CERT_VerifyCertNow is a legacy API that does not support the full set of RFC 3280/5280 features.
To support things like policy checks, you can use libpkix.
Look for CERT_PKIXVerifyCert. There are examples of usage in the NSS test programs vfychain and tstclnt.
The library supports many more options than may be tested, though.


On 2/3/2016 08:37, Nicholas Mainardi wrote:

I'm comparing different libraries to verify X509 certificate chains. I had
some issues finding out how to use NSS to perform this task. In the end, I
managed to get working code with one certificate chain. You can find the
code in this question I asked on Stack Overflow. I would like to know if the
code I wrote is the correct way to verify a certificate chain using NSS, and
if there are other parameters to customize the verify algorithm which can be
set (i.e. a flag to enable policy check etc.). If the code is correct, I
suggest it could be added to the NSS examples in the documentation.

Thank you,


dev-tech-crypto mailing list