I would like to know the rough workflow to verify a certificate against a user-supplied root store. Specifically, what NSS functions would one use for that purpose? I have looked at various headers (nss.h, cert.h, pk11pub.h, etc.) and searched the web for usage examples, but could not stitch together a correct workflow of NSS 3.x functions to use for this task.
The application I am writing essentially operates in two steps:

  1) Load a root store of certificates in memory
  2) Take a user-supplied certificate and verify it against the root store

There is no persistence requirement, i.e., each new start of the application performs (1) and (2) from scratch. That said, I tried the code sequence shown below (C++11), which does not seem to work (a valid cert does not seem to verify due to a missing issuer; SEC_ERROR_UNTRUSTED_ISSUER). I'd be thankful for guidance of any form.

    Matthias

    #include <vector>

    #include <nss.h>
    #include <cert.h>
    #include <secerr.h>
    #include <prerror.h>
    #include <prtime.h>

    // Assumed for this excerpt: a certificate is held as its DER bytes.
    using certificate = std::vector<unsigned char>;

    // Helpers referenced below but not shown in the post.
    SECCertificateUsage get_usage();
    PRTime get_timestamp_from_user();
    void extract_failure_and_report();

    void verify_user_cert(std::vector<certificate> const& root_certs_in_DER_format,
                          certificate const& user_cert_der)
    {
        // Initialize database.
        NSS_NoDB_Init(".");

        // Load the root store in memory.
        for (certificate const& root : root_certs_in_DER_format) {
            SECItem secitem{siDERCertBuffer,
                            const_cast<unsigned char*>(root.data()),
                            static_cast<unsigned int>(root.size())};
            CERTCertificate* root_cert = CERT_NewTempCertificate(
                CERT_GetDefaultCertDB(),
                &secitem,
                nullptr,
                PR_TRUE,   /* Add cert to root store?! */
                PR_FALSE);
            CERT_DestroyCertificate(root_cert);
        }

        // User provides certificate.
        SECItem secitem{siDERCertBuffer,
                        const_cast<unsigned char*>(user_cert_der.data()),
                        static_cast<unsigned int>(user_cert_der.size())};
        CERTCertificate* user_cert = CERT_NewTempCertificate(
            CERT_GetDefaultCertDB(),
            &secitem,
            nullptr,
            PR_FALSE,  /* Do NOT add user cert to root store?! */
            PR_FALSE);

        // Verify the certificate.
        SECCertificateUsage use = get_usage();
        SECCertificateUsage verified_uses;
        SECStatus rc = CERT_VerifyCertificate(
            CERT_GetDefaultCertDB(),
            user_cert,
            PR_TRUE,
            use,
            get_timestamp_from_user(),
            nullptr,
            nullptr,
            &verified_uses);

        // Here I get: PR_GetError() == SEC_ERROR_UNTRUSTED_ISSUER
        if (rc == SECFailure)
            extract_failure_and_report();

        CERT_DestroyCertificate(user_cert);

        // Clean up.
        NSS_Shutdown();
    }

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto