Re: [NSS] X509 Certificate Chain Verification Example

2016-02-17 Thread Nicholas Mainardi
I found out that error -8172 is issued because a duplicate cert was found. Probably the self-signed root certificate is added twice to the trust chain because the chain-building algorithm doesn't stop when it finds it the first time, maybe because it's not considered a trust anchor. I recall that I check

Re: [NSS] X509 Certificate Chain Verification Example

2016-02-15 Thread Nicholas Mainardi
Please, could someone give me a hint about this issue? The deadline for my testing program is getting closer and I need to get it working. Otherwise I should use the CERT_VerifyCertNow function even if it's deprecated. I would like to add that I also tried calling CERT_VerifyCertNow on the same input chain

Re: [NSS] X509 Certificate Chain Verification Example

2016-02-10 Thread Nicholas Mainardi
I'm quite sure that the certificate should be trusted. I forgot to write it, but I actually found it using certutil in the cert DB provided by the "roots cert" module: certutil -L -d DB_dir -h all | grep 'root_cn' returns the certificate with trust flags C,C,C. So I think it means it's already trus

Re: [NSS] X509 Certificate Chain Verification Example

2016-02-10 Thread Julien Pierre
As an aside, I would strongly advise you to use the first method - put the root CA in your cert DB, ahead of time, prior to starting your applications. Dynamically and blindly trusting a root CA, especially one received over a network, is asking for trouble and a big security no-no. You should n

Re: [NSS] X509 Certificate Chain Verification Example

2016-02-10 Thread Julien Pierre
Nicholas, your root certificate needs to be trusted. Self-signed is fine, but you still need to trust it. It would either need to be present in your cert DB, with the proper trust flag, or you would need to dynamically set the trust on that root certificate using the API. You can use CERT_

Re: [NSS] X509 Certificate Chain Verification Example

2016-02-10 Thread Nicholas Mainardi
I went on with my investigation, and I found that error -8172 should be related to the fact that the root certificate is self-signed, even if it's in the trust store contained in the Root Certs module. Indeed, I searched through the references to SEC_ERROR_UNTRUSTED_ISSUER, and I found this error seems to be set

Re: [NSS] X509 Certificate Chain Verification Example

2016-02-09 Thread Nicholas Mainardi
About error -8101 with the Facebook CA certificate, I found it should be related to this bug, so it's a certificate issue. However, with Apple's certificate chain, I got error -8102 when I try to validate only the CA certificate, while error -817

Re: [NSS] X509 Certificate Chain Verification Example

2016-02-09 Thread Nicholas Mainardi
Anyone up for a possible solution? 2016-02-06 14:51 GMT+01:00 Nicholas Mainardi: > If I remove cert_pi_certList from the array, invalid_args error turns into > untrusted_issuer error (-8172). So, it seems that even if I don't add the > intermediate CA certificate in certList, the lookup in cert

Re: [NSS] X509 Certificate Chain Verification Example

2016-02-06 Thread Nicholas Mainardi
If I remove cert_pi_certList from the array, invalid_args error turns into untrusted_issuer error (-8172). So, it seems that even if I don't add the intermediate CA certificate in certList, the lookup in cert DB is fine, but it doesn't manage to validate the CA certificate. Indeed, if I give only t

Re: [NSS] X509 Certificate Chain Verification Example

2016-02-05 Thread Julien Pierre
Nicholas, it looks like cert_pi_certList is indeed never processed. So that seems to be unimplemented. I'm not quite sure why that is. It's been a long time since I worked on NSS/libpkix. What happens if you remove that parameter from your list? Once the certs are decoded, presumably in you

Re: [NSS] X509 Certificate Chain Verification Example

2016-02-05 Thread Nicholas Mainardi
Hello, thank you for your reply. I looked for the function you mentioned and I looked at the usage examples. I edited my previous code to use the function, but I'm getting error invalid_args (-8187). After some trials, I figured out it's caused by the cert_pi_certList t

Re: [NSS] X509 Certificate Chain Verification Example

2016-02-03 Thread Julien Pierre
CERT_VerifyCertNow is a legacy API that does not support the full set of RFC 3280/5280 features. To support things like policy checks, you can use libpkix. Look for CERT_PKIXVerifyCert. There are examples of usage in the NSS test programs vfychain and tstclnt. The library supports many more

[NSS] X509 Certificate Chain Verification Example

2016-02-03 Thread Nicholas Mainardi
Hello, I'm comparing different libraries for verifying X509 certificate chains. I had some trouble finding out how to use NSS to perform this task. In the end, I managed to get working code with one certificate chain. You can find the code in this question