I would like to know the rough workflow to verify a certificate
against a user-supplied root store. Specifically, what NSS functions
would one use for that purpose? I have looked at various headers
(nss.h, cert.h, pk11pub.h, etc.) and searched the web for usage
examples, but could not stitch together a correct workflow of NSS 3.x
functions to use for this task.

The application I am writing essentially operates in two steps:

    1) Load a root store of certificates in memory
    2) Take a user-supplied certificate and verify it against the root
store

There is no persistence requirement, i.e., each new start of the
application performs (1) and (2) from scratch. That said, I tried the
code sequence shown below (C++11), which does not seem to work (a
valid cert does not seem to verify due to a missing issuer;
SEC_ERROR_UNTRUSTED_ISSUER). I'd be thankful for guidance of any form.

    Matthias

#include <nss.h>
#include <cert.h>
#include <prerror.h>
#include <secerr.h>

// Initialize NSS without an on-disk database (the directory argument is ignored).
if (NSS_NoDB_Init(".") != SECSuccess)
    extract_failure_and_report();

// Load the root store in memory.
for (certificate const& root : root_certs_in_DER_format)
{
    // SECItem::data is a non-const unsigned char* and SECItem::len an
    // unsigned int, so the caller's buffer needs casts (this assumes
    // certificate::data() yields a const unsigned char*).
    SECItem secitem{siDERCertBuffer,
                    const_cast<unsigned char*>(root.data()),
                    static_cast<unsigned int>(root.size())};
    CERTCertificate* cert = CERT_NewTempCertificate(
        CERT_GetDefaultCertDB(),
        &secitem,
        nullptr,  /* nickname */
        PR_TRUE,  /* isperm: Add cert to root store?! */
        PR_FALSE  /* copyDER */);
    if (cert == nullptr)
        extract_failure_and_report();

    // Release our reference to the temporary cert.
    CERT_DestroyCertificate(cert);
}

// User provides certificate.
SECItem secitem{siDERCertBuffer,
                const_cast<unsigned char*>(user_cert.data()),
                static_cast<unsigned int>(user_cert.size())};
CERTCertificate* user_nss_cert = CERT_NewTempCertificate(
    CERT_GetDefaultCertDB(),
    &secitem,
    nullptr,  /* nickname */
    PR_FALSE, /* isperm: Do NOT add user cert to root store?! */
    PR_FALSE  /* copyDER */);
if (user_nss_cert == nullptr)
    extract_failure_and_report();

// Verify the certificate for the requested usage at the given time:
// check signatures, no PKCS#11 password context, no verify log.
SECCertificateUsage use = get_usage();
SECCertificateUsage verified_uses = 0;
SECStatus rc = CERT_VerifyCertificate(
    CERT_GetDefaultCertDB(),
    user_nss_cert,
    PR_TRUE,                    /* checkSig */
    use,                        /* requiredUsages */
    get_timestamp_from_user(),  /* PRTime t */
    nullptr,                    /* wincx */
    nullptr,                    /* CERTVerifyLog* */
    &verified_uses);

// Here I get: PR_GetError() == SEC_ERROR_UNTRUSTED_ISSUER
if (rc == SECFailure)
    extract_failure_and_report();

CERT_DestroyCertificate(user_nss_cert);

// Clean up.
NSS_Shutdown();
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
