alex21 wrote:
> I'm verifying certificates in the chain. I found that I cannot reinitialize NSS after calling CERT_VerifyCertificate, because at some point it increments Pk11 slot reference counter. Here's the sequence:

Well here's one problem... CERT_DecodeDERCertificate does not return a full cert pointer... It's meant to be a private, internal function, which got exported for historical reasons. It certainly is not one you can safely use with 'CERT_VerifyCertificate()'. Try using one of the Import Cert functions (preferred), or CERT_NewTempCert().

> PK11SlotInfo *slot = PK11_GetInternalKeySlot(); // just for tracking purposes
> // slot->refCount = 2 at this point
> // ... import PKCS12 into NSS storage - too long to be mentioned here
> // slot->refCount = 2 at this point
> CERTCertificateList *chain = CERT_CertChainFromCert(pct, certUsageObjectSigner, PR_TRUE); // pct is signer's certificate
> // in the loop for each certificate:
> CERTCertificate *cert = CERT_DecodeDERCertificate (&chain->certs[i], PR_TRUE, NULL);

Be sure to destroy the cert when you are done.

> // slot->refCount = 2 at this point
> res = CERT_VerifyCertificate(handle,cert,PR_TRUE,0,pTime,myStruc,&log,&returnedUsages);
> // slot->refCount = 3 at this point for the signer certificate.
>
> So, the question is what to release/destroy in order to decrement "refCount" back to original... Or how to avoid this increment. Otherwise I'm not able to properly shutdown NSS and therefore NSS_Initialize fails as well.
>
> Thanks,
> Alex
