EMAIL PROTECTED] -p test foo
> using certificate directory: 2zo52e9f.default/
> Generating foo/META-INF/manifest.mf file..
> --> bar
> Generating zigbert.sf file..
> signtool: PROBLEM signing data (Certificate not approved for this
> operation)

What does "certutil -L -d 2zo52e9f.default -n [EMAIL PROTECTED]" give as
output? If the certificate doesn't include an appropriate
netscape-cert-type or extended key usage extension (which permits object
signing), then you can't use it to sign code.

Kaspar
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
