I want to try to bring some closure to this thread.

"suckerformimi" did ultimately have success, and was finally able to
sign his code with signtool.  He was very resourceful.  Along the way,
he solved MANY issues, with just a little help from folks on this alias.
I want to report on his journey.  I don't think I'll give away any
confidential information.

He started with a pair of files containing a code signing cert and the
corresponding private key, with file names ending in .spc and .pvk.
The spc file was apparently an ordinary DER encoded cert (e.g. .cer file).
The pvk file was (is) apparently an old Microsoft proprietary file format.
The cert imported with Windows' cert manager in the usual way, but the
pvk file was an unknown.

He found a tool to import that pvk into his Windows private key store at
http://www.microsoft.com/downloads/details.aspx?familyid=F9992C94-B129-46BC-B240-414BDFF679A7&displaylang=en

Once his cert and private key were imported into Windows, he was able to
create a PKCS#12 file (.pfx) using Windows' cert manager cert export wizard.

pk12util -l (list) was able to list the content of that pfx file without
trouble.  (That's a new feature of pk12util in NSS 3.11).  So far, so good.

But pk12util -i (import) always complained that the file had an
"improperly formatted DER-encoded message" (SEC_ERROR_BAD_DER).  He had
the right password, and the file had "friendly names" for the certs and
private keys. (Missing or wrong passwords and missing "friendly names"
are the two known causes for failures of pfx file imports with NSS.)

Finally, he got the idea to try importing the pfx file into NSS cert and
key DBs using FireFox instead of pk12util, and that worked (!), which is
mysterious.  You see, FireFox and pk12util use the same code in the same
shared library to decode and import PKCS12 files.  So I'm a bit mystified
why FireFox worked where pk12util failed.  That's the subject of bug
https://bugzilla.mozilla.org/show_bug.cgi?id=338335

Once he successfully imported the pfx file into NSS DBs, all he had to do
was discover the "friendly name" (a.k.a. "nickname") on his cert in the
cert DB (something FireFox doesn't show, but certutil does).  Then he was
able to sign his code with signtool, using his FireFox NSS DBs.

So, the issue is resolved for "suckerformimi", but is just beginning for
the NSS development team.  I think we're not likely to solve that mystery
of SEC_ERROR_BAD_DER until we get a pfx file with which we can readily
reproduce that problem.  I won't ask "suckerformimi" for his pfx file,
since that would obviously compromise his code signing cert.

If you have a pfx file that pk12util can't import, but FireFox can,
and you're willing to let the NSS team have that pfx file (and its
password) for debugging purposes, please contact me.

-- 
Nelson B

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
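The "friendly name" check that the post names as one of the two known causes of pfx import failures in NSS, written up as an added shell example; this is not code from the original message or from the NSS project. It assumes only that openssl is on PATH, generates its own throwaway key and self-signed certificate (not real signing material), exports it once with a friendly name and once without, and reports which of the two files actually carries the attribute.

```shell
#!/bin/sh
# Added example, not from the original post or from NSS: build two throwaway
# PKCS#12 (.pfx) files, one with a friendlyName and one without, and check
# which one carries the attribute that pk12util expects. Assumes openssl on
# PATH; every key and certificate here is generated on the spot.
set -eu

WORK=$(mktemp -d)

# make_test_pair: generate a throwaway RSA key and a self-signed certificate
# (stand-in for the .pvk/.spc pair described in the post).
make_test_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=example-codesign-test" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# export_pfx OUT NAME: wrap the pair into a PKCS#12 file protected by the
# constructed password "secret". An empty NAME omits -name, so no friendlyName
# attribute is written, which is the failure mode the post warns about.
export_pfx() {
  out=$1
  name=$2
  if [ -n "$name" ]; then
    openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
      -name "$name" -passout pass:secret -out "$out"
  else
    openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
      -passout pass:secret -out "$out"
  fi
}

# has_friendly_name FILE: print "yes" if any bag in FILE carries a
# friendlyName attribute, "no" otherwise. -info dumps the bag attributes;
# -nokeys keeps the private key out of the output.
has_friendly_name() {
  if openssl pkcs12 -in "$1" -info -nokeys -passin pass:secret 2>/dev/null \
       | grep -q 'friendlyName:'; then
    echo yes
  else
    echo no
  fi
}

# Stand-alone run: show the two outcomes side by side.
make_test_pair
export_pfx "$WORK/named.pfx" "My Code Signing Cert"
export_pfx "$WORK/unnamed.pfx" ""
echo "named.pfx   friendlyName present: $(has_friendly_name "$WORK/named.pfx")"
echo "unnamed.pfx friendlyName present: $(has_friendly_name "$WORK/unnamed.pfx")"
```

A file that reports "no" here is a candidate for the import failure the post describes, and re-exporting it with a `-name` value is the fix on the OpenSSL side. Once `pk12util -i <file>.pfx -d <dbdir>` succeeds, `certutil -L -d <dbdir>` lists the nickname that the post says Firefox does not display, which is the value signtool needs.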
