2009/9/10 Sam Laidler <sam.laid...@the-logic-group.com>

> I’d like to make a variety of connections within the same application – one
> acting as server the other as client. I would like to be able to use one list
> of trusted CA certificates for one connection, but a different list for the
> other. Having read the documentation, I’m not sure how (or if) I can do this.

I have a different answer from Bob Relyea's. I believe the new NSS 3.12
function CERT_PKIXVerifyCert allows you to do that. It allows you to specify
the list of trusted root CA certs:

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/certdb/certt.h&rev=1.52&mark=942-949#942

It is a little intimidating to set up the inputs and outputs for
CERT_PKIXVerifyCert, but you can use the Mozilla and Chromium source code as
examples:

http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/nsIdentityChecking.cpp#963
http://src.chromium.org/viewvc/chrome/branches/202/src/net/base/x509_certificate_nss.cc?view=markup

Note that Mozilla uses CERT_PKIXVerifyCert for verifying extended validation
(EV) certificates only, so it specifies strict revocation checking flags.
Chromium's flags may be more appropriate for your purpose.

> I then looked at the API. The closest command I could find to what I need was
> SSL_AuthCertificate(), but it only accepts the certificate database handle,
> it does not allow you to select a subset of CA certificates you want to use
> in authentication.

You should not use SSL_AuthCertificate. Instead, write your own version of
SSL_AuthCertificate, replacing the CERT_VerifyCertNow call by a
CERT_PKIXVerifyCert call.

Wan-Teh

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto