D wrote:
> 
> I'm a real novice in Mozilla's source code and trying to use NSS to
> sign a string given the following:
> 1. String to sign
> 2. Serial number of certificate to sign string with
> 3. Issuer name of certificate to sign string with
> 
> I've done this using Microsoft Crypto API using the following logic:
> 1. Enumerate through certificates in store
> 2. If certificate issuer name and serial number matches
> 3. Use the cert to sign the string
> It was really easy since there is a lot of documentation on the MS Crypto
> API.

> I'm trying to do something similar if the user's certificate is stored in
> Netscape's cert store. I managed to build NSS, and found that SMimeTools
> and CertUtil have the functionality I'm looking for, but the problem
> is there's no documentation or roadmap for using the APIs (I would
> appreciate any pointers to documentation if you know of
> any).

Wan-Teh's posting points to the documentation that exists, but it's 
not nearly complete.

> My question is:
> 1. Given an issuer name and serial no., I suspect the API to get the
> cert is "CERT_FindCertByIssuerAndSN". One of the params to this API is
> "CERTIssuerAndSN"; how do I create that object to pass into the API?

You're on the right track.  You'll have to create your own CERTIssuerAndSN.
It's declared in certt.h as 

struct CERTIssuerAndSNStr {
    SECItem derIssuer;
    CERTName issuer;
    SECItem serialNumber;
};

derIssuer is the DER-encoded issuer to be found in the cert for which 
you're searching.  

CERT_FindCertByIssuerAndSN doesn't use the "issuer" member. 

serialNumber is NOT DER encoded.  It contains the serial number as found
in the certificate for which you're searching.  This number is stored in
big-endian (most significant byte first) order, with no leading zero bytes.

SECItem is a struct with 3 members, 

struct SECItemStr {
    SECItemType type;
    unsigned char *data;
    unsigned int len;
};

type is generally ignored.  
data points to the first byte of an array of bytes, 
len is the number of bytes in the array.


I suggest you have a CERTIssuerAndSN struct (automatic), zero it out,
initialize the derIssuer and serialNumber SECItems to point to your
DER-encoded issuer and non-encoded serialNumber, and pass it to
CERT_FindCertByIssuerAndSN.

> Thanks
> 
> --DS


--
Nelson Bolyard               Netscape Communications (subsidiary of AOL)
Disclaimer:                  I speak for myself, not for Netscape

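As an added example (not part of the original post, and not NSS's own code), the following C program fills in a CERTIssuerAndSN exactly as described above, taking the two items from a DER certificate you already hold: derIssuer is the complete DER encoding of the issuer Name (outer SEQUENCE tag and length included), and serialNumber is the content bytes of the INTEGER, big-endian, with the 0x00 that DER prepends for a high-bit-set value stripped off. It compiles stand-alone using minimal stand-ins for the structs quoted from certt.h; with NSS installed, building with -DHAVE_NSS swaps in the real headers and performs the lookup. The sample certificate bytes, the ./nssdb path, and the HAVE_NSS switch are all assumptions made here; if you only have the issuer as a text string rather than DER, NSS's CERT_AsciiToName gives you a CERTName that then has to be DER-encoded, which this example does not cover.

```c
/* Added example (not from the original post or from NSS itself): build the
 * CERTIssuerAndSN that CERT_FindCertByIssuerAndSN expects from a DER certificate.
 * With NSS available, compile with -DHAVE_NSS plus the NSS include/lib paths;
 * without it, the stand-in declarations below let it build on its own. */
#include <stdio.h>
#include <string.h>

#ifdef HAVE_NSS
#include "nss.h"
#include "cert.h"
#else
/* Minimal stand-ins for the NSS declarations quoted above (certt.h/seccomon.h),
 * so this compiles without NSS. CERTName is a placeholder: the lookup ignores it. */
typedef enum { siBuffer = 0 } SECItemType;
typedef struct SECItemStr { SECItemType type; unsigned char *data; unsigned int len; } SECItem;
typedef struct CERTNameStr { void *arena; void *rdns; } CERTName;
typedef struct CERTIssuerAndSNStr { SECItem derIssuer; CERTName issuer; SECItem serialNumber; } CERTIssuerAndSN;
#endif

/* One DER TLV: its tag, the whole TLV span, the content span, and where the next TLV starts. */
typedef struct {
    unsigned char tag;
    const unsigned char *tlv, *content, *next;
    size_t tlv_len, len;
} DerTlv;

/* Read the TLV at p (p < end). Rejects indefinite length and anything running past end. */
static int der_read(const unsigned char *p, const unsigned char *end, DerTlv *t)
{
    size_t len = 0, i, n;
    if (end - p < 2) return -1;
    t->tlv = p;
    t->tag = p[0];
    if (p[1] < 0x80) {
        len = p[1];
        p += 2;
    } else {
        n = p[1] & 0x7F;                 /* long form: number of length bytes */
        if (n == 0 || n > sizeof(size_t) || (size_t)(end - p) < 2 + n) return -1;
        p += 2;
        for (i = 0; i < n; i++) len = (len << 8) | *p++;
    }
    if ((size_t)(end - p) < len) return -1;
    t->content = p;
    t->len = len;
    t->next = p + len;
    t->tlv_len = (size_t)(t->next - t->tlv);
    return 0;
}

/* Fill *out from the DER Certificate in cert[0..cert_len). Returns 0 on success,
 * -1 on malformed input. The SECItems point INTO cert: keep that buffer alive
 * while *out is in use, since CERT_FindCertByIssuerAndSN does not copy it. */
int build_issuer_and_sn(const unsigned char *cert, size_t cert_len, CERTIssuerAndSN *out)
{
    const unsigned char *end = cert + cert_len, *p, *s;
    DerTlv outer, tbs, f;
    size_t n;

    memset(out, 0, sizeof(*out));
    /* Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { ... }, ... } */
    if (der_read(cert, end, &outer) < 0 || outer.tag != 0x30) return -1;
    if (der_read(outer.content, outer.next, &tbs) < 0 || tbs.tag != 0x30) return -1;
    p = tbs.content;
    /* TBSCertificate begins with OPTIONAL [0] EXPLICIT version (tag 0xA0): skip it if present */
    if (der_read(p, tbs.next, &f) < 0) return -1;
    if (f.tag == 0xA0 && der_read(f.next, tbs.next, &f) < 0) return -1;
    /* serialNumber INTEGER: NSS wants the content bytes only (big-endian), minus the
     * 0x00 DER prepends to keep a high-bit value positive. One byte is kept for a
     * serial of 0 (a choice made here, not something NSS dictates). */
    if (f.tag != 0x02 || f.len == 0) return -1;
    for (s = f.content, n = f.len; n > 1 && s[0] == 0x00; s++, n--) ;
    out->serialNumber.type = siBuffer;
    out->serialNumber.data = (unsigned char *)s;
    out->serialNumber.len = (unsigned int)n;
    /* signature AlgorithmIdentifier: not needed, skipped */
    if (der_read(f.next, tbs.next, &f) < 0 || f.tag != 0x30) return -1;
    /* issuer Name: derIssuer is the WHOLE encoding, SEQUENCE tag and length included */
    if (der_read(f.next, tbs.next, &f) < 0 || f.tag != 0x30) return -1;
    out->derIssuer.type = siBuffer;
    out->derIssuer.data = (unsigned char *)f.tlv;
    out->derIssuer.len = (unsigned int)f.tlv_len;
    return 0;
}

/* Constructed sample: a Certificate/TBSCertificate prefix carrying only the fields
 * walked above (v3, serial 0x00A1B2, sha256WithRSAEncryption, issuer CN=Test CA).
 * It is not a real certificate and would not verify. */
const unsigned char kSampleCert[] = {
    0x30, 0x2F, 0x30, 0x2D,
    0xA0, 0x03, 0x02, 0x01, 0x02,                                 /* [0] version v3 */
    0x02, 0x03, 0x00, 0xA1, 0xB2,                                 /* serialNumber INTEGER 0xA1B2 */
    0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D,
    0x01, 0x01, 0x0B, 0x05, 0x00,                                 /* signature AlgorithmIdentifier */
    0x30, 0x12, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04,
    0x03, 0x0C, 0x07, 'T', 'e', 's', 't', ' ', 'C', 'A'           /* issuer Name: CN=Test CA */
};

static void hexdump(const char *label, const SECItem *it)
{
    unsigned int i;
    printf("%s (%u bytes):", label, it->len);
    for (i = 0; i < it->len; i++) printf(" %02X", it->data[i]);
    printf("\n");
}

int main(void)
{
    CERTIssuerAndSN isn;
    if (build_issuer_and_sn(kSampleCert, sizeof kSampleCert, &isn) < 0) {
        fprintf(stderr, "malformed certificate\n");
        return 1;
    }
    hexdump("derIssuer", &isn.derIssuer);        /* starts 30 12 31 10 ... */
    hexdump("serialNumber", &isn.serialNumber);  /* A1 B2: the leading 00 is dropped */
#ifdef HAVE_NSS
    {   /* Assumed setup: an NSS cert/key DB in ./nssdb (hypothetical path). */
        CERTCertificate *c;
        if (NSS_Init("sql:./nssdb") != SECSuccess) return 1;
        c = CERT_FindCertByIssuerAndSN(CERT_GetDefaultCertDB(), &isn);
        printf("%s\n", c ? c->subjectName : "no matching certificate");
        if (c) CERT_DestroyCertificate(c);
        NSS_Shutdown();
    }
#endif
    return 0;
}
```

The walker stops at the issuer, so it never touches the subject, validity, or signature; that is all the lookup needs, and it is also why a certificate that fails to parse past the issuer still yields -1 rather than garbage pointers. If you pull the issuer DER out of some other cert in the chain instead (the CA's own subject encoding is byte-for-byte what appears as the issuer in certs it signed), the same derIssuer rule applies: pass the full Name TLV, not just its contents.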