Hi List,
When I try to sign a script with signtool (NSS 3.6) and my test certs, I
find it fails on verifying the signing cert, and certutil -O can't
construct the chain either.
Tracing down the problem, it appears that the culprit lives in the
function nss3certificate_matchIdentifier(), at pki3hack.c:277: when
building up the chain, it checks whether the caName/caSN of the
authKeyId extension of the client cert are equal to the *subjectName*/serial
number of its issuer cert, when they should be compared against the
issuerName/serial number. The stack dump of signtool -Z follows. For
now, the workaround seems to be leaving out the caName/caSN of the
authKeyId (the keyId alone will do), or just leaving out the authKeyId
entirely.
Loren
(gdb) bt
#0  nss3certificate_matchIdentifier (dc=0x81980d8, id=0x81948b8) at pki3hack.c:273
#1  0x080b56bd in filter_subject_certs_for_id (subjectCerts=0x819cbf8, id=0x81948b8) at certificate.c:300
#2  0x080b5999 in find_cert_issuer (c=0x8196d40, timeOpt=0x8197578, usage=0xbfffdfb0, policiesOpt=0x0) at certificate.c:402
#3  0x080b5aec in nssCertificate_BuildChain (c=0x8196d40, timeOpt=0x8197578, usage=0xbfffe060, policiesOpt=0x0, rvOpt=0xbfffe050, rvLimit=2, arenaOpt=0x0, statusOpt=0xbfffe04c) at certificate.c:473
#4  0x080b5bc4 in NSSCertificate_BuildChain (c=0x8196d40, timeOpt=0x8197578, usage=0xbfffe060, policiesOpt=0x0, rvOpt=0xbfffe050, rvLimit=2, arenaOpt=0x0, statusOpt=0xbfffe04c) at certificate.c:510
#5  0x08081c39 in CERT_FindCertIssuer (cert=0x8196340, validTime=1038299140138892, usage=certUsageObjectSigner) at certvfy.c:378
#6  0x080824a3 in cert_VerifyCertChain (handle=0x818cf28, cert=0x8196340, checkSig=1, sigerror=0x0, certUsage=certUsageObjectSigner, t=1038299140138892, wincx=0x0, log=0x0, doCRL=1, revoked=0x0) at certvfy.c:734
#7  0x08082bec in CERT_VerifyCertChain (handle=0x818cf28, cert=0x8196340, checkSig=1, certUsage=certUsageObjectSigner, t=1038299140138892, wincx=0x0, log=0x0) at certvfy.c:965
#8  0x08083e11 in CERT_VerifyCert (handle=0x818cf28, cert=0x8196340, checkSig=1, certUsage=certUsageObjectSigner, t=1038299140138892, wincx=0x0, log=0x0) at certvfy.c:1573
#9  0x080728c9 in sec_pkcs7_add_signer (cinfo=0x81985f8, cert=0x8196340, certusage=certUsageObjectSigner, certdb=0x818cf28, digestalgtag=SEC_OID_SHA1, digestdata=0xbfffe2c0) at p7create.c:229
#10 0x08072da2 in SEC_PKCS7CreateSignedData (cert=0x8196340, certusage=certUsageObjectSigner, certdb=0x0, digestalg=SEC_OID_SHA1, digest=0xbfffe2c0, pwfn=0, pwfn_arg=0x0) at p7create.c:423
#11 0x08056bf9 in SignFile (outFile=0x81983e8, inFile=0x8198278, cert=0x8196340) at sign.c:622
#12 0x08055fc5 in create_pk7 (dir=0x8176a78 "empty", keyName=0x8176a28 "Generic Plugin A:Test Obj Sign User Two", keyType=0xbffff58c) at sign.c:268
#13 0x0805599b in SignArchive (tree=0x8176a78 "empty", keyName=0x8176a28 "Generic Plugin A:Test Obj Sign User Two", zip_file=0x8176a58 "sign.jar", javascript=0, meta_file=0x0, install_script=0x0, _optimize=0, recurse=1) at sign.c:84
#14 0x08050d2c in main (argc=10, argv=0xbffff864) at signtool.c:1034
#15 0x42017499 in __libc_start_main () from /lib/i686/libc.so.6
(gdb)
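To make the comparison in the post concrete, here is an added Python model of the issuer lookup during chain building. It is example code written for this note, not NSS's own code: certificates are plain dicts, the three-cert chain (root, intermediate, end-entity) and its names and serials are constructed, and the `compare_subject=True` switch reproduces the mix-up described above, where the AKID's caName is checked against the candidate issuer's subject name rather than its issuer name. RFC 3280 section 4.2.1.1 defines authorityCertIssuer and authorityCertSerialNumber as the issuer name and serial number of the CA certificate itself, which is why the correct comparison uses the candidate's own issuer field.

```python
# Added example (not NSS code): a model of issuer lookup by AuthorityKeyIdentifier.
# Certificates are plain dicts; the chain below is constructed for illustration.

ROOT = {
    "subject": "CN=Test Root", "issuer": "CN=Test Root", "serial": 1,
    "keyid": b"\x01", "akid": None,
}
INTERMEDIATE = {
    "subject": "CN=Test Intermediate", "issuer": "CN=Test Root", "serial": 2,
    "keyid": b"\x02",
    # caName/caSN name the issuer's *own* issuer and the issuer's serial:
    # ROOT was issued by "CN=Test Root" and carries serial 1.
    "akid": {"keyid": b"\x01", "caName": "CN=Test Root", "caSN": 1},
}
END_ENTITY = {
    "subject": "CN=Test Obj Sign User Two", "issuer": "CN=Test Intermediate",
    "serial": 3, "keyid": b"\x03",
    # INTERMEDIATE was issued by "CN=Test Root" and carries serial 2.
    "akid": {"keyid": b"\x02", "caName": "CN=Test Root", "caSN": 2},
}
STORE = [ROOT, INTERMEDIATE]  # the candidate issuers available to the lookup


def match_identifier(candidate, akid, compare_subject=False):
    """Does `candidate` satisfy the AKID of a cert that names it as issuer?

    authorityCertIssuer/authorityCertSerialNumber (caName/caSN) identify the
    CA certificate by *its* issuer name and serial, so the correct check uses
    candidate["issuer"].  compare_subject=True reproduces the mistake from the
    post: caName is compared with the candidate's subject instead.
    """
    if akid is None:
        return True  # no AKID: a subject-name match is all we can ask for
    if akid.get("keyid") is not None and candidate["keyid"] != akid["keyid"]:
        return False
    if akid.get("caName") is not None:
        name = candidate["subject"] if compare_subject else candidate["issuer"]
        if name != akid["caName"] or candidate["serial"] != akid["caSN"]:
            return False
    return True


def find_issuer(cert, store, compare_subject=False):
    """First store cert whose subject is cert's issuer and whose AKID matches."""
    for c in store:
        if c["subject"] == cert["issuer"] and match_identifier(c, cert["akid"], compare_subject):
            return c
    return None


def build_chain(cert, store, compare_subject=False):
    """Walk issuers up to a self-signed cert; None if no issuer can be found."""
    chain = [cert]
    while chain[-1]["subject"] != chain[-1]["issuer"]:
        issuer = find_issuer(chain[-1], store, compare_subject)
        if issuer is None:
            return None
        chain.append(issuer)
    return chain


def with_keyid_only_akid(cert):
    """The post's workaround: keep keyId, drop caName/caSN from the AKID."""
    akid = cert["akid"]
    return {**cert, "akid": {"keyid": akid["keyid"]} if akid else None}


def subjects(chain):
    return [c["subject"] for c in chain] if chain else None


if __name__ == "__main__":
    print("issuer-name compare :", subjects(build_chain(END_ENTITY, STORE)))
    print("subject-name compare:", subjects(build_chain(END_ENTITY, STORE, True)))
    print("keyId-only AKID     :",
          subjects(build_chain(with_keyid_only_akid(END_ENTITY), STORE, True)))
```

In this model the subject-name comparison fails exactly at the end-entity to intermediate step, because the intermediate's subject is not the name in the end-entity's caName; the intermediate to root step passes either way, since a self-signed root's subject and issuer coincide. Dropping caName/caSN from the end-entity's AKID, as the post suggests, makes the chain build again even with the wrong comparison in place.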