Re: CMSUTIL Problem
> gdrootca.cer
> certutil -A -d ./database -n gdca1 -t CT,C,, -i gdca1.cer
>
> certutil -L -d ./database shows:
>
>   Stephen Moccaldi's U.S. Government ID          u,u,u
>   gdca-root                                      CT,C,
>   gdca1                                          CT,C,

I'm guessing that gdca1 is an intermediate CA, issued by gdca-root. Assuming that's correct, then it should NOT have any C flags at all. I suggest you edit those trust flags and remove all the letters, e.g.

  certutil -M -d database -n gdca1 -t ",,"

Then repeat the -V step shown below. The only problem caused by having those flags on the wrong cert(s) is that the signed files you send will not contain the certs they should contain.

> certutil -K -d ./database shows:
>
>   0 rsa b853151eeaf438ea9f55b43bd0a5efedeac8f1a4 Stephen Moccaldi's U.S. Government ID
>
> certutil -V -n "Stephen Moccaldi's U.S. Government ID" -u SR -d ./database shows:
>
>   certutil: certificate is valid

So, clearly the cert exists and that nickname is valid. I think the smime perl script is just doing the wrong thing.

> But, when I type:
>
>   cat testmsg.txt | smime -S "Stephen Moccaldi's U.S. Government ID" -p passwd -d ./database | mail myemailaddr...@myserver.com
>
> I get the error:
>
>   cmsutil: the corresponding cert for key (null) does not exist: Certificate key usage inadequate for attempted operation.
>   cmsutil: problem signing: Certificate key usage inadequate for attempted operation.

Here's another diagnostic step to try. Write a little script in your favorite scripting language that writes out the entire command line with which it was invoked, as well as a copy of all of stdin that it was given, to some file, and then exits. Call your script cmsutil and arrange for it to be in a directory that's first in your PATH. Then repeat the test above, and examine the file created by your script. If the smime program is mangling the command line options, you will be able to tell from the output of your script.

>   cmsutil: NSS_Shutdown failed: NSS could not shutdown. Objects are still in use.

That's yet ANOTHER problem. What version of NSS and cmsutil are you using? But I expect that will go away when you solve the key usage problem.

>   ERROR: signature generation failed.
>   No message, no subject; hope that's ok
>
> I get the same error when I type:
>
>   cmsutil -S -N "Stephen Moccaldi's U.S. Government ID" -i testmsg.txt -o testmsg.signed -d ./database -p passwd

OK, so there's a lot of things to try. Should keep you busy for an hour or two. :) Let us know what you find. If you don't find quick success, then definitely send us the pretty printed output from pk12util dash ell.

/Nelson the insomniac. :)

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
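The intercept shim Nelson describes, written out as an added example (not code from the thread or from NSS): a POSIX sh script that, when installed under the name cmsutil in a directory first in PATH, appends every argument on its own line plus a verbatim copy of stdin to a log file, so a nickname that was split on spaces or lost its apostrophe is visible at a glance. The log path and the CMSUTIL_TRACE_LOG variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: diagnostic stand-in for cmsutil.
# Install as "cmsutil" first in PATH (e.g. ln -s /path/to/this.sh ~/bin/cmsutil),
# rerun the smime pipeline, then read the log. Log path is an assumption.

LOGFILE="${CMSUTIL_TRACE_LOG:-/tmp/cmsutil-trace.log}"

# record_invocation LOG ARG...  -- append one record to LOG, reading stdin.
record_invocation() {
    log="$1"
    shift
    {
        printf '=== argv (%d args) ===\n' "$#"
        i=0
        for a in "$@"; do
            i=$((i + 1))
            printf '[%d] <%s>\n' "$i" "$a"   # brackets expose leading/trailing blanks
        done
        printf '=== stdin ===\n'
        cat                                 # everything the caller piped in
        printf '=== end ===\n'
    } >>"$log"
}

# last_argc LOG -- number of argv entries in the most recent record, so a quick
# check tells whether a multi-word nickname arrived as a single argument.
last_argc() {
    grep '^=== argv (' "$1" | tail -n 1 | sed 's/.*(\([0-9]*\) args).*/\1/'
}

# Only act as the shim when actually invoked under the name cmsutil; running or
# sourcing this file under another name just defines the functions above.
case "$(basename -- "$0")" in
    cmsutil) record_invocation "$LOGFILE" "$@" ;;
esac
```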
RE: CMSUTIL Problem
Here is some more information. I was able to use the cert in Outlook to sign and verify email messages.

The command I am using,

  cat testmsg.txt | smime -S "Stephen Moccaldi's U.S. Government ID" -p passwd -d ./database | mail myemailaddr...@myserver.com

does use smime, but a straight cmsutil command such as

  cmsutil -S -N "Stephen Moccaldi's U.S. Government ID" -i testmsg.txt -o testmsg.signed -d ./database -p passwd

also fails with the same error, so I think the problem is in cmsutil, not smime. The cmsutil command fails using a nickname of MyCert as well.

The file I am trying to sign is just a straight text file with no email headers in it. All that is in the file is:

  This is an S/MIME test message.

Does it need to have the email headers in it and look like an email message instead of a straight text file in order to use the cert and key to sign it for email? Maybe it's saying key usage is inadequate because it thinks the file is a different kind of file?

I am using NSS version 3.12.3. Further comments are inline below.

Thanks for your help.

Steve Moccaldi
stephen.mocca...@gdc4s.com

-----Original Message-----
From: dev-tech-crypto-bounces+stephen.moccaldi=gdc4s@lists.mozilla.org [mailto:dev-tech-crypto-bounces+stephen.moccaldi=gdc4s@lists.mozilla.org] On Behalf Of Nelson B Bolyard
Sent: Thursday, November 11, 2010 8:02 AM
To: mozilla's crypto code discussion list
Subject: Re: CMSUTIL Problem

On 2010-11-10 05:41 PDT, stephen.mocca...@gdc4s.com wrote:

> I am on a Linux system and I am trying to send a signed email message using cmsutil and the smime toolkit but it fails with the following error:
>
>   cmsutil: the corresponding cert for key (null) does not exist: Certificate key usage inadequate for attempted operation.

Hi Stephen,

There's so much to say here. I see at least three different issues there.

1) the report "cert for key does not exist".
2) the string "(null)". That's annoying, but I think it's a red herring. We should deal with it, but I think it's a symptom, not the cause, of other problems here.
3) the error "inadequate key usage".

I suspect that only at most one of those is a real problem, and the others are simply side effects of the real problem. I'm going to suggest a number of parallel paths for you to explore.

1. The inadequate key usage problem.

I think it's possible that the cert IS being found (despite all the apparent evidence to the contrary), but the cert simply has some extension that makes it ineligible to be used as an email cert. Fortunately, we have a way to determine that. We know that the pk12util program is able to read your Email.p12 file, so use pk12util's -l (dash ell) option to list the content of the file. It will pretty print out the details of all the certs in that file. It won't print out any details of the private key, except to say if it found a private key there or not. If you can show us the pretty printed output for that email cert, as shown by pk12util, we can tell by inspection if the cert really has a key usage problem. If it does, that's the real problem, and the solution is for you to get another cert from your CA.

Here is the output from the pk12util -l command (sorry, I had to sanitize it for public consumption). This is the .p12 file created when I changed my friendly name to MyCert (see suggestion 3a below).

Certificate(has private key):
    Data:
        Version: 3 (0x2)
        Serial Number: 3085 (0xc0d)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: CN=gdca1,OU=GD,OU=GDC4S,O=Test,C=US
        Validity:
            Not Before: Tue Oct 05 14:51:33 2010
            Not After : Sun Apr 03 14:51:33 2011
        Subject: CN=Stephen Moccaldi,OU=GD,OU=GDC4S,O=Test,C=US
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus: (Some Data)
                Exponent: (Some Data)
        Signed Extensions:
            Name: Certificate Authority Key Identifier
            Key ID: (Some Data)

            Name: Authority Information Access
            Method: PKIX CA issuers access method
            Location: URI: http://some-url.com/gdca1.cer;

            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Non-Repudiation

            Name: Certificate Subject Alt Name
            RFC822 Name: moccal...@gdc4s.local

            Name: CRL Distribution Points
            URI: http://some-url.com/gdca1.crl;

            Name: Certificate Policies
            Data: Policy Name: OID.2.16.840.1.101.2.1.11.10
                  Policy Name: OID.2.16.840.1.101.2.1.11.9
                  Policy Name: OID.2.16.840.1.101.2.1.11.5
    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Signature: (Some Data)
    Fingerprint (MD5): (Some Data)
    Fingerprint (SHA1): (Some
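An added example (not from the thread or from NSS) for the inspection Nelson asks for: a shell function that pulls the usage names out of the pretty-printed certificate that pk12util -l (or certutil -L -n NICK) emits, so the "does this cert's key usage allow signing?" question can be checked mechanically instead of by eye. The sample dump embedded below is constructed from Steve's sanitized output.

```shell
#!/bin/sh
# Added example, not from the thread: extract the Key Usage bits from an NSS
# pretty-printed certificate. Feed it the output of pk12util -l or certutil -L -n.

# key_usages: read a pretty-printed cert on stdin, print each usage listed under
# "Certificate Key Usage" on its own line. Collection starts at "Usages:" (so the
# "Critical:" line is skipped) and stops at the next "Name:" line, which begins
# the following extension.
key_usages() {
    awk '
        /Name: Certificate Key Usage/ { inku = 1; next }
        inku && /Name:/               { inku = 0; seen = 0 }
        inku && /Usages:/             { seen = 1; sub(/.*Usages:[ \t]*/, ""); if ($0 != "") print; next }
        inku && seen                  { sub(/^[ \t]*/, ""); if ($0 != "") print }
    '
}

# has_digital_signature: exit 0 if the cert on stdin carries the Digital
# Signature key-usage bit, which is what CMS/S-MIME signing needs.
has_digital_signature() {
    key_usages | grep -q '^Digital Signature$'
}

# sample_dump: constructed sample, abridged from the sanitized pk12util -l output
# in the thread (same extension layout NSS prints).
sample_dump() {
    cat <<'EOF'
Certificate(has private key):
    Data:
        Version: 3 (0x2)
        Issuer: CN=gdca1,OU=GD,OU=GDC4S,O=Test,C=US
        Subject: CN=Stephen Moccaldi,OU=GD,OU=GDC4S,O=Test,C=US
        Signed Extensions:
            Name: Certificate Authority Key Identifier
            Key ID: (Some Data)

            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Non-Repudiation

            Name: Certificate Subject Alt Name
            RFC822 Name: moccal...@gdc4s.local
EOF
}
```

Usage: `pk12util -l Email.p12 | key_usages` lists the bits; `has_digital_signature` returns non-zero when the signing bit is absent.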
CMSUTIL Problem
I am on a Linux system and I am trying to send a signed email message using cmsutil and the smime toolkit, but it fails with the following error:

  cmsutil: the corresponding cert for key (null) does not exist: Certificate key usage inadequate for attempted operation.

I have a pkcs12 file I loaded into the NSS database with the following command:

  pk12util -i Email.p12 -d ./database

I have also loaded the root CA certs using:

  certutil -A -d ./database -n gdca-root -t CT,C,, -i gdrootca.cer
  certutil -A -d ./database -n gdca1 -t CT,C,, -i gdca1.cer

certutil -L -d ./database shows:

  Stephen Moccaldi's U.S. Government ID          u,u,u
  gdca-root                                      CT,C,
  gdca1                                          CT,C,

certutil -K -d ./database shows:

  0 rsa b853151eeaf438ea9f55b43bd0a5efedeac8f1a4 Stephen Moccaldi's U.S. Government ID

certutil -V -n "Stephen Moccaldi's U.S. Government ID" -u SR -d ./database shows:

  certutil: certificate is valid

But, when I type:

  cat testmsg.txt | smime -S "Stephen Moccaldi's U.S. Government ID" -p passwd -d ./database | mail myemailaddr...@myserver.com

I get the error:

  cmsutil: the corresponding cert for key (null) does not exist: Certificate key usage inadequate for attempted operation.
  cmsutil: problem signing: Certificate key usage inadequate for attempted operation.
  cmsutil: NSS_Shutdown failed: NSS could not shutdown. Objects are still in use.
  ERROR: signature generation failed.
  No message, no subject; hope that's ok

I get the same error when I type:

  cmsutil -S -N "Stephen Moccaldi's U.S. Government ID" -i testmsg.txt -o testmsg.signed -d ./database -p passwd

Does it have anything to do with the length of the nickname? If I type the above line with one less character in the nickname, it does not show (null) for the key; it shows "Stephen Moccaldi's U.S. Government I". The error is:

  cmsutil: the corresponding cert for key Stephen Moccaldi's U.S. Government I does not exist: Certificate key usage inadequate for attempted operation.

Since the nickname is set in the Email.p12 file and I can't specify it, does that mean I need a new cert with a shorter friendly name?

I am using NSS version 3.12.3 and NSPR 4.7.6. Any help will be greatly appreciated.

Thanks.

Steve Moccaldi
stephen.mocca...@gdc4s.com