I'm in the process of porting over certificate path building code from
using Sun's API to using JSS as we are gradually migrating all of our
crypto over to JSS/NSS. I'm running some testing with
CryptoManager.buildCertificateChain(X509Certificate leaf).
If I grab a cert out of the db and pass it, everything is fine. If I
want to chain a CA (either subCA with root in the DB or root) everything
is fine. The CAs probably work fine as they get imported first due to
the conversion problem. If I have a byte[] containing a certificate and
would like to build a chain to see if it is in my hierarchy I need to
get that certificate into an instance of the interface
org.mozilla.jss.crypto.X509Certificate to pass to buildCertificateChain.
The problem is, you can't seem to instantiate one of these in any way
if you are holding some bytes. I can ASN1 decode the bytes into a
org.mozilla.jss.pkix.cert.Certificate but that doesn't help. According
to the JSS FAQ
(http://www.mozilla.org/projects/security/pki/jss/faq.html#convertPkix)
I can call Cryptomanager.importCertPackage() and pass the DER encoded
certificate/PKCS7 bytes and it will return the leaf cert. The problem
is the only way it will work and return the leaf cert is if it has a
matching key in the token. The javadoc implies this and looking at the
code for the native import function in
http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/PK11Finder.c,
the comments all say that's the intended behavior.
If I would like to build a chain to an SSL server's certificate, for
example, I can't as I would never have its key. I know the NSS db can
hold arbitrary non-CA certs (in Firefox, for ssl exceptions and in
thunderbird for another user's email cert). Is there any way to get
around this limitation in building chains using JSS? It seems odd that
I can't just present a random certificate to JSS and have it build the
chain if it's in a hierarchy I know/trust or throw an exception if it's not.
Another side-effect I'm not too fond of is if I'm in a situation where
the import-conversion is useful and works, I end up with the cert I've
imported in my permanent certDB. It's not a deal-breaker, but I'd
prefer in this case that it's just a temporary compare and the next time
I'd run the application it wouldn't be there.
Thanks,
Dave
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
