I'm porting a C++ app from OpenSSL/libcrypto to NSS. My app uses libcrypto to verify and decode a PKCS7 blob (signed by a cert issued my own self-signed root cert). With libcrypto, this is quite straightforward. With NSS, however, I'm having trouble verifying the PKCS7.
CERT_ImportCerts() and CERT_CheckCertUsage() return SEC_ERROR_EXTENSION_NOT_FOUND for my root cert, regardless of the SECCertUsage I specify. Is NSS more strict about cert usages and extensions than libcrypto? To verify my PKCS7 with libcrypto, I create an in-memory cert store containing my root cert and then ask PKCS7_verify() to look in my cert store. Something like: // create root cert BIO* rootCertBIO = BIO_new_mem_buf(rootCertDER, rootCertDERLength); X509* rootCert = d2i_X509_bio(rootCertBIO); // create cert store containing my root cert X509_STORE* certStore = X509_STORE_new(); X509_STORE_add_cert(certStore, rootCert); // create PKCS7 BIO* input = BIO_new_mem_buf(src, lenSrc); PKCS7* pkcs7 = d2i_PKCS7_bio(input, NULL); // verify and decode PKCS7 BIO* output = BIO_new(BIO_s_mem()); bool trusted = PKCS7_verify(pkcs7, NULL, certStore, NULL, output, PKCS7_BINARY); NSS's CMS functions don't seem quite as straightforward. SEC_PKCS7VerifySignature() or NSS_CMSSignedData_VerifySignerInfo() return errors when I try to verify that my PKCS7's cert chain is trusted by my root cert. On the other hand, I can successfully use NSS's PKCS7 or CMS functions to DER-decode the PKCS7 and look at its certs. I can even manually walk the cert chain and use CERT_VerifySignedData() to verify each cert is signed by the next cert. I just can't figure out how to verify that the PKCS7's contents were signed by this cert chain. Also, what is the scope of NSS's default cert DB, the handle returned by CERT_GetDefaultCertDB()? If I import certs into the default cert DB, would other processes (e.g. Firefox) see them? Would they remain in the cert db after my app exits? If I try to CERT_ImportCerts() with keepCerts=PR_TRUE, I get a SEC_ERROR_BAD_DATABASE error. thanks, chris _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto