Hi Nelson,

Did you see the message from Kaspar? I guess he is right and I'm another victim of that "bug", so there is nothing I can do to fix it :(

Thanks again.
-Adriano Bonat

On Sep 26, 1:24 am, Nelson Bolyard <[email protected]> wrote:
> On 2009-09-25 05:04 PDT, Adriano Bonat wrote:
>
> > $ nss-certutil -d . -L -h all
>
> > this gave me the same result as without it.
>
> This is because your libnssckbi.so is not being loaded, as you have
> already noted. Let's fix that.
>
> > BUT, I tried it on a Ubuntu machine with Signing Tool 3.12.3.1, and
> > then it lists also the builtin modules...
>
> So, there's some difference between those machines. Did the MacPort
> include nssckbi?
>
> > Later I was checking other things, and I found the following:
>
> > $ nss-modutil -dbdir . -list
>
> > Listing of PKCS #11 Modules
> > -----------------------------------------------------------
> >   1. NSS Internal PKCS #11 Module
> >          slots: 2 slots attached
> >         status: loaded
>
> >          slot: NSS Internal Cryptographic Services
> >         token: NSS Generic Crypto Services
>
> >          slot: NSS User Private Key and Certificate Services
> >         token: NSS Certificate DB
> > -----------------------------------------------------------
>
> > Isn't missing here the "Mozilla Root Certs" that points to
> > "libnssckbi.so" ?
>
> Yes, exactly. Do you have such a lib among the NSS libs from the MacPort?
> If so, copy it into the "." directory (the directory specified as the
> argument to the -d option of signtool, or the -dbdir option of modutil)
> and then repeat your efforts. PSM (part of Firefox) does some of this
> magic for you.
>
> > I found this information here:
> > http://article.gmane.org/gmane.comp.mozilla.crypto/11137
>
> > Testing on the Ubuntu machine confirmed this, there the "Root certs"
> > are pointing to that library, so that's where the builtin certificates
> > came from.
>
> yes.
>
> >>> Why all certificates (except the one that I installed) don't have
> >>> trust attributes? This led me to a problem when signing the file:
>
> >> Because they're almost all intermediate CA certificates, not root CA
> >> certificates, or they _should_ be. As a general rule, trust flags are
> >> only put on roots, not on intermediates. However, there are some
> >> exceptions.
>
> > I see, but I find it strange, on the manual page when they list the
> > certificates they all have trust attributes:
> > http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
>
> Yes, there was formerly a bug in the browser that routinely set certain
> trust flags on all certs that were manually imported by a user. I think
> that's fixed now (not 100% positive though). The old examples reflect
> that old bug.
>
> >>> $ nss-signtool -d . -l
>
> >>> Object signing certificates
> >>> ---------------------------------------
> >>> COMPANYNAME LLC's Starfield Technologies, Inc. ID
> >>>     Issued by: Starfield Secure Certification Authority
> >>>     Expires: Mon Sep 19, 2011
> >>>     ++ Error ++ THIS CERTIFICATE IS NOT VALID (Certificate Authority
> >>> certificate invalid)
> >>> ---------------------------------------
> >>> For a list including CA's, use "signtool -L"
>
> >> This is why I asked what version of NSS you're using. There were some
> >> gross bugs in signtool versions before 3.12.3
>
> > Maybe they are still there? :)
>
> Let's see if that persists after you get nssckbi in place.
>
> > Thanks again.
>
> > -Adriano Bonat

--
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
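A way to script the check discussed in the quoted reply (added example, not part of the original messages): it reads `modutil -list` output and reports whether a loaded module is backed by the nssckbi library. The second listing, its module name and its library path are constructed, and the `library name:` field layout is an assumption about how a non-internal module is listed.

```shell
#!/bin/sh
# Added example. Real use (command name as in the thread):
#   nss-modutil -dbdir . -list | report

# Reads a module listing on stdin; succeeds if a loaded module names nssckbi.
has_builtin_roots() {
    awk '
        /^[ \t]*[0-9]+\.[ \t]/         { lib = 0 }   # "<n>. <name>" starts a module
        /library name:/ && /nssckbi/   { lib = 1 }   # module backed by the roots lib
        /status:[ \t]*loaded/          { if (lib) found = 1 }
        END { exit(found ? 0 : 1) }
    '
}

report() {
    if has_builtin_roots; then
        echo "builtin roots module loaded"
    else
        echo "no builtin roots module: only certs stored in the DB are visible"
    fi
}

# Listing quoted in the thread: only the internal module is present.
listing_from_thread() {
cat <<'EOF'
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded
EOF
}

# Constructed listing (assumed layout, made-up module name and path).
listing_with_roots() {
    listing_from_thread
cat <<'EOF'

  2. Root Certs
        library name: /example/path/libnssckbi.so
         slots: 1 slot attached
        status: loaded
EOF
}

listing_from_thread | report
listing_with_roots  | report
```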

