On 12/9/2010 2:29 PM, Wan-Teh Chang wrote:
> I would go with adding an importNonUserCertPackage method,
> or add a new method that exposes both the boolean noUser
> and boolean leafIsCA parameters of the native method
> importCertPackageNative.

I got around to testing the second method. I exposed the 2 boolean
parameters of importCertPackageNative in a new java method.
So now I'm calling
CryptoManager.importCertPackage(certBytes, nick, true, false).
It imports my cert (which is a leaf cert and none of the CAs in its
chain are in the DB already) but marks it as a valid CA (little c trust
bits).
It seems "the way I want it to work" and "the way it works" fall out of
step starting here:
http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/PK11Finder.c#931
- where on line 934 noUser is false so slot = NULL
- 939 slot is NULL so enter the if block
- 940 !noUser //(!true) = false so it doesn't throw the exception and
continues to 991
- 991 if( numCerts-userCertFound>= 1 ) //(1 - 0 >=1)
right above here is where there's the comment "Now add the rest of the
certs (which should all be CAs)" but that's not true in this case.
The current implementation only seems to "understand" 2 types of certs:
- user certs where keys are already on the token
- CA certs
Suggestions on what path to take moving forward?
Dave
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
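
A post-import check for the symptom described in this message, as an added example that is not part of the original e-mail or of JSS: it looks the certificate up by nickname, reads basicConstraints with the JDK parser, and reports (or, with a third argument `fix`, clears) CA trust bits on a certificate that is not a CA. The database directory and nickname arguments are placeholders, and treating a missing basicConstraints extension as "not a CA" is an assumption.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.CertificateFactory;
import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.crypto.InternalCertificate;

public class LeafTrustCheck {
    // Trust bits that mark a certificate as a CA in the NSS database
    // (VALID_CA is the "little c" flag mentioned in the message).
    static final int CA_BITS = InternalCertificate.VALID_CA
            | InternalCertificate.TRUSTED_CA
            | InternalCertificate.TRUSTED_CLIENT_CA;

    // Drop the CA bits unless the certificate itself asserts CA status.
    static int expectedTrust(int trust, boolean certIsCa) {
        return certIsCa ? trust : (trust & ~CA_BITS);
    }

    public static void main(String[] args) throws Exception {
        String dbDir = args[0];  // NSS database directory (placeholder)
        String nick = args[1];   // nickname used for the import (placeholder)
        boolean fix = args.length > 2 && args[2].equals("fix");

        CryptoManager.initialize(dbDir);
        org.mozilla.jss.crypto.X509Certificate jssCert =
                CryptoManager.getInstance().findCertByNickname(nick);

        // Re-parse with the JDK: getBasicConstraints() returns -1 when the
        // certificate is not a CA. Assumption: a certificate without the
        // extension (e.g. an old v1 root) is treated as a non-CA here.
        java.security.cert.X509Certificate x509 = (java.security.cert.X509Certificate)
                CertificateFactory.getInstance("X.509").generateCertificate(
                        new ByteArrayInputStream(jssCert.getEncoded()));
        boolean certIsCa = x509.getBasicConstraints() >= 0;

        if (!(jssCert instanceof InternalCertificate)) {
            System.out.println(nick + ": no trust record in the internal database");
            return;
        }
        InternalCertificate ic = (InternalCertificate) jssCert;
        int ssl = ic.getSSLTrust(), mail = ic.getEmailTrust(), sign = ic.getObjectSigningTrust();
        boolean stray = expectedTrust(ssl, certIsCa) != ssl
                || expectedTrust(mail, certIsCa) != mail
                || expectedTrust(sign, certIsCa) != sign;
        System.out.println(nick + ": isCA=" + certIsCa + " strayCaTrust=" + stray);
        if (stray && fix) {  // only modify the database when asked to
            ic.setSSLTrust(expectedTrust(ssl, certIsCa));
            ic.setEmailTrust(expectedTrust(mail, certIsCa));
            ic.setObjectSigningTrust(expectedTrust(sign, certIsCa));
        }
    }
}
```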