On 22.03.11 12:23, Sergei Evdokimov <silent...@gmail.com> wrote:
> I think being able to support encryption or having an option that enables or disables verification of email addresses in certificates would make sense.
Here is a hint for you. At the lowest level, NSS doesn't track [email]->[certificate] relations; there is no room for this in the CertDB. But NSS tracks the [email]->[smime caps] relation in the 'smime profile' CertDB records. By chance, these records contain the 'subject' of the certificate used to sign the 'smime caps'. Further, you can use this subject to look up the certificate in question. At the PKCS#11 level it is CKO_NSS_SMIME/CKA_SUBJECT.

But I doubt you could change the upper levels of NSS w/o significant changes in design. IMO, the CMS level of NSS is built around the idea that 'crypto participants' are represented just by their certificates. Emails are retrieved from certificates, and not vice versa. Look at the key procedure for email encryption: NSS_SMIMEUtil_FindBulkAlgForRecipients. It gets a list of recipient certificates, and they must contain emails. There is a lot of code in the NSS CMS that looks like:

    CERTCertificate *cert = ...;
    if (cert == NULL || cert->emailAddr == NULL || !cert->emailAddr[0])
        return SECFailure;

Keep well,
Konstantin

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
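The two-hop lookup Konstantin describes ([email] -> smime profile record -> subject -> certificate) and the emailAddr guard he quotes from the CMS code, as an added self-contained model in C. This is illustration code written for this thread, not NSS source: the ModelCert and ModelSmimeProfile types, the sample records and the function names are all constructed assumptions standing in for NSS's CertDB and PKCS#11 objects, and the example deliberately includes the failure cases a caller has to handle (unknown email, profile record whose signing certificate is no longer in the DB, certificate with no email address).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the two CertDB record kinds named in the post.
 * Assumption: NSS's real structures differ; these are illustration only. */
typedef struct {
    const char *subject;     /* certificate subject DN */
    const char *email_addr;  /* NULL or "" models a certificate without an email */
} ModelCert;

typedef struct {
    const char *email;       /* email the S/MIME capabilities were recorded for */
    const char *subject;     /* subject of the cert that signed them (CKA_SUBJECT) */
} ModelSmimeProfile;

/* Constructed sample records: a CertDB with three certificates and three
 * 'smime profile' entries, including one stale entry and one email-less cert. */
static const ModelCert CERTS[] = {
    { "CN=Alice,O=Example",   "alice@example.test" },
    { "CN=Bob,O=Example",     "bob@example.test"   },
    { "CN=Gateway,O=Example", NULL },                 /* no email in the cert */
};

static const ModelSmimeProfile PROFILES[] = {
    { "alice@example.test",   "CN=Alice,O=Example"   },
    { "gateway@example.test", "CN=Gateway,O=Example" },
    { "stale@example.test",   "CN=Removed,O=Example" }, /* cert no longer in DB */
};

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Hop 1: [email] -> smime profile record -> subject of the signing certificate.
 * Returns NULL when no profile was ever recorded for this email. */
const char *find_smime_profile_subject(const char *email)
{
    size_t i;
    if (email == NULL)
        return NULL;
    for (i = 0; i < COUNT(PROFILES); i++)
        if (strcmp(PROFILES[i].email, email) == 0)
            return PROFILES[i].subject;
    return NULL;
}

/* Hop 2: [subject] -> certificate, the relation the CertDB does index. */
const ModelCert *find_cert_by_subject(const char *subject)
{
    size_t i;
    if (subject == NULL)
        return NULL;
    for (i = 0; i < COUNT(CERTS); i++)
        if (strcmp(CERTS[i].subject, subject) == 0)
            return &CERTS[i];
    return NULL;
}

/* Combined lookup. Either hop may fail, and a stale profile record (subject
 * present, certificate gone) must not be treated as a hit. */
const ModelCert *find_cert_by_email(const char *email)
{
    const char *subject = find_smime_profile_subject(email);
    return subject ? find_cert_by_subject(subject) : NULL;
}

/* The guard pattern quoted from the NSS CMS code: a recipient certificate
 * that carries no email address is rejected. Returns 1 if usable, 0 if not. */
int recipient_has_email(const ModelCert *cert)
{
    return cert != NULL && cert->email_addr != NULL && cert->email_addr[0] != '\0';
}

int main(void)
{
    const char *queries[] = { "alice@example.test", "gateway@example.test",
                              "stale@example.test", "nobody@example.test" };
    size_t i;
    for (i = 0; i < COUNT(queries); i++) {
        const ModelCert *c = find_cert_by_email(queries[i]);
        printf("%-22s -> %-24s usable as recipient: %s\n", queries[i],
               c ? c->subject : "(no certificate)",
               recipient_has_email(c) ? "yes" : "no");
    }
    return 0;
}
```

The point the model makes concrete is that the email-keyed index lives only in the profile records, so a certificate can be reachable from an email even though the certificate itself carries no email, and the CMS-level guard then rejects it; a caller that wants email-keyed encryption has to decide which of those two answers it trusts.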