Hi,
I suppose you were talking about OSX on Intel/Mac.
I compiled nss 3.11.4 from cvs, output is attached.

/steffen

PS: The other mail I sent today can be safely ignored, picked the wrong
one out of the postponed messages queue..

On 071001 at 04:35, Nelson B wrote:
> https://bugzilla.mozilla.org/attachment.cgi?id=282788
> It's a plain ASCII text file, containing a PEM-encoded certificate.
> Let's say you download it into a file named /tmp/ECARootCA.pem
> (I don't know if Mac users use /tmp. If not, then please choose some
> other suitable temporary/junk directory.)
>
> Then run commands similar to these:
>
> pp -t certificate -a -i /tmp/ECARootCA.pem > /tmp/testoutput.txt
> mkdir /tmp/DB
> echo test > /tmp/DB/pw
> # if the following command has problems, try without the "-z /dev/urandom"
> certutil -d /tmp/DB -N -z /dev/urandom -f /tmp/DB/pw
> # note: the following uses NSS's atob command
> grep -v .--- /tmp/ECARootCA.pem | atob -o /tmp/ECARootCA.der
> vfychain -d /tmp/DB -u 11 -v /tmp/ECARootCA.der >> /tmp/testoutput.txt 2>&1
> vfychain -d /tmp/DB -u 10 -v /tmp/ECARootCA.der >> /tmp/testoutput.txt 2>&1
> vfychain -d /tmp/DB -u 1 -v /tmp/ECARootCA.der >> /tmp/testoutput.txt 2>&1
>
> and email the /tmp/testoutput.txt to me (after removing all the NO and SPAM
> from my email address), or post it to the list.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 14 (0xe)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=ECA Root CA,OU=ECA,O=U.S. Government,C=US"
        Validity:
            Not Before: Mon Jun 14 10:20:09 2004
            Not After : Thu Jun 14 10:20:09 2040
        Subject: "CN=ECA Root CA,OU=ECA,O=U.S. Government,C=US"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    ae:4a:f6:79:72:12:ea:80:0a:22:90:e4:3a:57:10:65:
                    d3:06:76:77:28:ca:00:84:21:4f:a4:b6:a6:37:a1:fe:
                    52:55:55:d4:ef:f8:ad:ee:42:75:11:4c:d1:e2:28:b6:
                    be:d8:50:b5:bc:30:f5:a0:27:a5:0c:5c:12:65:d9:93:
                    c7:84:ca:21:84:3f:2f:9c:09:03:25:94:16:3e:79:f3:
                    ad:2a:08:db:40:d0:d9:de:50:7d:d7:da:b3:50:9c:01:
                    97:60:4c:c6:c9:54:d5:7b:09:43:0f:52:2b:5d:25:3d:
                    b4:26:e1:ab:1a:f0:4f:1e:e7:34:d4:92:76:41:5a:71
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Authority Key Identifier
            Key ID:
                f6:b8:04:27:0e:56:16:d9:b9:63:d9:fd:a1:54:65:41:
                a0:08:48:2f

            Name: Certificate Subject Key ID
            Data:
                f6:b8:04:27:0e:56:16:d9:b9:63:d9:fd:a1:54:65:41:
                a0:08:48:2f

            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Certificate Signing
                    CRL Signing

            Name: Certificate Basic Constraints
            Critical: True
            Data: Is a CA with no maximum path length.

            Name: Certificate Policies
            Data:
                Policy Name: OID.2.16.840.1.101.3.2.1.12.1
                Policy Name: OID.2.16.840.1.101.3.2.1.12.2

    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Signature:
        1e:1d:04:41:8d:9c:67:6d:3d:68:16:f9:ab:4c:16:d4:
        44:74:75:ce:0e:1b:3b:0b:ca:a8:c7:7d:a4:38:4c:46:
        8c:99:4c:0b:00:94:6d:6b:f7:38:29:55:8b:8b:06:ce:
        0e:cb:e0:26:4f:82:69:69:92:2f:4d:e0:45:6f:dc:89:
        56:ff:a8:35:7b:aa:1f:4f:c9:dd:5c:3a:56:a7:65:30:
        27:3e:88:36:8b:cd:b2:2f:78:b6:7c:af:43:08:2f:38:
        ba:8c:44:41:b8:2a:2b:68:f1:f5:b2:23:15:3c:25:02:
        a2:13:93:d7:c6:02:6e:66:75:3f:38:20:4c:2a:d4:6c
    Fingerprint (MD5):
        96:F1:CB:9C:06:AB:B4:80:DA:42:DA:03:57:01:2D:9E
    Fingerprint (SHA1):
        3A:32:EF:7B:9A:B8:36:F8:37:18:1A:4C:EF:A3:55:C6:46:67:AC:BF

Chain is good!
Chain is bad, -8172 = Peer's certificate issuer has been marked as not trusted by the user.
PROBLEM WITH THE CERT CHAIN:
CERT 1. CN=ECA Root CA,OU=ECA,O=U.S. Government,C=US [Certificate Authority]:
  ERROR -8172: Peer's certificate issuer has been marked as not trusted by the user.
    CN=ECA Root CA,OU=ECA,O=U.S. Government,C=US
Chain is bad, -8102 = Certificate key usage inadequate for attempted operation.
PROBLEM WITH THE CERT CHAIN:
CERT 0. CN=ECA Root CA,OU=ECA,O=U.S. Government,C=US :
  ERROR -8102: Certificate key usage inadequate for attempted operation.
    CN=ECA Root CA,OU=ECA,O=U.S. Government,C=US