Kai Engert wrote:
> Boris Zbarsky wrote:
>> Kai Engert wrote:
>>> nsIX509Cert expects the underlying CERTCertificate to be complete and valid, and serializing/restoring it based on the DER representation will ensure it.
>>
>> The message I got from Nelson's reply is that the DER representation doesn't actually capture everything about the CERTCertificate... did I misunderstand?
>
> In my own words, Nelson said, the CERTCertificate contains additional information that a simple dump of the DER representation will not contain.
>
> So, a binary representation of the DER cert will have less information than the in-memory representation of the structure.
>
> But where did NSS get that additional information from? By combining it with the other information that NSS has available internally (like its cert database and built-in root certs and their trust).

This is correct, NSS will regenerate the CERTCertificate from a DERCertificate. Note: if the underlying system has changed (the user has edited the trust flags), then deserializing will not produce exactly the same CERTCertificate.

On the other hand, I don't think you want the CERTCertificate to be exactly the same. If you modify the trust on a CERTCertificate, that could affect the cert processing in other parts of the browser. You definitely do not want this as a side effect of deserializing!
bob

