Hello NSS gurus,
I'm trying to write an application that can create and parse SCEP
PKCSReq and CertRep SCEP messages. I am running into two problems that
I'm not sure how to tackle using the public interfaces.
1. How do I set other Signed Attributes in a signed-data object aside
from the predefined attributes already provided in cms.h? Specifically
I'm trying to set SCEP attributes (e.g. pkiStatus, messageType, senderNonce,
etc.). I see NSS_CMSSignerInfo_AddAuthAttr(), but when I tried calling
it, it gave me an unresolved symbol error... is it an exported function?
If not, are there any recommended ways to set custom Signed Attributes?
2. Is there a way to get CMS objects that come from self-signed sources
to validate? I get why normally one would not want to accept such a
signature. SCEP does allow for this case though during initial
enrollment, so I'm trying to cover it. I've tried adding the
self-signed cert into the temp Cert DB, and while that alone worked, it
didn't seem to validate no matter what I've tried (even tried changing
trust settings and that didn't get me very far). If I use a
non-self-signed cert that chains to a CA that I have trusted in my
certdb, things work...so I think I've got the general decoding correct.
I just can't get the weird self-signed case to fly.
I was hoping there was a way to get the signed object to validate
similar to what can be done with OpenSSL on the command-line using the
"-noverify" option. The cert used to sign the object I'm taking in is
pretty unremarkable; no extensions, 1 year validity, RSA/2048 bit
key...all pretty standard stuff.
Any suggestions are welcome.
Thank you,
Jamil Nimeh
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
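As an added illustration of the first question (not part of the original post, and not NSS code): the SCEP signed attributes are ordinary CMS Attribute structures under the VeriSign arc, so an application that cannot reach a library's "add authenticated attribute" helper can still build the DER for the attribute set itself and hand it to whatever raw-attribute interface is available. The example below encodes the SCEP attributes used in a CertRep and parses them back; the OIDs and the PrintableString/OCTET STRING value types are those of RFC 8894, while the sample message values are constructed.

```python
"""Encode and decode the SCEP signed attributes (RFC 8894) as DER.
Added example; sample values are constructed, OIDs are the RFC's."""

# SCEP attribute OIDs under the VeriSign arc 2.16.840.1.113733.1.9
SCEP_OIDS = {
    "messageType":    "2.16.840.1.113733.1.9.2",
    "pkiStatus":      "2.16.840.1.113733.1.9.3",
    "failInfo":       "2.16.840.1.113733.1.9.4",
    "senderNonce":    "2.16.840.1.113733.1.9.5",
    "recipientNonce": "2.16.840.1.113733.1.9.6",
    "transactionID":  "2.16.840.1.113733.1.9.7",
}
OID_TO_NAME = {v: k for k, v in SCEP_OIDS.items()}
NONCE_ATTRS = ("senderNonce", "recipientNonce")   # OCTET STRING values


def _len(n: int) -> bytes:
    """DER definite-length encoding (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _len(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed, rest base-128 big-endian."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def encode_attribute(name: str, value) -> bytes:
    """Attribute ::= SEQUENCE { attrType OID, attrValues SET OF ANY }.
    Nonces are OCTET STRING; the other SCEP attributes are PrintableString."""
    if name in NONCE_ATTRS:
        val = _tlv(0x04, value)
    else:
        val = _tlv(0x13, value.encode("ascii"))
    return _tlv(0x30, encode_oid(SCEP_OIDS[name]) + _tlv(0x31, val))


def encode_signed_attrs(attrs: dict) -> bytes:
    """SET OF Attribute. DER requires the elements sorted by their encoding;
    a signer must hash exactly this ordering when it signs the attributes."""
    elems = sorted(encode_attribute(k, v) for k, v in attrs.items())
    return _tlv(0x31, b"".join(elems))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position after the element)."""
    tag = buf[pos]
    ln = buf[pos + 1]
    pos += 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def decode_oid(body: bytes) -> str:
    arcs = [body[0] // 40, body[0] % 40]
    v = 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))


def parse_signed_attrs(der: bytes) -> dict:
    """Inverse of encode_signed_attrs; unknown OIDs are kept in dotted form."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x31 or end != len(der):
        raise ValueError("not a single DER SET OF Attribute")
    out, pos = {}, 0
    while pos < len(body):
        _, attr, pos = _read_tlv(body, pos)
        _, oid_body, p = _read_tlv(attr, 0)
        _, set_body, _ = _read_tlv(attr, p)
        vtag, vbody, _ = _read_tlv(set_body, 0)
        oid = decode_oid(oid_body)
        out[OID_TO_NAME.get(oid, oid)] = vbody if vtag == 0x04 else vbody.decode("ascii")
    return out


# Constructed CertRep attribute values (not from any real exchange):
# messageType 3 = CertRep, pkiStatus 0 = SUCCESS per RFC 8894.
SAMPLE_CERTREP = {
    "messageType": "3",
    "pkiStatus": "0",
    "transactionID": "TXN-0001",
    "senderNonce": bytes(range(16)),
    "recipientNonce": bytes(16),
}

if __name__ == "__main__":
    der = encode_signed_attrs(SAMPLE_CERTREP)
    print(der.hex())
    print(parse_signed_attrs(der))
```

The parser is deliberately strict about the outer SET so that a truncated or concatenated attribute blob is rejected rather than silently partially decoded; when verifying a PKCSReq or CertRep the decoded senderNonce and transactionID are what the responder checks for replay, so the raw bytes are returned unchanged rather than re-encoded.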