Re: CMSUTIL Problem

2010-11-11 Thread Nelson B Bolyard
> gdrootca.cer
> certutil -A -d ./database -n gdca1 -t CT,C,, -i gdca1.cer
>
> certutil -L -d ./database shows:
> Stephen Moccaldi's U.S. Government ID  u,u,u
> gdca-root  CT,C,
> gdca1  CT,C,

I'm guessing that gdca1 is an intermediate CA, issued by gdca-root.
Assuming that's correct, then it should NOT have any C flags at all.
I suggest you edit those trust flags and remove all the letters.
e.g. certutil -M -d database -n gdca1 -t ""
Then repeat the -V step shown below.

The only problem caused by having those flags on the wrong cert(s) is that
the signed files you send will not contain the certs they should contain.

> certutil -K -d ./database shows:
>  0 rsab853151eeaf438ea9f55b43bd0a5efedeac8f1a4  Stephen Moccaldi's
> U.S. Government ID
>
> certutil -V -n "Stephen Moccaldi's U.S. Government ID" -u SR -d
> ./database shows:
> certutil: certificate is valid

So, clearly the cert exists and that nickname is valid. I think the smime
perl script is just doing the wrong thing.

> But, when I type:
> cat testmsg.txt | smime -S "Stephen Moccaldi's U.S. Government ID" -p
> passwd -d ./database | mail myemailaddr...@myserver.com
>
> I get the error:
> cmsutil: the corresponding cert for key (null) does not exist:
> Certificate key usage inadequate for attempted operation.
> cmsutil: problem signing: Certificate key usage inadequate for attempted
> operation.

Here's another diagnostic step to try.  Write a little script in your
favorite scripting language that writes out the entire command line with
which it was invoked, as well as a copy of all of stdin that it was given,
to some file, and then exits.  Call your script cmsutil and arrange for
it to be in a directory that's first in your PATH.  Then repeat the test
above, and examine the file created by your script.
If the smime program is mangling the command line options, you will be
able to tell from the output of your script.

> cmsutil: NSS_Shutdown failed:  NSS could not shutdown.  Objects are
> still in use.

That's yet ANOTHER problem.  What version of NSS and cmsutil are you
using?  But I expect that will go away when you solve the key usage problem.

> ERROR: signature generation failed.
> No message, no subject; hope that's ok
>
> I get the same error when I type:
> cmsutil -S -N "Stephen Moccaldi's U.S. Government ID" -i testmsg.txt -o
> testmsg.signed -d ./database -p passwd

OK, so there's a lot of things to try.  Should keep you busy for an hour
or two. :)  Let us know what you find.  If you don't find quick success,
then definitely send us the pretty printed output from pk12util dash ell.

/Nelson the insomniac.  :)
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
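The logging shim Nelson describes above, written out as an added example (it is not code from the thread or from NSS). The log path and the CMSUTIL_SHIM_LOG override are my assumptions; install the file as "cmsutil" in a directory that comes first in PATH, rerun the smime test, and read the log to see the exact argv and stdin the real cmsutil would have received.

```shell
#!/bin/sh
# Added diagnostic shim (not from the thread): save as "cmsutil" in a
# directory that is first in PATH, run the smime test again, then read
# the log to see exactly which argv and stdin the real cmsutil would get.
LOG="${CMSUTIL_SHIM_LOG:-/tmp/cmsutil-shim.log}"   # assumed log location

# record_invocation LOGFILE ARG...: append argv (one per line, bracketed
# so stray whitespace or a truncated nickname is visible) and a verbatim
# copy of stdin to LOGFILE.
record_invocation() {
    log="$1"
    shift
    {
        printf 'argv count: %d\n' "$#"
        i=0
        for arg in "$@"; do
            i=$((i + 1))
            printf 'argv[%d]=[%s]\n' "$i" "$arg"
        done
        printf '%s\n' '--- stdin begins ---'
        cat
        printf '%s\n' '--- stdin ends ---'
    } >> "$log"
}

# Act as the shim only when installed under the name cmsutil, so the
# function above can also be sourced and exercised on its own.
case "$0" in
    */cmsutil|cmsutil)
        record_invocation "$LOG" "$@"
        exit 0
        ;;
esac
```

If the smime wrapper is mangling the nickname, the bracketed argv lines will show it split across several arguments or cut short, exactly the symptom Nelson is asking you to confirm.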


RE: CMSUTIL Problem

2010-11-11 Thread Stephen.Moccaldi
Here is some more information.  

I was able to use the cert in outlook to sign and verify email messages.
The command I am using cat testmsg.txt | smime -S "Stephen Moccaldi's
U.S. Government ID" -p passwd -d ./database | mail
myemailaddr...@myserver.com does use smime but a straight cmsutil
command such as cmsutil -S -N "Stephen Moccaldi's U.S. Government ID"
-i testmsg.txt -o testmsg.signed -d ./database -p passwd also fails
with the same error so I think the problem is in cmsutil not smime.

Cmsutil command fails using a nickname of MyCert as well.

The file I am trying to sign is just a straight text file with no email
headers in it.  All that is in the file is: This is an S/MIME test
message.  Does it need to have the email headers in it and look like an
email message instead of a straight text file in order to use the cert
and key to sign it for email?  Maybe it's saying key usage is inadequate
because it thinks the file is a different kind of file?

I am using nss version 3.12.3.

Further comments are inline below.

Thanks for your help.

Steve Moccaldi
stephen.mocca...@gdc4s.com


-Original Message-
From: dev-tech-crypto-bounces+stephen.moccaldi=gdc4s@lists.mozilla.org On Behalf Of Nelson B Bolyard
Sent: Thursday, November 11, 2010 8:02 AM
To: mozilla's crypto code discussion list
Subject: Re: CMSUTIL Problem

On 2010-11-10 05:41 PDT, stephen.mocca...@gdc4s.com wrote:
> I am on a Linux system and I am trying to send a signed email message
> using cmsutil and the smime toolkit but it fails with the following
> error:
>
> cmsutil: the corresponding cert for key (null) does not exist:
> Certificate key usage inadequate for attempted operation.

Hi Stephen,
There's so much to say here.
I see at least three different issues there.
- 1) the report cert for key does not exist.
- 2) the string (null).  That's annoying, but I think it's a red
herring.  We should deal with it, but I think it's a symptom, not the
cause, of other problems here.
- 3) the error inadequate key usage.

I suspect that only at most one of those is a real problem, and the others
are simply side effects of the real problem.  I'm going to suggest a
number of parallel paths for you to explore.

1. The inadequate key usage problem.  I think it's possible that the
cert IS being found (despite all the apparent evidence to the contrary,
but the cert simply has some extension that makes it ineligible to be
used as an email cert.  Fortunately, we have a way to determine that.
We know that the pk12util program is able to read your Email.p12 file
so use pk12util's -l (dash ell) option to list the content of the file.
It will pretty print out the details of all the certs in that file.
It won't print out any details of the private key, except to say if it
found a private key there or not.  If you can show us the pretty printed
output for that email cert, as shown by pk12util, we can tell by
inspection if the cert really has a key usage problem.  If it does, that's
the real problem, and the solution is for you to get another cert from
your CA.

Here is the output from the pk12util -l command (sorry I had to
sanitize it for public consumption):
This is the .p12 file created when I changed my friendly name to
MyCert (see suggestion 3a below).
Certificate(has private key):
Data:
Version: 3 (0x2)
Serial Number: 3085 (0xc0d)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: CN=gdca1,OU=GD,OU=GDC4S,O=Test,C=US
Validity:
Not Before: Tue Oct 05 14:51:33 2010
Not After : Sun Apr 03 14:51:33 2011
Subject: CN=Stephen Moccaldi,OU=GD,OU=GDC4S,O=Test,C=US
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
  (Some Data)
Exponent: (Some Data)
Signed Extensions:
Name: Certificate Authority Key Identifier
Key ID:
   (Some Data)

Name: Authority Information Access
Method: PKIX CA issuers access method
Location: 
URI: http://some-url.com/gdca1.cer

Name: Certificate Key Usage
Critical: True
Usages: Digital Signature
Non-Repudiation

Name: Certificate Subject Alt Name
RFC822 Name: moccal...@gdc4s.local

Name: CRL Distribution Points
URI: http://some-url.com/gdca1.crl

Name: Certificate Policies
Data: 
Policy Name: OID.2.16.840.1.101.2.1.11.10
Policy Name: OID.2.16.840.1.101.2.1.11.9
Policy Name: OID.2.16.840.1.101.2.1.11.5

Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Signature:
(Some Data)
Fingerprint (MD5):
(Some Data)
Fingerprint (SHA1):
(Some

CMSUTIL Problem

2010-11-10 Thread Stephen.Moccaldi
I am on a Linux system and I am trying to send a signed email message
using cmsutil and the smime toolkit but it fails with the following
error:

cmsutil: the corresponding cert for key (null) does not exist:
Certificate key usage inadequate for attempted operation.

I have a pkcs12 file I loaded into the nss database with the following
command:

pk12util -i Email.p12 -d ./database

I have also loaded the root CA certs using:

certutil -A -d ./database -n gdca-root -t CT,C,, -i gdrootca.cer
certutil -A -d ./database -n gdca1 -t CT,C,, -i gdca1.cer

certutil -L -d ./database shows:
Stephen Moccaldi's U.S. Government ID  u,u,u
gdca-root  CT,C,
gdca1  CT,C,

certutil -K -d ./database shows:
 0 rsab853151eeaf438ea9f55b43bd0a5efedeac8f1a4  Stephen Moccaldi's
U.S. Government ID

certutil -V -n "Stephen Moccaldi's U.S. Government ID" -u SR -d
./database shows:
certutil: certificate is valid

But, when I type: 
cat testmsg.txt | smime -S "Stephen Moccaldi's U.S. Government ID" -p
passwd -d ./database | mail myemailaddr...@myserver.com

I get the error: 
cmsutil: the corresponding cert for key (null) does not exist:
Certificate key usage inadequate for attempted operation.
cmsutil: problem signing: Certificate key usage inadequate for attempted
operation.
cmsutil: NSS_Shutdown failed:  NSS could not shutdown.  Objects are
still in use.
ERROR: signature generation failed.
No message, no subject; hope that's ok

I get the same error when I type:
cmsutil -S -N "Stephen Moccaldi's U.S. Government ID" -i testmsg.txt -o
testmsg.signed -d ./database -p passwd

Does it have anything to do with the length of the nickname?  If I type
the above line with one less character in the nickname it does not show
(null) for the key it shows Stephen Moccaldi's U.S. Government I.
The error is:

cmsutil: the corresponding cert for key Stephen Moccaldi's U.S.
Government I does not exist: Certificate key usage inadequate for
attempted operation.

Since the nickname is set in the Email.p12 file and I can't specify it,
does that mean I need a new cert with a shorter friendly name?
I am using NSS version 3.12.3 and nspr 4.7.6.

Any help will be greatly appreciated.
Thanks.

Steve Moccaldi
stephen.mocca...@gdc4s.com
