[EMAIL PROTECTED] (Loren) wrote in message
news:<[EMAIL PROTECTED]>...
> After digging more into this problem, I found the old subject was
> misleading, so I changed it; please refer to the "incompatible cert7.db and
> key3.db for Mozilla and Communicator" thread for the history.
>
>
> OK, I got to tackle this since there is no other way out for me :(
>
>
> environment:
> Red Hat Linux 7.3 Kernel 2.4.18
> nss-3.6
> nspr-4.2.2
> openssl 0.9.6g
>
>
> This is the output of signtool -L
> loren@home:~/nss/nss-3.6/bin$ ./signtool -d . -L
> using certificate directory: .
>
> S Certificates
> - ------------
> Test Root CA - Test Company
> * Test User One
> - ------------
> Certificates that can be used to sign objects have *'s to their left.
>
>
> The -l gave following output:
>
> loren@home:~/nss/nss-3.6/bin$ ./signtool -d . -l
> using certificate directory: .
>
> Object signing certificates
> ---------------------------------------
> Test User One
> Issued by: Test Root CA - Test Company (Test Root CA)
> Expires: Tue Oct 28, 2003
> Assertion failure: 0, at certvfy.c:1483
> Aborted
>
> Using gdb and running signtool -l again, the stack trace shows that the
> PORT_Assertion fails at the default clause of the switch
> (certUsage) block of the function CERT_VerifyCert(), where the value
> of certUsage is certUsageAnyCA. However, I did add an object signing
> CA extension as nsCertType for the CA cert, and checked the trust
> setting for identifying software makers only in Mozilla, but I don't
> know where the certUsageAnyCA in the trust flag comes from. So, the
> problem is: why certUsageAnyCA, and how can I get past the
> PORT_Assertion?
>
> Any hint is greatly appreciated.
>
>
>
> PS. Using certutil -L -n to dump the certs:
>
> Root cert:
> =====================================================================
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 1 (0x1)
> Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
> Issuer: [EMAIL PROTECTED], CN=Test Root CA, O=Test Company,
> L=Taipei, ST=Taiwan, C=TW
> Validity:
> Not Before: Tue Oct 29 07:42:47 2002
> Not After: Mon Oct 29 07:42:47 2007
> Subject: [EMAIL PROTECTED], CN=Test Root CA, O=Test Company,
> L=Taipei, ST=Taiwan, C=TW
> Subject Public Key Info:
> Public Key Algorithm: PKCS #1 RSA Encryption
> RSA Public Key:
> Modulus:
> 00:c4:7a:a9:fa:0f:d5:b5:0d:32:ab:09:6d:b6:f0:
> 69:a3:b6:30:d6:54:c4:2b:6d:52:68:db:7e:7d:ba:
> bb:ea:5d:76:ce:df:74:61:68:f0:6a:09:f7:13:c8:
> a2:83:cc:fc:5f:22:ca:a8:b1:b9:a0:a1:aa:1c:fc:
> 91:8f:8e:61:81:06:93:69:11:df:d4:60:31:f4:3a:
> e9:63:10:1f:a2:79:19:9b:0c:08:df:78:42:86:ac:
> 8b:4a:c0:29:7d:dc:57:75:b7:7a:eb:cf:44:87:00:
> 5a:f1:91:46:d0:c7:f1:5b:f1:9c:20:8c:cb:63:3f:
> 95:d3:de:c3:26:96:1d:63:67
> Exponent: 65537 (0x10001)
> Signed Extensions:
> Name:
> Certificate Subject Key ID
> Data:
> 04:14:18:9f:6e:62:1e:f2:31:2d:e4:1b:74:f3:a3:35:
> 63:3e:84:43:df:42
>
> Name:
> Certificate Authority Key Identifier
> Data: Sequence {
> Option 0
> 18:9f:6e:62:1e:f2:31:2d:e4:1b:74:f3:a3:35:63:
> 3e:84:43:df:42
> Option 1
> 84:a4:81:81:30:7f:31:0b:30:09:06:03:55:04:06:
> 13:02:54:57:31:0f:30:0d:06:03:55:04:08:13:06:
> 54:61:69:77:61:6e:31:0f:30:0d:06:03:55:04:07:
> 13:06:54:61:69:70:65:69:31:15:30:13:06:03:55:
> 04:0a:13:0c:54:65:73:74:20:43:6f:6d:70:61:6e:
> 79:31:15:30:13:06:03:55:04:03:13:0c:54:65:73:
> 74:20:52:6f:6f:74:20:43:41:31:20:30:1e:06:09:
> 2a:86:48:86:f7:0d:01:09:01:16:11:74:65:73:74:
> 52:6f:6f:74:40:74:65:73:74:2e:63:6f
> 6d:82:01:01
> }
>
> Name:
> Certificate Basic Constraints
> Data: Is a CA with a maximum path length of -2.
>
> Name:
> Certificate Key Usage
> Data:
> 03:02:01:06
>
> Name:
> Certificate Type
> Data: <ObjectSigning CA>
>
> Fingerprint (MD5):
> D4:1D:8C:D9:8F:00:B2:04:E9:80:09:98:EC:F8:42:7E
> Fingerprint (SHA1):
> DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09
>
> Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
> Signature:
> 67:c4:a5:66:c9:ae:52:eb:d2:ff:74:04:59:b6:af:a4:a8:98:
> 8e:ee:ce:28:16:bf:20:a0:64:2f:a0:e7:95:3c:35:9c:04:0e:
> d7:44:1c:fa:8b:72:7e:cf:bd:b1:94:56:5f:23:72:83:37:28:
> 00:d6:08:4e:22:56:de:19:5f:e3:d2:3e:37:61:6e:ae:8c:9b:
> ad:34:79:62:8b:1c:a0:b4:cd:c1:2b:b3:5f:94:52:43:33:e6:
> da:cd:a2:03:ca:be:93:9b:ff:e0:07:96:d9:40:fe:d2:7c:50:
> cf:a9:a9:7b:e4:47:37:f0:3f:00:9d:dc:30:f4:59:65:34:3b:
> 90:fb
> Certificate Trust Flags:
> SSL Flags:
> Valid CA
> Email Flags:
> Valid CA
> Object Signing Flags:
> Valid CA
> Trusted CA
>
> ======================================================================
>
>
> object signing client cert:
>
> ======================================================================
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 2 (0x2)
> Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
> Issuer: [EMAIL PROTECTED], CN=Test Root CA, O=Test Company,
> L=Taipei, ST=Taiwan, C=TW
> Validity:
> Not Before: Tue Oct 29 07:46:12 2002
> Not After: Wed Oct 29 07:46:12 2003
> Subject: [EMAIL PROTECTED], CN=Test User One, O=Test Company,
> ST=Taiwan, C=TW
> Subject Public Key Info:
> Public Key Algorithm: PKCS #1 RSA Encryption
> RSA Public Key:
> Modulus:
> 00:e2:f0:cf:fd:48:30:fa:96:82:a4:61:4f:c8:ac:
> c4:7d:62:c8:88:15:eb:70:44:ad:3f:a2:b7:c6:43:
> b6:3e:c3:b2:c5:6a:99:b1:76:28:3b:f2:10:d5:04:
> fa:fc:dd:db:a8:d7:06:64:4b:af:58:6c:c1:17:04:
> d6:24:4c:c6:0c:c5:2e:6e:25:05:c5:27:03:7b:a4:
> de:9b:fd:6d:b2:d6:8d:3e:e1:85:cd:c2:bc:5c:6a:
> 7c:a0:61:c3:2d:04:f4:08:c8:8b:55:bc:13:14:45:
> 7c:0f:e7:70:a4:f5:fb:12:fc:20:8a:2b:92:3c:e3:
> 03:1a:68:b5:3b:3a:6c:63:99
> Exponent: 65537 (0x10001)
> Signed Extensions:
> Name:
> Certificate Basic Constraints
> Data: Is not a CA.
>
> Name:
> Certificate Type
> Data: <Object Signing>
>
> Name:
> Certificate Comment
> Comment: "Not valid for anything other than testing
> purposes"
>
> Name:
> Certificate Subject Key ID
> Data:
> 04:14:4e:a2:7a:03:da:4d:8c:86:5c:38:5d:93:3b:d2:
> 55:0e:8d:b8:11:90
>
> Name:
> Certificate Authority Key Identifier
> Data: Sequence {
> Option 0
> 18:9f:6e:62:1e:f2:31:2d:e4:1b:74:f3:a3:35:63:
> 3e:84:43:df:42
> Option 1
> 84:a4:81:81:30:7f:31:0b:30:09:06:03:55:04:06:
> 13:02:54:57:31:0f:30:0d:06:03:55:04:08:13:06:
> 54:61:69:77:61:6e:31:0f:30:0d:06:03:55:04:07:
> 13:06:54:61:69:70:65:69:31:15:30:13:06:03:55:
> 04:0a:13:0c:54:65:73:74:20:43:6f:6d:70:61:6e:
> 79:31:15:30:13:06:03:55:04:03:13:0c:54:65:73:
> 74:20:52:6f:6f:74:20:43:41:31:20:30:1e:06:09:
> 2a:86:48:86:f7:0d:01:09:01:16:11:74:65:73:74:
> 52:6f:6f:74:40:74:65:73:74:2e:63:6f
> 6d:82:01:01
> }
>
> Fingerprint (MD5):
> D4:1D:8C:D9:8F:00:B2:04:E9:80:09:98:EC:F8:42:7E
> Fingerprint (SHA1):
> DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09
>
> Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
> Signature:
> 0d:f3:e8:cc:40:90:26:db:0c:2c:1d:aa:75:2b:19:bd:07:b6:
> 9a:40:30:db:ec:2d:ed:c6:b3:46:da:14:80:ed:be:15:c5:9e:
> 59:22:77:35:8b:18:b6:a2:c6:52:92:6d:64:df:8b:d1:51:99:
> 3d:3b:ca:5f:f8:65:a0:61:1e:0e:92:a0:49:a4:d3:c2:87:c0:
> d6:ee:b1:a2:0c:81:f7:ad:7a:9d:75:a5:a0:0d:de:3b:30:f3:
> e0:f9:a8:b8:87:a9:1a:4b:02:b0:ab:9c:94:31:3a:d8:ed:ab:
> 86:7d:9a:5a:89:bb:3c:1a:68:2d:6c:b0:97:2e:75:ab:34:b3:
> 5a:ef
> Certificate Trust Flags:
> SSL Flags:
> User
> Email Flags:
> User
> Object Signing Flags:
> User
>
> =====================================================================
Furthermore, I commented out the PORT_Assert(0), rebuilt nss and ran
signtool -l; the output is:
loren@home:~/nss/nss-3.6/bin$ ./signtool -d . -l
using certificate directory: /home/loren/.mozilla/loren/q42jd4is.slt/
Object signing certificates
---------------------------------------
Test User One
Issued by: Test Root CA - Test Company (Test Root CA)
Expires: Wed Oct 29, 2003
++ Error ++ ISSUER CERT "Test Root CA - Test Company" IS NOT VALID
(extension not found)
---------------------------------------
For a list including CA's, use "signtool -L"
What extension is signtool looking for?
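Added example (not part of Loren's post, and not NSS or signtool code): a stdlib-only Python decoder for the extension values that certutil prints as raw hex in the dumps above. It decodes the root's Key Usage (`03:02:01:06`) and Subject Key ID bytes exactly as quoted, checks that the user cert's Authority Key Identifier points at that root, and reports the three bits that matter for a certificate acting as an object-signing issuer: the Basic Constraints cA flag, keyCertSign in Key Usage, and objectSigningCA in nsCertType. certutil prints nsCertType already decoded, so the raw nsCertType encodings in the block are constructed samples (bit 7 for the root, bit 3 for the user cert), labelled as such. One caveat on reading the dump: "maximum path length of -2" is certutil's rendering of an unlimited path length (NSS's CERT_UNLIMITED_PATH_CONSTRAINT), not a malformed constraint.

```python
"""Decode DER extension values from certutil -L -n output (Key Usage,
nsCertType, Subject Key ID) and summarise the CA-related bits."""
from typing import Dict, List, Tuple

# RFC 5280 KeyUsage bit names, bit 0 = leftmost bit of the BIT STRING.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]

# Netscape certificate type (nsCertType) bit names, bit 0 first.
NS_CERT_TYPE_BITS = [
    "sslClient", "sslServer", "smime", "objectSigning",
    "reserved", "sslCA", "smimeCA", "objectSigningCA",
]

# Values copied from the certutil dumps quoted in the thread.
ROOT_KEY_USAGE_HEX = "03:02:01:06"
ROOT_SUBJECT_KEY_ID_HEX = ("04:14:18:9f:6e:62:1e:f2:31:2d:e4:1b:74:f3:a3:35:"
                           "63:3e:84:43:df:42")
USER_AKI_KEY_ID_HEX = ("18:9f:6e:62:1e:f2:31:2d:e4:1b:74:f3:a3:35:63:"
                       "3e:84:43:df:42")
# certutil shows nsCertType decoded, so these raw encodings are CONSTRUCTED
# samples: bit 7 (objectSigningCA) for the root, bit 3 (objectSigning) for
# the user cert, each with the minimal number of unused trailing bits.
ROOT_NS_CERT_TYPE_HEX = "03:02:00:01"
USER_NS_CERT_TYPE_HEX = "03:02:04:10"


def from_colon_hex(text: str) -> bytes:
    """Turn certutil's 'aa:bb:cc' dump (possibly multi-line) into bytes."""
    return bytes.fromhex("".join(text.split()).replace(":", ""))


def der_tlv(data: bytes) -> Tuple[int, bytes]:
    """Parse one DER TLV (short or long form length); return (tag, value)."""
    tag, length, offset = data[0], data[1], 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(data[2:2 + nbytes], "big")
        offset += nbytes
    value = data[offset:offset + length]
    if len(value) != length:
        raise ValueError("truncated DER value")
    return tag, value


def decode_bit_string(der: bytes, names: List[str]) -> List[str]:
    """Decode a DER BIT STRING (tag 0x03) into the names of its set bits."""
    tag, value = der_tlv(der)
    if tag != 0x03:
        raise ValueError(f"expected BIT STRING, got tag 0x{tag:02x}")
    unused, bits = value[0], value[1:]
    total_bits = len(bits) * 8 - unused
    found = []
    for i in range(total_bits):
        byte, shift = divmod(i, 8)
        if bits[byte] & (0x80 >> shift):
            found.append(names[i] if i < len(names) else f"bit{i}")
    return found


def decode_octet_string(der: bytes) -> bytes:
    """Decode a DER OCTET STRING (tag 0x04), e.g. a Subject Key ID value."""
    tag, value = der_tlv(der)
    if tag != 0x04:
        raise ValueError(f"expected OCTET STRING, got tag 0x{tag:02x}")
    return value


def issuer_report(key_usage_hex: str, ns_cert_type_hex: str,
                  is_ca: bool) -> Dict[str, bool]:
    """Which of the bits relevant to an object-signing issuer are present."""
    key_usage = decode_bit_string(from_colon_hex(key_usage_hex), KEY_USAGE_BITS)
    cert_type = decode_bit_string(from_colon_hex(ns_cert_type_hex),
                                  NS_CERT_TYPE_BITS)
    return {
        "basicConstraints.cA": is_ca,
        "keyUsage.keyCertSign": "keyCertSign" in key_usage,
        "nsCertType.objectSigningCA": "objectSigningCA" in cert_type,
    }


def chain_links(root_skid_hex: str, user_aki_keyid_hex: str) -> bool:
    """True when the user cert's AKI keyIdentifier equals the root's SKID."""
    return decode_octet_string(from_colon_hex(root_skid_hex)) == \
        from_colon_hex(user_aki_keyid_hex)


if __name__ == "__main__":
    print("root keyUsage:", decode_bit_string(from_colon_hex(ROOT_KEY_USAGE_HEX),
                                              KEY_USAGE_BITS))
    print("root report:", issuer_report(ROOT_KEY_USAGE_HEX,
                                        ROOT_NS_CERT_TYPE_HEX, is_ca=True))
    print("user nsCertType:", decode_bit_string(
        from_colon_hex(USER_NS_CERT_TYPE_HEX), NS_CERT_TYPE_BITS))
    print("AKI -> SKID match:", chain_links(ROOT_SUBJECT_KEY_ID_HEX,
                                            USER_AKI_KEY_ID_HEX))
```

Run against the quoted values, the root decodes to keyCertSign plus cRLSign and the user cert's AKI keyIdentifier matches the root's Subject Key ID, so the raw bytes agree with what the trust flags and the `<ObjectSigning CA>` line claim; the decoder is a way to confirm that a rebuilt database carries the same extension bits before pointing signtool at it.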