Hello,

On 12-08-2012 00:13, Wan-Teh Chang wrote:
> On Sat, Aug 11, 2012 at 5:37 AM, Gökçen Eraslan
> <gokcen.eras...@gmail.com> wrote:
>>
>> When I traced the code I saw that the sec_pkcs7_create_signed_data call
>> returns successfully but sec_pkcs7_add_signer fails.
>>
>> The trace is like this:
>>
>> sec_pkcs7_add_signer -> CERT_VerifyCertificate -> CERT_VerifyCertChain
>> -> CERT_FindBasicConstraintExten -> cert_FindExtension
>>
>> and finally the cert_FindExtensionByOID function returns
>> SEC_ERROR_EXTENSION_NOT_FOUND.
>>
>> My full patch is here: http://pastebin.ca/2179231
>>
>> Can anybody help me with that error? I need to create a PKCS7 object
>> and encode it via SEC_PKCS7Encode. May my certificate be the problem?
>
> Perhaps the CA certificate of your signing certificate does not have
> the basic constraint extension? That's what I concluded from the call
> stack you provided and the SEC_ERROR_EXTENSION_NOT_FOUND error code.
>
Actually, what I do is create a self-signed CA certificate and sign my certificate with my fake CA certificate. Then I try to create a detached SignedData structure with NSS. But, before signing the PKCS7 object, NSS checks whether the certificate is valid. Since my CA is not a trusted CA and therefore my cert is invalid, it fails.

Now, I can create a PKCS7 object after marking my CA certificate as "trusted" in Firefox. I don't get any error anymore, but I still need to find a way to create a SignedData structure with an invalid certificate. How can I do that? Do the new CMS functions permit that?

> Also, it's better to use the new CMS functions in
> mozilla/security/nss/lib/smime instead of the old PKCS7 functions.
>

Thank you for your attention. I'll try the new CMS functions and write back with the result.

> Wan-Teh
>

--
Gökçen Eraslan
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto