After digging more into this problem, I found the old subject was
misleading, so I changed it. Please refer to the "incompatible cert7.db and
key3.db for Mozilla and Communicator" thread for the history.


OK, I've got to tackle this since there is no other way out for me :(


environment: 
Red Hat Linux 7.3 Kernel 2.4.18 
nss-3.6 
nspr-4.2.2
openssl 0.9.6g


This is the output of signtool -L
loren@home:~/nss/nss-3.6/bin$ ./signtool -d . -L
using certificate directory: .

S Certificates
- ------------
  Test Root CA - Test Company
* Test User One
- ------------
Certificates that can be used to sign objects have *'s to their left.


The -l option gave the following output:

loren@home:~/nss/nss-3.6/bin$ ./signtool -d . -l
using certificate directory: .

Object signing certificates
---------------------------------------
Test User One
    Issued by: Test Root CA - Test Company (Test Root CA)
    Expires: Tue Oct 28, 2003
Assertion failure: 0, at certvfy.c:1483
Aborted

Running signtool -l again under gdb, the stack trace shows that the
PORT_Assertion failed at the default clause of the switch
(certUsage) block of the function CERT_VerifyCert(), where the value
of certUsage is certUsageAnyCA. However, I did add an object signing
CA extension as nsCertType for the CA cert, and checked the trust
settings for identifying software makers only in Mozilla, but I don't
know where the certUsageAnyCA in the trust flag comes from. So the
problem is: why certUsageAnyCA, and how can I get past the
PORT_Assertion?

Any hint is greatly appreciated.



PS. Using certutil -L -n to dump the certs:

Root cert:
=====================================================================
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: [EMAIL PROTECTED], CN=Test Root CA, O=Test Company, L=Taipei, ST=Taiwan, C=TW
        Validity:
            Not Before: Tue Oct 29 07:42:47 2002
            Not After: Mon Oct 29 07:42:47 2007
        Subject: [EMAIL PROTECTED], CN=Test Root CA, O=Test Company, L=Taipei, ST=Taiwan, C=TW
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    00:c4:7a:a9:fa:0f:d5:b5:0d:32:ab:09:6d:b6:f0:
                    69:a3:b6:30:d6:54:c4:2b:6d:52:68:db:7e:7d:ba:
                    bb:ea:5d:76:ce:df:74:61:68:f0:6a:09:f7:13:c8:
                    a2:83:cc:fc:5f:22:ca:a8:b1:b9:a0:a1:aa:1c:fc:
                    91:8f:8e:61:81:06:93:69:11:df:d4:60:31:f4:3a:
                    e9:63:10:1f:a2:79:19:9b:0c:08:df:78:42:86:ac:
                    8b:4a:c0:29:7d:dc:57:75:b7:7a:eb:cf:44:87:00:
                    5a:f1:91:46:d0:c7:f1:5b:f1:9c:20:8c:cb:63:3f:
                    95:d3:de:c3:26:96:1d:63:67
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name:
                Certificate Subject Key ID
            Data:
                04:14:18:9f:6e:62:1e:f2:31:2d:e4:1b:74:f3:a3:35:
                63:3e:84:43:df:42

            Name:
                Certificate Authority Key Identifier
            Data: Sequence {
                Option 0
                    18:9f:6e:62:1e:f2:31:2d:e4:1b:74:f3:a3:35:63:
                    3e:84:43:df:42
                Option 1
                    84:a4:81:81:30:7f:31:0b:30:09:06:03:55:04:06:
                    13:02:54:57:31:0f:30:0d:06:03:55:04:08:13:06:
                    54:61:69:77:61:6e:31:0f:30:0d:06:03:55:04:07:
                    13:06:54:61:69:70:65:69:31:15:30:13:06:03:55:
                    04:0a:13:0c:54:65:73:74:20:43:6f:6d:70:61:6e:
                    79:31:15:30:13:06:03:55:04:03:13:0c:54:65:73:
                    74:20:52:6f:6f:74:20:43:41:31:20:30:1e:06:09:
                    2a:86:48:86:f7:0d:01:09:01:16:11:74:65:73:74:
                    52:6f:6f:74:40:74:65:73:74:2e:63:6f
                6d:82:01:01
            }

            Name:
                Certificate Basic Constraints
            Data: Is a CA with a maximum path length of -2.

            Name:
                Certificate Key Usage
            Data:
                03:02:01:06

            Name:
                Certificate Type
            Data: <ObjectSigning CA>

    Fingerprint (MD5):
        D4:1D:8C:D9:8F:00:B2:04:E9:80:09:98:EC:F8:42:7E
    Fingerprint (SHA1):
        DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09

    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Signature:
        67:c4:a5:66:c9:ae:52:eb:d2:ff:74:04:59:b6:af:a4:a8:98:
        8e:ee:ce:28:16:bf:20:a0:64:2f:a0:e7:95:3c:35:9c:04:0e:
        d7:44:1c:fa:8b:72:7e:cf:bd:b1:94:56:5f:23:72:83:37:28:
        00:d6:08:4e:22:56:de:19:5f:e3:d2:3e:37:61:6e:ae:8c:9b:
        ad:34:79:62:8b:1c:a0:b4:cd:c1:2b:b3:5f:94:52:43:33:e6:
        da:cd:a2:03:ca:be:93:9b:ff:e0:07:96:d9:40:fe:d2:7c:50:
        cf:a9:a9:7b:e4:47:37:f0:3f:00:9d:dc:30:f4:59:65:34:3b:
        90:fb
    Certificate Trust Flags:
        SSL Flags:
            Valid CA
        Email Flags:
            Valid CA
        Object Signing Flags:
            Valid CA
            Trusted CA

======================================================================


object signing client cert:

======================================================================
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: [EMAIL PROTECTED], CN=Test Root CA, O=Test Company, L=Taipei, ST=Taiwan, C=TW
        Validity:
            Not Before: Tue Oct 29 07:46:12 2002
            Not After: Wed Oct 29 07:46:12 2003
        Subject: [EMAIL PROTECTED], CN=Test User One, O=Test Company, ST=Taiwan, C=TW
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    00:e2:f0:cf:fd:48:30:fa:96:82:a4:61:4f:c8:ac:
                    c4:7d:62:c8:88:15:eb:70:44:ad:3f:a2:b7:c6:43:
                    b6:3e:c3:b2:c5:6a:99:b1:76:28:3b:f2:10:d5:04:
                    fa:fc:dd:db:a8:d7:06:64:4b:af:58:6c:c1:17:04:
                    d6:24:4c:c6:0c:c5:2e:6e:25:05:c5:27:03:7b:a4:
                    de:9b:fd:6d:b2:d6:8d:3e:e1:85:cd:c2:bc:5c:6a:
                    7c:a0:61:c3:2d:04:f4:08:c8:8b:55:bc:13:14:45:
                    7c:0f:e7:70:a4:f5:fb:12:fc:20:8a:2b:92:3c:e3:
                    03:1a:68:b5:3b:3a:6c:63:99
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name:
                Certificate Basic Constraints
            Data: Is not a CA.

            Name:
                Certificate Type
            Data: <Object Signing>

            Name:
                Certificate Comment
            Comment: "Not valid for anything other than testing purposes"

            Name:
                Certificate Subject Key ID
            Data:
                04:14:4e:a2:7a:03:da:4d:8c:86:5c:38:5d:93:3b:d2:
                55:0e:8d:b8:11:90

            Name:
                Certificate Authority Key Identifier
            Data: Sequence {
                Option 0
                    18:9f:6e:62:1e:f2:31:2d:e4:1b:74:f3:a3:35:63:
                    3e:84:43:df:42
                Option 1
                    84:a4:81:81:30:7f:31:0b:30:09:06:03:55:04:06:
                    13:02:54:57:31:0f:30:0d:06:03:55:04:08:13:06:
                    54:61:69:77:61:6e:31:0f:30:0d:06:03:55:04:07:
                    13:06:54:61:69:70:65:69:31:15:30:13:06:03:55:
                    04:0a:13:0c:54:65:73:74:20:43:6f:6d:70:61:6e:
                    79:31:15:30:13:06:03:55:04:03:13:0c:54:65:73:
                    74:20:52:6f:6f:74:20:43:41:31:20:30:1e:06:09:
                    2a:86:48:86:f7:0d:01:09:01:16:11:74:65:73:74:
                    52:6f:6f:74:40:74:65:73:74:2e:63:6f
                6d:82:01:01
            }

    Fingerprint (MD5):
        D4:1D:8C:D9:8F:00:B2:04:E9:80:09:98:EC:F8:42:7E
    Fingerprint (SHA1):
        DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09

    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Signature:
        0d:f3:e8:cc:40:90:26:db:0c:2c:1d:aa:75:2b:19:bd:07:b6:
        9a:40:30:db:ec:2d:ed:c6:b3:46:da:14:80:ed:be:15:c5:9e:
        59:22:77:35:8b:18:b6:a2:c6:52:92:6d:64:df:8b:d1:51:99:
        3d:3b:ca:5f:f8:65:a0:61:1e:0e:92:a0:49:a4:d3:c2:87:c0:
        d6:ee:b1:a2:0c:81:f7:ad:7a:9d:75:a5:a0:0d:de:3b:30:f3:
        e0:f9:a8:b8:87:a9:1a:4b:02:b0:ab:9c:94:31:3a:d8:ed:ab:
        86:7d:9a:5a:89:bb:3c:1a:68:2d:6c:b0:97:2e:75:ab:34:b3:
        5a:ef
    Certificate Trust Flags:
        SSL Flags:
            User
        Email Flags:
            User
        Object Signing Flags:
            User

======================================================================
