Re: Creating PKCS7 object using NSS

2012-08-12 Thread Gökçen Eraslan
Hello,

On 12-08-2012 00:13, Wan-Teh Chang wrote:
> On Sat, Aug 11, 2012 at 5:37 AM, Gökçen Eraslan
> gokcen.eras...@gmail.com wrote:
>
>> When I traced the code I saw that the sec_pkcs7_create_signed_data call
>> returns successfully but sec_pkcs7_add_signer fails.
>>
>> The trace is like this:
>>
>> sec_pkcs7_add_signer -> CERT_VerifyCertificate -> CERT_VerifyCertChain
>> -> CERT_FindBasicConstraintExten -> cert_FindExtension
>>
>> and finally the cert_FindExtensionByOID function returns
>> SEC_ERROR_EXTENSION_NOT_FOUND.
>>
>> My full patch is here: http://pastebin.ca/2179231
>>
>> Can anybody help me with that error? I need to create a PKCS7 object
>> and encode it via SEC_PKCS7Encode. Could my certificate be the problem?
>
> Perhaps the CA certificate of your signing certificate does not have
> the basic constraint extension?  That's what I concluded from the call
> stack you provided and the SEC_ERROR_EXTENSION_NOT_FOUND error code.
>

Actually, what I do is create a self-signed CA certificate and sign
my certificate with that fake CA certificate. Then I try to create a
detached SignedData structure with NSS. But before signing the PKCS7
object, NSS checks whether the certificate is valid. Since my CA is not a
trusted CA and therefore my cert is invalid, it fails.

Now I can create a PKCS7 object after marking my CA certificate as
trusted in Firefox. I don't get any error anymore, but I still need to
find a way to create a SignedData structure with an invalid certificate.
How can I do that? Do the new CMS functions permit that?

> Also, it's better to use the new CMS functions in
> mozilla/security/nss/lib/smime instead of the old PKCS7 functions.
>

Thank you for your attention. I'll try the new CMS functions and write
back with the result.

> Wan-Teh
>

-- 
Gökçen Eraslan

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Creating PKCS7 object using NSS

2012-08-11 Thread Wan-Teh Chang
On Sat, Aug 11, 2012 at 5:37 AM, Gökçen Eraslan
gokcen.eras...@gmail.com wrote:

> When I traced the code I saw that the sec_pkcs7_create_signed_data call
> returns successfully but sec_pkcs7_add_signer fails.
>
> The trace is like this:
>
> sec_pkcs7_add_signer -> CERT_VerifyCertificate -> CERT_VerifyCertChain
> -> CERT_FindBasicConstraintExten -> cert_FindExtension
>
> and finally the cert_FindExtensionByOID function returns
> SEC_ERROR_EXTENSION_NOT_FOUND.
>
> My full patch is here: http://pastebin.ca/2179231
>
> Can anybody help me with that error? I need to create a PKCS7 object
> and encode it via SEC_PKCS7Encode. Could my certificate be the problem?

Perhaps the CA certificate of your signing certificate does not have
the basic constraint extension?  That's what I concluded from the call
stack you provided and the SEC_ERROR_EXTENSION_NOT_FOUND error code.

Also, it's better to use the new CMS functions in
mozilla/security/nss/lib/smime instead of the old PKCS7 functions.

Wan-Teh
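A quick way to check Wan-Teh's hypothesis before touching the NSS trust settings, added here as an example that is not code from NSS or from either poster: given a CA certificate in DER form, it walks the ASN.1 and reports whether the basicConstraints extension (the one CERT_FindBasicConstraintExten looks up) is present and whether cA is set. The two sample certificates are constructed skeletons, not real certificates, and the tiny encoder only exists to build them.

```python
# Added example, not code from NSS or from this thread: a minimal DER walker that
# reports whether a certificate carries basicConstraints (OID 2.5.29.19), the
# extension cert_FindBasicConstraintExten looks for. Standard library only.
BASIC_CONSTRAINTS_OID = bytes([0x55, 0x1D, 0x13])   # 2.5.29.19 as DER content
def tlv(buf, pos=0):
    # Decode one DER TLV at pos -> (tag, value bytes, position after it).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    # Yield (tag, value) for each TLV inside a constructed value.
    pos = 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        yield tag, val

def basic_constraints(cert_der):
    # Return the cA flag (True/False) if basicConstraints is present, else None.
    _, cert, _ = tlv(cert_der)             # Certificate ::= SEQUENCE
    _, tbs, _ = tlv(cert)                  # tbsCertificate is its first element
    for tag, val in children(tbs):
        if tag != 0xA3:                    # extensions live in [3] EXPLICIT
            continue
        _, ext_list, _ = tlv(val)          # Extensions ::= SEQUENCE OF Extension
        for _, ext in children(ext_list):
            parts = list(children(ext))    # extnID, [critical], extnValue
            if parts[0][1] != BASIC_CONSTRAINTS_OID:
                continue
            _, bc, _ = tlv(parts[-1][1])   # BasicConstraints ::= SEQUENCE
            # cA is BOOLEAN DEFAULT FALSE; absent or 0x00 means "not a CA"
            return any(t == 0x01 and v != b"\x00" for t, v in children(bc))
    return None                            # the SEC_ERROR_EXTENSION_NOT_FOUND case

def der(tag, *items):
    # Tiny DER encoder (short-form lengths only) for the constructed samples below.
    body = b"".join(items)
    return bytes([tag, len(body)]) + body

def sample_cert(extensions):
    # Constructed skeleton: empty SEQUENCEs stand in for issuer, validity, subject, SPKI.
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"),
              der(0x30), der(0x30), der(0x30), der(0x30), der(0x30), *extensions)
    return der(0x30, tbs, der(0x30), der(0x03, b"\x00"))
CA_WITH_BC = sample_cert([der(0xA3, der(0x30, der(0x30,
    der(0x06, BASIC_CONSTRAINTS_OID), der(0x01, b"\xff"),     # critical TRUE
    der(0x04, der(0x30, der(0x01, b"\xff"))))))])             # cA TRUE
CA_WITHOUT_BC = sample_cert([])        # a CA cert like this trips the NSS lookup
```

Feed basic_constraints() the DER bytes of the issuing certificate; None means the extension is missing, which matches the error in the trace, and False means it is present but does not mark the certificate as a CA.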