Hi,
I am testing NSS 3.9.12 with CKBI 1.82 on Windows. To verify that the
bogus certificates are recognized as such I run vfychain. The
certificates are exported from the Windows certificate store.

Having vfychain use CERT_VerifyCertificate gives me this output:

[../nss/wntmsci12.pro/bin]$ ./vfychain.exe -d db -p www-google.cer
Chain is bad!
PROBLEM WITH THE CERT CHAIN:
CERT 0. Builtin Object Token:Bogus Google :
ERROR -8171: Peer's certificate has been marked as not trusted by the user.
[../nss/wntmsci12.pro/bin]$

Same with all other bogus certificates.
Now using the CERT_PKIXVerifyCert function:

[../nss/wntmsci12.pro/bin]$ ./vfychain.exe -d db -pp -g leaf www-google.cer
Chain is good!
[../nss/wntmsci12.pro/bin]$

Letting NSS use CRL distribution points proves that the invocation of
vfychain is correct:

[../nss/wntmsci12.pro/bin]$ ./vfychain.exe -d db -pp -g leaf -m crl www-google.cer
Chain is bad!
PROBLEM WITH THE CERT CHAIN:
CERT 1. Builtin Object Token:UTN USERFirst Hardware Root CA [Certificate Authority]:
ERROR -8180: Peer's Certificate has been revoked.
[../nss/wntmsci12.pro/bin]$

Wireshark confirms that the CRL is being fetched via HTTP GET.

In both cases the nssckbi.dll is loaded from the db folder, as specified
by the -d switch. I confirmed this by using Process Monitor.
Have I overlooked something? Can someone confirm this?
Best Regards,
Joachim
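The check Joachim runs by hand above (classic CERT_VerifyCertificate via -p versus CERT_PKIXVerifyCert via -pp, for every exported certificate) can be scripted so that any certificate the classic path rejects but the PKIX path accepts is flagged. The script below is an added example, not part of the original post or of NSS; it assumes vfychain is on PATH (or named in the VFYCHAIN variable) and an NSS database directory "db" as in the post, and the embedded sample transcripts are constructed from the output quoted above so the parsing can be exercised without running vfychain.

```sh
#!/bin/sh
# Added example, not from the original post: compare vfychain's classic
# (-p, CERT_VerifyCertificate) and PKIX (-pp -g leaf, CERT_PKIXVerifyCert)
# verdicts for each certificate and flag cases where PKIX accepts a chain
# that classic verification rejects.

VFYCHAIN="${VFYCHAIN:-vfychain}"   # path to vfychain(.exe); assumption
DB="${DB:-db}"                      # NSS database directory, as in the post

# Sample transcripts, constructed from the output quoted in the post, used
# to exercise the parsing below without a real vfychain run.
SAMPLE_CLASSIC_BOGUS="Chain is bad!
PROBLEM WITH THE CERT CHAIN:
CERT 0. Builtin Object Token:Bogus Google :
ERROR -8171: Peer's certificate has been marked as not trusted by the user."
SAMPLE_PKIX_GOOD="Chain is good!"
SAMPLE_PKIX_CRL="Chain is bad!
PROBLEM WITH THE CERT CHAIN:
CERT 1. Builtin Object Token:UTN USERFirst Hardware Root CA [Certificate Authority]:
ERROR -8180: Peer's Certificate has been revoked."

# Reduce one vfychain transcript to a verdict: "good", "bad:<error code>"
# or "unknown" (unexpected output, which should also be looked at).
verdict() {
    out="$1"
    case "$out" in
        *"Chain is good!"*) echo good ;;
        *"Chain is bad!"*)
            code=$(printf '%s\n' "$out" | sed -n 's/.*ERROR \(-[0-9]*\):.*/\1/p' | head -n 1)
            echo "bad:${code:-?}" ;;
        *) echo unknown ;;
    esac
}

# Compare the classic and PKIX verdicts for one certificate. Returns 0 when
# they agree (or PKIX is stricter), 1 when PKIX accepts a chain the classic
# path rejected, which is the situation the post describes.
compare() {
    classic=$(verdict "$1")
    pkix=$(verdict "$2")
    if [ "$classic" != good ] && [ "$pkix" = good ]; then
        echo "MISMATCH: classic=$classic pkix=$pkix"
        return 1
    fi
    echo "OK: classic=$classic pkix=$pkix"
    return 0
}

# Run both verification paths against a certificate file and compare.
check_cert() {
    cert="$1"
    classic_out=$("$VFYCHAIN" -d "$DB" -p "$cert" 2>&1) || true
    pkix_out=$("$VFYCHAIN" -d "$DB" -pp -g leaf "$cert" 2>&1) || true
    printf '%s: ' "$cert"
    compare "$classic_out" "$pkix_out"
}

# Check every certificate given on the command line; returns 1 if any mismatch.
check_all() {
    status=0
    for cert in "$@"; do
        check_cert "$cert" || status=1
    done
    return $status
}

# Only touch real certificates when vfychain is actually available.
if [ $# -gt 0 ] && command -v "$VFYCHAIN" >/dev/null 2>&1; then
    check_all "$@"
fi
```

Usage: `VFYCHAIN=./vfychain.exe DB=db sh check-vfychain.sh *.cer`. The script deliberately treats "unknown" output as not good, so a crash or a missing module is reported rather than silently passing.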
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto