I'm porting a C++ app from OpenSSL/libcrypto to NSS. My app uses
libcrypto to verify and decode a PKCS7 blob (signed by a cert issued
by my own self-signed root cert). With libcrypto, this is quite
straightforward. With NSS, however, I'm having trouble verifying the
PKCS7.

CERT_ImportCerts() and CERT_CheckCertUsage() return
SEC_ERROR_EXTENSION_NOT_FOUND for my root cert, regardless of the
SECCertUsage I specify. Is NSS more strict about cert usages and
extensions than libcrypto?

To verify my PKCS7 with libcrypto, I create an in-memory cert store
containing my root cert and then ask PKCS7_verify() to look in my cert
store. Something like:

       // needs <openssl/bio.h>, <openssl/x509.h>, <openssl/pkcs7.h>

       // create root cert (d2i_X509_bio takes an optional X509** out-param)
       BIO* rootCertBIO = BIO_new_mem_buf(rootCertDER, rootCertDERLength);
       X509* rootCert = d2i_X509_bio(rootCertBIO, NULL);

       // create cert store containing my root cert
       X509_STORE* certStore = X509_STORE_new();
       X509_STORE_add_cert(certStore, rootCert);

       // create PKCS7
       BIO* input = BIO_new_mem_buf(src, lenSrc);
       PKCS7* pkcs7 = d2i_PKCS7_bio(input, NULL);

       // verify and decode PKCS7; the signed content is written to output
       BIO* output = BIO_new(BIO_s_mem());
       // PKCS7_verify() returns 1 on success, 0 on failure
       bool trusted = PKCS7_verify(pkcs7, NULL, certStore, NULL,
                                   output, PKCS7_BINARY) == 1;

NSS's CMS functions don't seem quite as straightforward.
SEC_PKCS7VerifySignature() or NSS_CMSSignedData_VerifySignerInfo()
return errors when I try to verify that my PKCS7's cert chain is
trusted by my root cert.

On the other hand, I can successfully use NSS's PKCS7 or CMS functions
to DER-decode the PKCS7 and look at its certs. I can even manually
walk the cert chain and use CERT_VerifySignedData() to verify each
cert is signed by the next cert. I just can't figure out how to verify
that the PKCS7's contents were signed by this cert chain.

Also, what is the scope of NSS's default cert DB, the handle returned
by CERT_GetDefaultCertDB()? If I import certs into the default cert
DB, would other processes (e.g. Firefox) see them? Would they remain
in the cert db after my app exits? If I try to CERT_ImportCerts() with
keepCerts=PR_TRUE, I get a SEC_ERROR_BAD_DATABASE error.


thanks,
chris
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto