[EMAIL PROTECTED] wrote:

Thanks for your message.  It pointed out a number of bugs in NSS.
I'm going to file bug reports on each of them that I found.

> I'm trying to sign Firefox plugin with a certificate. Cert is located
> in .pfx file. I successfully created local db and added my cert into
> it. "certutil -L -d ." shows the following:
>      PvkTmp:99ace907-0a0c-4066-bd60-751431d09f92      u,u,u.

Two questions:
1) You are using signtool and certutil from some version of NSS.
What version of NSS are they from?

2) Do you have a crypto "module" or "token" or "smart card" configured?
And is its name "PvkTmp" ?
If you're not sure, then in the same directory where you did the above
command, do this other NSS command and send us the output:
    modutil -list -dbdir .
If you find the string "PvkTmp" in that output, then you do have a slot
or token by that name, otherwise you don't.

> When I try to sign my dir with
>      signtool -d . -k "PvkTmp:99ace907-0a0c-4066-bd60-751431d09f92 " 
That trailing space could be a problem..............................^

>          -p "passw" signed/ 

(nit: the trailing slash shouldn't be there.  That's not the cause of
your problem, but it does cause the double-slash you see in the output
below, and on some systems will be treated as an invalid path name.)

> I get the following:
>      using certificate directory: .
>     Generating signed//META-INF/manifest.mf file..
>     --> install.rdf
>     --> Plugins/NPSoda.dll
>     Generating zigbert.sf file..
>     signtool: the cert "PvkTmp:99ace907-0a0c-4066-bd60-751431d09f92"
> does not exist in the database: No more entries in the directory.

That "No more entries in the directory." string is the wrong error string
for the error you experienced.  The error you experienced had nothing
to do with names in a file system directory.

Also the error string "the cert <name> does not exist in the database"
is misleading because it makes you think that it only looked in NSS's
cert DB.  I'm sure that, in this case, it did NOT look in the cert DB
at all.

>     the tree signed/ was NOT SUCCESSFULLY SIGNED.
> But I can see this cert in db using certutil (and actually see this
> guid inside cert8.db file).
> The same thing happens when I try to inject my cert into Firefox
> built-in db. At the same time with manually generated fake cert I signed
> plugin with no problem.
> Thanks for any suggestions.

*Assuming that you do NOT have a PKCS#11 slot or token named "PvkTmp",*
then the problem is due to the presence of the colon (':') character
in the "nickname" (a.k.a., "friendly name"). There are two potential
workarounds for that issue.

1) Try re-creating the PKCS#12 file (.pfx) with a nickname that has no
colon character in it.  If you created the pfx file using MS Windows'
certificate export wizard, then you will need to go into Windows'
Certificate Manager and edit the "Friendly Name" of the certificate,
and then run the certificate export wizard again.  Then create a fresh
pair of NSS cert and key DBs, and import the new pfx file.

2) Prepend the name of NSS's built-in PKCS#11 software token to the
nickname of your cert, e.g. instead of
    -k "PvkTmp:99ace907-0a0c-4066-bd60-751431d09f92"
try
    -k "NSS Certificate DB:PvkTmp:99ace907-0a0c-4066-bd60-751431d09f92"

-- 
Nelson B

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
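The reply above hinges on how NSS reads a nickname that contains a colon: the text before the first colon is taken as a PKCS#11 token name, and only the remainder is looked up as a nickname inside that token, which is why "NSS Certificate DB:PvkTmp:99ace..." works while "PvkTmp:99ace..." fails. The shell functions below are an added example written for this page, not code from the thread or from NSS; they model that first-colon rule as described here (the behaviour of other NSS versions is not covered), and the modutil output they check against is constructed sample text for a plain NSS DB with only the built-in softoken, not a capture from the poster's system.

```shell
#!/bin/sh
# Added example (not from the original thread or NSS): predict how signtool's
# -k argument is split into token name and nickname, and whether the token
# part matches a token listed by "modutil -list -dbdir .".

# Constructed sample of "modutil -list -dbdir ." for a fresh NSS DB with no
# extra modules loaded.  Not captured from a real system.
SAMPLE_MODUTIL_OUTPUT='Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
-----------------------------------------------------------'

# Token part NSS would see: everything before the FIRST colon.
# Prints an empty line when the argument has no colon at all.
nss_token_part() {
    case "$1" in
        *:*) printf '%s\n' "${1%%:*}" ;;
        *)   printf '\n' ;;
    esac
}

# Nickname part NSS would look up inside that token: everything after the
# FIRST colon (later colons stay in the nickname), or the whole string.
nss_nick_part() {
    case "$1" in
        *:*) printf '%s\n' "${1#*:}" ;;
        *)   printf '%s\n' "$1" ;;
    esac
}

# Succeed when a line "token: <name>" appears in the modutil output.
# Leading whitespace is stripped first so the match is exact (-x) and
# literal (-F), so a token name with regex metacharacters is safe.
nss_token_exists() {
    printf '%s\n' "$2" | sed 's/^[[:space:]]*//' | grep -qxF "token: $1"
}

# Classify what "signtool -k NICK" will do against the listed tokens:
#   lookup-any : no colon, so every token is searched for NICK
#   lookup-in  : colon and the token exists, so it searches that token
#   no-token   : colon but no such token, the failure seen in the thread
nss_predict() {
    nick=$1
    out=$2
    tok=$(nss_token_part "$nick")
    if [ -z "$tok" ]; then
        echo "lookup-any"
    elif nss_token_exists "$tok" "$out"; then
        echo "lookup-in"
    else
        echo "no-token"
    fi
}

# Stand-alone run: show both forms from the thread side by side.
if [ "${NSS_PREDICT_DEMO:-1}" = 1 ]; then
    for n in "PvkTmp:99ace907-0a0c-4066-bd60-751431d09f92" \
             "NSS Certificate DB:PvkTmp:99ace907-0a0c-4066-bd60-751431d09f92"; do
        printf 'arg      : %s\n' "$n"
        printf 'token    : %s\n' "$(nss_token_part "$n")"
        printf 'nickname : %s\n' "$(nss_nick_part "$n")"
        printf 'result   : %s\n\n' "$(nss_predict "$n" "$SAMPLE_MODUTIL_OUTPUT")"
    done
fi
```

To check a real database, replace SAMPLE_MODUTIL_OUTPUT with `$(modutil -list -dbdir .)` run in the same directory as cert8.db; the nickname passed to nss_predict should be the exact string given to `-k`, so a stray trailing space like the one in the quoted command will show up as part of the nickname.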