[EMAIL PROTECTED] wrote:
> I'm trying to get the Firefox browser to check client certificates via
> OCSP to a Tumbleweed OCSP Responder. I can see the browser make a query
> to the Responder, and see that the Responder accepts the request and
> issues a response (with the proper status). Firefox, however, is not
> happy with the response, and spits out a generic "8182" error which
> seems to indicate that it could not verify the signature on the
> response.

That's error -8182, and it's a very specific error code. It means that
it attempted to validate a signature using a public key (presumably
the signature in the OCSP response, using the public key in the
responder's or issuer's cert), and the signature check failed.

> I have tried directly adding the responder's signing
> certificate into Firefox's certificate stores, as well as just having
> the browser trust the issuing CA of the responder cert - without any
> change in behavior.

This particular error code has nothing to do with cert extensions, trust
flags, built-in roots, expired certs or anything but the signature itself.

> Anybody know what I could be missing?

It is conceivable that the signature is being reported as bad because
NSS thinks the public key being used to verify the signature is invalid.
For DSA keys in particular, if the Prime P doesn't meet the requirements
of FIPS 186, NSS will deem the key to be bad. Similarly, RSA public
keys can be too big or too small or have invalid public exponents.

> Thanks in advance.

--
Nelson B
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto