On 2009-06-04 02:23 PDT, Néric wrote:
> Context:
> 
> I am working on PKI cross certification using a PKI bridge.
> To fetch missing certificates, I use the following AIA certificate
> extension:
> 
> CA Issuer: URI : http://_...@ftp_server__/.../bundle.p7c
> 
> where bundle.p7c contains the missing certificates (pkcs7 format).

> Mozilla's NSS seems to ignore the AIA extension and doesn't fetch the
> bundle.

All versions of NSS up to (not including) 3.12 do ignore the AIA extension,
and the CRLDP extension, too.  NSS 3.12 has a new cert path validation
function that will pay attention to those extensions, if you tell it to do
so in the function arguments.  Any program written to use NSS before 3.12
was released does not use the new feature.

The currently released version of NSS is 3.12.3.  Version 3.12.4 is
undergoing a FIPS 140-2 evaluation, and will be released when it has been
accepted for FIPS.

> Question:
> 
> I found a library on the internet called "libpathfinder-nss-1"
> (http://packages.debian.org/fr/lenny/libpathfinder-nss-1).
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> Pathfinder is designed to provide a mechanism for any program to perform
> RFC3280-compliant path validation of X.509 certificates, even when some of
> the intermediate certificates are not present on the local machine. It will
> automatically download any such certificates (and their CRLs) from the
> Internet as needed using the AIA and CRL distribution point extensions of
> the certificate it is processing.
> 
> This package contains the shared library to allow LibNSS based programs to
> use Pathfinder for their Certificate validation. 
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> 
> It seems that this package enables a Debian distribution to do exactly what
> I want! Yet I have installed this library and nothing changed.
> 
> Would you have any complementary information on this package?

No.  I have not even heard of it until I read your email.

> It says that it allows LibNSS based programs to use PathFinder, 

It *IS* pathfinder, is it not?  I can well imagine that the pathfinder
library uses pathfinder.  :)

> Is NSS based on LibNSS (is it really the same thing)?

In Unix/Linux, there are two separate libraries known as NSS.  One of them
is the "Name Services Switch" which decides whether to use DNS or NIS or
LDAP for host name lookup, and the other is "Network Security Services"
which is the crypto libraries used for SSL by Firefox.

I am guessing that LibNSS (as used in the text you quoted above) refers to
the latter.  Below I will use NSS to refer only to the crypto libraries.
libNSS may be Debian's name for their version of the NSS crypto libraries.

Debian has made numerous changes to NSS.  They've changed the names of
NSS's shared libraries, and certain other things, such as the directories
in which the NSS shared libraries are placed.  I believe they've even
changed the names of many of the public NSS functions.  Consequently, AFAIK,
the only code that works with Debian's NSS is code that was specifically
written (or modified) to work with that.  Code that compiles
and runs with Mozilla's NSS will require modification to build and run with
Debian's NSS, or so I have been led to believe.  Any programs you download
directly from Mozilla will not use Debian's version of NSS.  If you have
downloaded a browser from Mozilla, you probably have two flavors of NSS
installed, one that uses the original file and function names, and Debian's
modified copy.  Debian has its own modified versions of the Mozilla
products (with different names), and those use Debian's modified NSS.

Since you found this "PathFinder" on a Debian web site, it probably is
written to work with Debian's modified NSS and not with unmodified original
NSS.  So, if your program uses NSS as obtained from Mozilla, it doesn't
surprise me that "PathFinder" had no effect on it.

> Do I have to change something in my NSS module to allow this library to be
> called or recognized?

I have no idea.

> My last question would be to know if all other X.509 certificate extensions
> were supported (policy mapping, ..)

NSS 3.12's new cert path validation function fully processes all standard
extensions related to certificate policies, if you tell it to do so.
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
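What an AIA-aware path validator of the kind discussed in this thread actually does, shown as an added example that is not part of the thread and not NSS or Pathfinder code: a Go program (standard library only) that builds a constructed three-certificate PKI, keeps only the root in the local trust store, and rebuilds the path to the end entity by following its caIssuers URI, the situation Néric describes. The URI, the certificate names, the in-memory "server" and the hop limit are all made up here. Because Go's standard library does not unwrap PKCS#7, the bundle behind the URI is assumed to be served as concatenated DER certificates; a real .p7c would need that unwrapping inside the fetcher.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical caIssuers URI standing in for the post's elided one.
const bundleURL = "http://ftp.example.test/pki/bundle.p7c"

// chaseAIA is the AIA-aware path build: verify against the known roots and intermediates and,
// while that fails, fetch the current certificate's caIssuers bundle, pool it as candidates and
// step to whichever bundled certificate really signed the current one. Hops are bounded.
func chaseAIA(leaf *x509.Certificate, roots *x509.CertPool, fetch func(string) ([]*x509.Certificate, error)) ([]*x509.Certificate, error) {
	inter, cur := x509.NewCertPool(), leaf
	for hop := 0; hop < 5; hop++ {
		opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
		if chains, err := leaf.Verify(opts); err == nil {
			return chains[0], nil
		}
		var next *x509.Certificate
		for _, u := range cur.IssuingCertificateURL {
			certs, err := fetch(u)
			if err != nil {
				continue // unreachable or malformed: skip it, never trust it
			}
			for _, c := range certs {
				inter.AddCert(c) // candidate only: Verify re-checks every signature and constraint
				if cur.CheckSignatureFrom(c) == nil {
					next = c
				}
			}
		}
		if next == nil {
			return nil, fmt.Errorf("no issuer of %q reachable via AIA", cur.Subject.CommonName)
		}
		cur = next
	}
	return nil, fmt.Errorf("AIA chase exceeded hop limit")
}

// buildDemoPKI constructs root -> cross-certified CA -> end entity (made-up test data) plus an
// in-memory stand-in for the AIA server; the trust store holds only the root, as in the post.
func buildDemoPKI() (*x509.Certificate, *x509.CertPool, map[string][]byte) {
	mk := func(cn string, serial int64, isCA bool, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
		pub, key, err := ed25519.GenerateKey(rand.Reader)
		must(err)
		t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
			BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageCertSign}
		if !isCA { // the end entity carries the AIA caIssuers pointer under test
			t.KeyUsage, t.IssuingCertificateURL = x509.KeyUsageDigitalSignature, []string{bundleURL}
		}
		if parent == nil { // self-signed root
			parent, signer = t, key
		}
		der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
		must(err)
		c, err := x509.ParseCertificate(der)
		must(err)
		return c, key
	}
	root, rootKey := mk("Demo Bridge Root", 1, true, nil, nil)
	ca, caKey := mk("Demo Cross-Certified CA", 2, true, root, rootKey)
	ee, _ := mk("user@example.test", 3, false, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	bundle := append(append([]byte(nil), ca.Raw...), root.Raw...) // what the AIA server hands out
	return ee, roots, map[string][]byte{bundleURL: bundle}
}

// mapFetcher stands in for downloading and decoding an AIA URI; a real one would fetch over
// HTTP/FTP and unwrap the .p7c (no PKCS#7 in Go's stdlib), so DER concatenation is assumed here.
func mapFetcher(store map[string][]byte) func(string) ([]*x509.Certificate, error) {
	return func(u string) ([]*x509.Certificate, error) {
		if b, ok := store[u]; ok {
			return x509.ParseCertificates(b)
		}
		return nil, fmt.Errorf("fetch %s: not found", u)
	}
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	ee, roots, store := buildDemoPKI()
	chain, err := chaseAIA(ee, roots, mapFetcher(store))
	fmt.Println(len(chain), err) // 3 <nil>
}
```

Two details matter for security and are the ones a validator tends to get wrong. Fetched certificates go into the candidate pool only; nothing is trusted until Verify has re-checked every signature, basic constraint and key usage against the configured roots, so a bundle that carries extra or bogus certificates gains the attacker nothing. And the walk is bounded, so a bundle that points back at itself cannot keep the validator fetching forever. With the bundle unreachable, the build fails at the first unknown issuer, which is what an NSS release that ignores AIA behaves like; in NSS 3.12 the function the reply refers to is CERT_PKIXVerifyCert, which takes fetching and policy options as an array of CERTValInParam entries, so a caller that never sets them gets no fetching either.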
