gstandefer wrote:

> I have a situation where I have created a keypair and a cert. I encrypt a CMS enveloped data with recip info using the public key. I am able to decrypt this data without any problem. I then re-create the certificate / keypair. Both private keys are now visible using CERTUTIL (they have the same "alias" which I had assumed meant little to NSS). I then try once more to decrypt using exactly the same code, but now it fails on NSS_CMSDecoder_Update() with a SEC_ERROR_BAD_DATABASE.

CMS enveloped data points to the certificate using the cert's Issuer and Serial number. If you created a second cert with the same issuer and serial number, but a different key, then things are likely to break.

> I had assumed, especially since the NSS db kept the old key around, that decryption would be no problem. I also assume NSS would be able to figure out which key to use. What am I missing?

Also since CMS points to the certificate, you still need your old certificate (as well as old key) to be able to decrypt the message. Without it NSS cannot determine which key to use.

bob

> Thanks,
> glenn
> _______________________________________________
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto