Paul,

Paul Neyman wrote:
Hi!

You guys have been very helpful with my NSS questions :) Mind if I ask a couple more?

1. Is it possible to import a CRL during runtime?

I.e.:
- a process has NSS initialized and is using NSS db.
- a user then runs crlutil and imports a CRL (this has worked for me, btw). crlutil -L lists the CRL as imported.

Would the original process be able to see this new CRL and its effects on certificates without reinitializing?

You can import the CRL during runtime.
However, the NSS cert DB is not safe for writing by multiple processes, or even reading from one and reading from another.
So, when you run crlutil, no other process should have the DB open.
The preferred way is for your application, which opened the DB read/write, to import the CRL itself, using the APIs previously mentioned in this newsgroup.

2. SEC_ERROR_BAD_DER error

I've taken the code from the crlutil utility and massaged it to fit into our application. All it does is open the CRL file in DER format and import it using PK11_ImportCRL.

I've generated a CRL using crlutil and reimported it back into db using CRL. That worked fine. However, the same call with the same decode and import options results in a SEC_ERROR_BAD_DER error in a recursive call to DecodeItem when I run it from within our application.

A little comment says that:
/* a required component is missing. abort */

Is there anything extra that needs to be set that I missed?

Thanks a lot.

You are going to need to be more specific about the call and the options you are passing. If you are really passing in a buffer to the same CRL, there is no reason why it would decode in one process and not the other.

Maybe in one case you are not decoding the entries, and in the other case you are. Check the decode options. It's possible that there is an encoding error in the CRL with the entries that would show up with one set of options and not another. But you said you were using the same decode options, so that's probably not it.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
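An added example, not code from this thread or from NSS: before handing a buffer read from disk to PK11_ImportCRL, it pays to check that the bytes are actually a complete DER CertificateList, because the mundane failures (a PEM file read as if it were DER, a file read in text mode and truncated or padded, a tbsCertList missing one of its required components) all surface as a bad-DER error deep inside the decoder rather than at the point of the mistake. The Python below builds a constructed sample CRL inline (the issuer name, serial number, dates and signature bits are placeholders, not a real signed CRL) and runs that pre-check over the good buffer and several broken variants.

```python
"""DER sanity check for a CRL buffer before it reaches a CRL importer.

Added example (not from the thread, not NSS code). The sample CRL is
constructed here; its issuer, serial, dates and signature bytes are
placeholders, not the output of any real CA.
"""
import base64

# --- tiny DER encoder, only what the sample needs --------------------------
def der_len(n: int) -> bytes:
    """Encode a DER length: short form below 128, minimal long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def seq(*parts: bytes) -> bytes:
    return tlv(0x30, b"".join(parts))

# --- minimal strict DER reader ----------------------------------------------
def read_tlv(buf: bytes, off: int):
    """Parse one TLV at buf[off]; return (tag, value, offset after it)."""
    if off + 2 > len(buf):
        raise ValueError("truncated at offset %d" % off)
    tag, first, pos = buf[off], buf[off + 1], off + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("indefinite or oversized length at offset %d (not DER)" % off)
        if pos + nbytes > len(buf):
            raise ValueError("truncated length at offset %d" % off)
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        if length < 0x80:
            raise ValueError("non-minimal length at offset %d (not DER)" % off)
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("value at offset %d runs past end of buffer" % off)
    return tag, buf[pos:pos + length], pos + length

def children(body: bytes):
    """Split a constructed value into its (tag, value) components."""
    out, off = [], 0
    while off < len(body):
        tag, val, off = read_tlv(body, off)
        out.append((tag, val))
    return out

def check_crl_der(buf: bytes) -> str:
    """Return "ok" or a short reason a CRL decoder would reject buf."""
    if buf.lstrip().startswith(b"-----BEGIN"):
        return "PEM text, not DER: base64-decode the body or read the .der file in binary mode"
    try:
        tag, outer, end = read_tlv(buf, 0)
    except ValueError as e:
        return "bad outer TLV: " + str(e)
    if tag != 0x30:
        return "outer tag 0x%02x is not SEQUENCE" % tag
    if end != len(buf):
        return "%d trailing byte(s) after the CertificateList" % (len(buf) - end)
    try:
        parts = children(outer)
    except ValueError as e:
        return "bad CertificateList: " + str(e)
    if len(parts) != 3:
        return "CertificateList has %d components, expected tbsCertList, signatureAlgorithm, signatureValue" % len(parts)
    (t_tbs, tbs), (t_alg, _), (t_sig, _) = parts
    if (t_tbs, t_alg, t_sig) != (0x30, 0x30, 0x03):
        return "CertificateList component tags are wrong"
    try:
        tags = [t for t, _ in children(tbs)]
    except ValueError as e:
        return "bad tbsCertList: " + str(e)
    if tags and tags[0] == 0x02:           # optional version INTEGER
        tags = tags[1:]
    # required: signature AlgorithmIdentifier, issuer Name, thisUpdate (UTCTime or GeneralizedTime)
    if len(tags) < 3 or tags[0] != 0x30 or tags[1] != 0x30 or tags[2] not in (0x17, 0x18):
        return "tbsCertList is missing a required component (signature, issuer or thisUpdate)"
    return "ok"

# --- constructed sample inputs ---------------------------------------------
ALG_ID = seq(tlv(0x06, bytes.fromhex("2a864886f70d01010b")), tlv(0x05, b""))  # sha256WithRSAEncryption
ISSUER = seq(tlv(0x31, seq(tlv(0x06, bytes.fromhex("550403")), tlv(0x0C, b"Example CRL"))))  # CN=Example CRL
THIS_UPDATE, NEXT_UPDATE = tlv(0x17, b"240101000000Z"), tlv(0x17, b"250101000000Z")
REVOKED = seq(seq(tlv(0x02, b"\x10\x01"), tlv(0x17, b"240601000000Z")))        # one placeholder entry
SIG = tlv(0x03, b"\x00" + b"\x00" * 32)                                        # placeholder signature bits
SAMPLE_CRL = seq(seq(tlv(0x02, b"\x01"), ALG_ID, ISSUER, THIS_UPDATE, NEXT_UPDATE, REVOKED), ALG_ID, SIG)
BROKEN_CRL = seq(seq(tlv(0x02, b"\x01"), ALG_ID, THIS_UPDATE), ALG_ID, SIG)    # issuer omitted
PEM_CRL = b"-----BEGIN X509 CRL-----\n" + base64.encodebytes(SAMPLE_CRL) + b"-----END X509 CRL-----\n"

if __name__ == "__main__":
    for name, buf in [("der", SAMPLE_CRL), ("pem", PEM_CRL), ("padded", SAMPLE_CRL + b"\x00"),
                      ("truncated", SAMPLE_CRL[:-1]), ("no-issuer", BROKEN_CRL)]:
        print("%-10s %s" % (name, check_crl_der(buf)))
```

If this check passes on the exact buffer your application passes in and the import still fails only there, the difference is in the arguments rather than the data, so compare the decode options the two callers pass (for instance CRL_DECODE_DEFAULT_OPTIONS versus CRL_DECODE_SKIP_ENTRIES) as the reply above suggests.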