Mariusz Mazur wrote:
> AFAIK Mozilla doesn't store CA keys in ca-bundle.crt but in a binary 
> database. Is there any chance that Mozilla will start using OpenSSL's 
> functions/databases?

Mozilla reads trusted certs from PKCS #11 (Cryptoki) modules. Currently 
Mozilla supports two sources by default, the built-in CAs (which are 
compiled into {lib}nssckbi.{so,dll,sl}) and the softoken database. You 
can "easily" build a plugin to get trusted roots from additional 
locations using the ckfw (Cryptoki framework), located in 
mozilla/security/nss/libckfw. Look at the built-in tokens as an example.

bob
