> bob,
Bob is away.
> Some changes have been made in the opensc pkcs11 module.
> But before commenting on that, we would like to ask you a thing:
> NSS_CMSEncoder_Finish fails now under weird circumstances: we have added
> some log in that function. Before the call to
> 'SEC_ASN1EncoderUpdate(p7ecx->exc)' we check the value of 'p7ecx->error'.
> It is 0. Then we check the same value after that function call and it is not
> 0, but -12285. The weird thing is that we also log in
> 'SEC_ASN1EncoderUpdate' function and it returns with SECSuccess. How can
> this situation be possible? I mean, that the encoding is ok, but
> p7ecx->error is set != 0 ?
The PKCS7 decoder and the ASN.1 decoder work together. The PKCS7 decoder registers callback functions that are called by the ASN.1 decoder to process portions of the message. It is possible for a message to be correctly ASN.1 encoded but not correctly PKCS7 encoded, or vice versa. So, it is possible to call the ASN.1 decoder, and get a PKCS7 error as a result, even though there was no ASN.1 error.
> Also, I tried to find the definition of error 12285 without success.
http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html#1040292
Although this is an SSL error code, it is also used by NSS in non-SSL functions. It seems to mean "certificate not found", such as when trying to find a certificate on a token that goes with a private key.
> Thanks in advance, rf
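
The layering described in the reply, as an added example that is not part of the thread and is not NSS code: a small C model in which an inner encoder calls an outer layer's callback, the callback records an error in the outer context, and the inner update still returns success. All type and function names are hypothetical; only the value -12285 is taken from the thread.

```c
#include <stdio.h>

/* Constructed model; none of these names are NSS APIs. */
#define MODEL_OK 0
#define MODEL_FAIL (-1)
#define MODEL_ERR_NO_CERT (-12285) /* value quoted in the thread */

typedef void (*notify_fn)(void *arg, int field);
typedef struct { notify_fn notify; void *arg; int done; } inner_encoder;
typedef struct { inner_encoder inner; int error; int have_cert; } outer_ctx;

/* Outer-layer callback: records its own failure in the outer context. */
static void outer_notify(void *arg, int field) {
    outer_ctx *cx = arg;
    if (field == 1 && !cx->have_cert)   /* assumed: field 1 needs a cert */
        cx->error = MODEL_ERR_NO_CERT;
}

/* Inner update: returns only the inner layer's own encoding status. */
static int inner_update(inner_encoder *e, int nfields) {
    for (int i = 0; i < nfields; i++)
        e->notify(e->arg, e->done++);
    return MODEL_OK;
}

/* Outer finish: checks the inner return value and the context error. */
static int outer_finish(outer_ctx *cx, int *inner_rv) {
    *inner_rv = inner_update(&cx->inner, 3);
    return (*inner_rv != MODEL_OK || cx->error != 0) ? MODEL_FAIL : MODEL_OK;
}

/* Runs one pass and reports all three observable values. */
static int run_model(int have_cert, int *inner_rv, int *ctx_error) {
    outer_ctx cx = { { outer_notify, NULL, 0 }, 0, have_cert };
    cx.inner.arg = &cx;
    int rv = outer_finish(&cx, inner_rv);
    *ctx_error = cx.error;
    return rv;
}

int main(void) {
    int irv, err;
    int rv = run_model(0, &irv, &err);
    printf("no cert:   finish=%d inner=%d ctx.error=%d\n", rv, irv, err);
    rv = run_model(1, &irv, &err);
    printf("with cert: finish=%d inner=%d ctx.error=%d\n", rv, irv, err);
    return 0;
}
```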
