On 2009-09-25 05:04 PDT, Adriano Bonat wrote:

> $ nss-certutil -d . -L -h all
>
> this gave me the same result as without it.

This is because your libnssckbi.so is not being loaded, as you have already noted. Let's fix that.

> BUT, I tried it on a Ubuntu machine with Signing Tool 3.12.3.1, and
> then it lists also the builtin modules... So, there's some difference
> between those machines.

Did the MacPort include nssckbi?

> Later I was checking other things, and I found the following:
>
> $ nss-modutil -dbdir . -list
>
> Listing of PKCS #11 Modules
> -----------------------------------------------------------
> 1. NSS Internal PKCS #11 Module
> slots: 2 slots attached
> status: loaded
>
> slot: NSS Internal Cryptographic Services
> token: NSS Generic Crypto Services
>
> slot: NSS User Private Key and Certificate Services
> token: NSS Certificate DB
> -----------------------------------------------------------
>
>
> Isn't missing here the "Mozilla Root Certs" that points to
> "libnssckbi.so" ?

Yes, exactly. Do you have such a lib among the NSS libs from the MacPort? If so, copy it into the "." directory (the directory specified as the argument to the -d option of signtool, or the -dbdir option of modutil) and then repeat your efforts. PSM (part of Firefox) does some of this magic for you.

> I found this information here:
> http://article.gmane.org/gmane.comp.mozilla.crypto/11137
>
> Testing on the Ubuntu machine confirmed this, there the "Root certs"
> are pointing to that library, so that's where the builtin certificates
> came from.

yes.

>>> Why all certificates (except the one that I installed) don't have
>>> trust attributes? This led me to a problem when signing the file:
>>
>> Because they're almost all intermediate CA certificates, not root CA
>> certificates, or they _should_ be. As a general rule, trust flags are
>> only put on roots, not on intermediates. However, there are some
>> exceptions.
>
> I see, but I find it strange, on the manual page when they list the
> certificates they all have trust attributes:
> http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html

Yes, there was formerly a bug in the browser that routinely set certain trust flags on all certs that were manually imported by a user. I think that's fixed now (not 100% positive though). The old examples reflect that old bug.

>>> $ nss-signtool -d . -l
>>>
>>> Object signing certificates
>>> ---------------------------------------
>>> COMPANYNAME LLC's Starfield Technologies, Inc. ID
>>> Issued by: Starfield Secure Certification Authority
>>> Expires: Mon Sep 19, 2011
>>> ++ Error ++ THIS CERTIFICATE IS NOT VALID (Certificate Authority
>>> certificate invalid)
>>> ---------------------------------------
>>> For a list including CA's, use "signtool -L"
>>
>> This is why I asked what version of NSS you're using. There were some
>> gross bugs in signtool versions before 3.12.3
>>
>
> Maybe they are still there? :)

Let's see if that persists after you get nssckbi in place.

> Thanks again.
> -Adriano Bonat

--
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
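The diagnostic step in the thread above, checking the `modutil -dbdir . -list` output for the builtin root module, as an added example in Python that is not part of the original posts. It parses the listing format shown in the thread into module/slot/token records, reports whether a module backed by `libnssckbi` is registered, and composes the `modutil -add` invocation as an alternative to copying the library into the database directory. The first listing is copied from Adriano's post; the second, showing a loaded "Root Certs" module, is a constructed sample modelled on modutil's output and not taken from the thread.

```python
"""Parse `modutil -dbdir <dir> -list` output and check for the builtin
root-certificate module (libnssckbi).  Added example, not from the thread."""
import re
import shutil
import subprocess
import sys

# Listing exactly as reported in the thread: only the internal module is present.
LISTING_WITHOUT_ROOTS = """\
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
-----------------------------------------------------------
"""

# Constructed sample (not from the thread) of a database where nssckbi is loaded.
LISTING_WITH_ROOTS = LISTING_WITHOUT_ROOTS.rstrip("-\n") + """
  2. Root Certs
        library name: libnssckbi.so
         slots: 1 slot attached
        status: loaded

         slot: NSS Builtin Objects
        token: Builtin Object Token
-----------------------------------------------------------
"""

MODULE_RE = re.compile(r"^\s*(\d+)\.\s+(.*\S)\s*$")        # "  1. <module name>"
FIELD_RE = re.compile(r"^\s*([a-z ]+):\s*(.*\S)?\s*$")     # "   key: value"


def parse_modutil_listing(text):
    """Return a list of dicts: name, library, status, slots=[(slot, token), ...]."""
    modules = []
    current = None
    pending_slot = None
    for line in text.splitlines():
        m = MODULE_RE.match(line)
        if m:
            current = {"name": m.group(2), "library": None, "status": None, "slots": []}
            modules.append(current)
            pending_slot = None
            continue
        if current is None:
            continue                      # header and separator lines before module 1
        f = FIELD_RE.match(line)
        if not f:
            continue
        key, value = f.group(1).strip(), (f.group(2) or "")
        if key == "library name":
            current["library"] = value
        elif key == "status":
            current["status"] = value
        elif key == "slot":
            pending_slot = value           # a "token:" line follows each "slot:" line
        elif key == "token":
            current["slots"].append((pending_slot, value))
            pending_slot = None
    return modules


def has_builtin_roots(modules):
    """True if some module is backed by libnssckbi (any platform suffix) or
    exposes the builtin-roots token; matching by name alone is not enough,
    since the module can be registered under any name."""
    for mod in modules:
        lib = (mod["library"] or "").lower()
        tokens = " ".join(token.lower() for _, token in mod["slots"])
        if "nssckbi" in lib or "builtin object token" in tokens:
            return True
    return False


def remediation_argv(dbdir, libfile, name="Root Certs"):
    """modutil command registering the library in the database at dbdir.
    Flags are modutil's real ones; the paths are whatever the caller supplies."""
    return ["modutil", "-dbdir", dbdir, "-add", name, "-libfile", libfile]


if __name__ == "__main__":
    # Diagnose a live database if modutil is installed and a directory was given,
    # otherwise walk through the two embedded listings.
    if len(sys.argv) > 1 and shutil.which("modutil"):
        text = subprocess.run(["modutil", "-dbdir", sys.argv[1], "-list"],
                              capture_output=True, text=True, check=True).stdout
        samples = [(sys.argv[1], text)]
    else:
        samples = [("thread listing", LISTING_WITHOUT_ROOTS),
                   ("constructed listing", LISTING_WITH_ROOTS)]
    for label, text in samples:
        mods = parse_modutil_listing(text)
        print(f"{label}: {len(mods)} module(s): {[m['name'] for m in mods]}")
        if has_builtin_roots(mods):
            print("  builtin roots present; certutil -L -h all will show them")
        else:
            print("  no nssckbi module; fix with:",
                  " ".join(remediation_argv(".", "/path/to/libnssckbi.so")))
```

Run it with no arguments to see both outcomes, or with a database directory to check a real NSS DB. Copying `libnssckbi.so` into the database directory, as suggested in the thread, works because NSS searches that directory for the builtin module; `modutil -add` records the path explicitly, which survives moving the library elsewhere.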

