Re: [NSS] X509 Certificate Chain Verification Example

2016-02-10 Thread Julien Pierre
Nicholas, Your root certificate needs to be trusted. Self-signed is fine, but you still need to trust it. It would either need to be present in your cert DB, with the proper trust flag, or you would need to dynamically set the trust on that root certificate using the API. You can use

Re: [NSS] X509 Certificate Chain Verification Example

2016-02-10 Thread Julien Pierre
As an aside, I would strongly advise you to use the first method - put the root CA in your cert DB, ahead of time, prior to starting your applications. Dynamically and blindly trusting a root CA, especially one received over a network, is asking for trouble and a big security no-no. You should

Re: [NSS] X509 Certificate Chain Verification Example

2016-02-10 Thread Nicholas Mainardi
I'm quite sure that the certificate should be trusted. I forgot to write it, but I actually found it using certutil in the CERT DB provided by the "roots cert" module: certutil -L -d DB_dir -h all | grep 'root_cn' returns the certificate with trust flags C,C,C. So I think it means it's already

Re: [NSS] X509 Certificate Chain Verification Example

2016-02-09 Thread Nicholas Mainardi
Anyone up for a possible solution? 2016-02-06 14:51 GMT+01:00 Nicholas Mainardi: > If I remove cert_pi_certList from the array, the invalid_args error turns into > an untrusted_issuer error (-8172). So, it seems that even if I don't add the > intermediate CA certificate in

Re: [NSS] X509 Certificate Chain Verification Example

2016-02-09 Thread Nicholas Mainardi
About error -8101 with the Facebook CA certificate, I found it should be related to this bug, so it's a certificate issue. However, with Apple's certificate chain, I got error -8102 when I try to validate only the CA certificate, while error

Re: [NSS] X509 Certificate Chain Verification Example

2016-02-05 Thread Nicholas Mainardi
Hello, Thank you for your reply. I looked for the function you mentioned and I looked at the usage examples. I edited my previous code to use the function, but I'm getting the error invalid_args (-8187). After some trials, I figured out it's caused by the cert_pi_certList

Re: [NSS] X509 Certificate Chain Verification Example

2016-02-05 Thread Julien Pierre
Nicholas, It looks like cert_pi_certList is indeed never processed. So that seems to be unimplemented. I'm not quite sure why that is. It's been a long time since I worked on NSS/libpkix. What happens if you remove that parameter from your list? Once the certs are decoded, presumably in

[NSS] X509 Certificate Chain Verification Example

2016-02-03 Thread Nicholas Mainardi
Hello, I'm comparing different libraries to verify X509 certificate chains. I had some issues finding out how to use NSS to perform this task. In the end, I managed to get working code with one certificate chain. You can find the code in this question