Perhaps Nelson, Kai or one of the other NSS people knows how to extract 
the trust bits which were set for NSS. However if you only need the CA 
certificates - similar to a ca-bundle - then you should be OK already 
with what you have.

-- 
Regards
 
Signer:      Eddy Nigg, StartCom Ltd.
Jabber:      [EMAIL PROTECTED]
Phone:       +1.213.341.0390

samrat saha wrote:
> Thanks!
> But is there any way around to extract the trust flags? Due to the 
> library size limitation, I cannot keep the library
> in the database directory, but I need to have the complete CA 
> certificate in the database.
>
>
> Thanks In Advance,
> Samrat
>
> On 6/28/07, *Eddy Nigg (StartCom Ltd.)* < [EMAIL PROTECTED] 
> <mailto:[EMAIL PROTECTED]>> wrote:
>
>     The trust flags are for internal usage of the NSS store and not
>     really part of the CA certificates. You might find however the
>     associated x.509 key usage and x.509 extension in the certificate.
>     Judging from your code snippet below, you extract the x.509
>     certificates, which don't have those trust flags.
>
>
>     samrat saha wrote:
>>     Dear All,
>>
>>     I was trying to create the CA store using the built-in CA certificates in
>>     the libnssckbi library.
>>     I was extracting the certificates from the module using the following code
>>     snippet.
>>
>>     cert_list = PK11_ListCertsInSlot(slot);
>>
>>     /* Write the DER encoding of every certificate in the slot as PEM. */
>>     for (cert_node = CERT_LIST_HEAD(cert_list);
>>          !CERT_LIST_END(cert_node, cert_list);
>>          cert_node = CERT_LIST_NEXT(cert_node)) {
>>
>>         cert_b64 = BTOA_DataToAscii(cert_node->cert->derCert.data,
>>                                     cert_node->cert->derCert.len);
>>         if (cert_b64 == NULL)
>>             continue;   /* base64 encoding failed; skip this certificate */
>>
>>         fprintf(fp, "-----BEGIN CERTIFICATE-----\n");
>>         fprintf(fp, "%s\n", cert_b64);
>>         /* The PEM footer takes five dashes on each side. */
>>         fprintf(fp, "-----END CERTIFICATE-----\n");
>>
>>         PORT_Free(cert_b64);
>>     }
>>
>>     I was using that backup file to restore the certificate to the database.
>>
>>     While viewing the certificate with
>>
>>     certutil -N -d .
>>
>>     There were no trust flags associated with the certificates. Although if I
>>     copy the libnssckbi.so to the directory, the flags are coming properly.
>>
>>     I thought certificate flags are stored in the database. Then why is it
>>     required to have the libnssckbi.so library in the certificate database?
>>
>
>

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
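
As the reply above explains, the DER certificate written by the loop carries no trust flags, so a backup has to record them separately. The sketch below is an added example, not code from the thread or from NSS: it renders a trust record as the `ssl,email,objsign` string that certutil displays, for writing next to each PEM block. `TrustRecord`, `trust_to_string`, `write_trust_line` and the sidecar line format are hypothetical; the flag values are copied from NSS's `certdb.h` as an assumption, and in real code the three fields would come from `CERT_GetCertTrust()`.

```c
#include <stdio.h>
#include <string.h>

/* Flag bits copied from NSS certdb.h so this builds without NSS headers
 * (assumption: check them against your NSS version, or include the header). */
#define CERTDB_TERMINAL_RECORD   (1u << 0)  /* "p" valid peer */
#define CERTDB_TRUSTED           (1u << 1)  /* "P" trusted peer */
#define CERTDB_SEND_WARN         (1u << 2)  /* "w" warn before use */
#define CERTDB_VALID_CA          (1u << 3)  /* "c" valid CA */
#define CERTDB_TRUSTED_CA        (1u << 4)  /* "C" trusted to issue server certs */
#define CERTDB_USER              (1u << 6)  /* "u" private key is present */
#define CERTDB_TRUSTED_CLIENT_CA (1u << 7)  /* "T" trusted to issue client certs */

/* Hypothetical stand-in for CERTCertTrust, which CERT_GetCertTrust() fills in. */
typedef struct {
    unsigned int sslFlags, emailFlags, objectSigningFlags;
} TrustRecord;

/* Append the letters for one usage, in the order certutil prints them. */
static void append_flags(char *out, unsigned int f)
{
    if ((f & CERTDB_VALID_CA) &&
        !(f & (CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA))) strcat(out, "c");
    if ((f & CERTDB_TERMINAL_RECORD) && !(f & CERTDB_TRUSTED)) strcat(out, "p");
    if (f & CERTDB_TRUSTED_CA)        strcat(out, "C");
    if (f & CERTDB_TRUSTED_CLIENT_CA) strcat(out, "T");
    if (f & CERTDB_TRUSTED)           strcat(out, "P");
    if (f & CERTDB_USER)              strcat(out, "u");
    if (f & CERTDB_SEND_WARN)         strcat(out, "w");
}

/* Render "ssl,email,objsign"; buf must hold at least 24 bytes. */
const char *trust_to_string(const TrustRecord *t, char *buf)
{
    buf[0] = '\0';
    append_flags(buf, t->sslFlags);
    strcat(buf, ",");
    append_flags(buf, t->emailFlags);
    strcat(buf, ",");
    append_flags(buf, t->objectSigningFlags);
    return buf;
}

/* Write the sidecar line that accompanies one PEM block in the backup file. */
int write_trust_line(FILE *fp, const char *nickname, const TrustRecord *t)
{
    char buf[24];
    return fprintf(fp, "# trust=%s nickname=%s\n", trust_to_string(t, buf), nickname);
}
```

On restore, pass the recorded string to `certutil -A -d . -n <nickname> -t <trust> -a -i <file>` for each certificate.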
