Hello. I have a problem with NSS. Here's what I'm trying to achieve: I have systems A and B which have a connection established. Then system C connects to system A through SSL, identifying itself with a client certificate. System C is then also expected to connect to system B, and in doing so, it must identify with the same client certificate as it did to A. So, I made A encode C's certificate to DER format and send it to system B, before ordering C to connect to B. Once C connects to B, B byte-compares the peer-provided and the server-provided certificates to make sure they match.

Here's how I encoded the certificate (on system A once handshake is done, and on B inside the SSL_AuthCertificateHook callback):

    CERTCertificate *cert = SSL_PeerCertificate(client->ssl_prfd);
    ...
    PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
    ...
    SECItem der;
    der.len = 0;
    der.data = NULL;
    SEC_ASN1EncodeItem(arena, &der, cert, SEC_ASN1_GET(CERT_CertificateTemplate)
    ...

It worked, the two DER encoded certificates matched on system B. However, now I decided that B needs to know the common name of C before C actually connects to B, for logging purposes. It could determine that by parsing the DER certificate provided by system A. I tried several functions which appear to be for parsing a certificate into a CERTCertificate object (CERT_DecodeCertFromPackage, CERT_NewTempCertificate, CERT_DecodeDERCertificate). However it always failed. CERT_DecodeCertFromPackage fails with error SEC_ERROR_LIBRARY_FAILURE, which was translated from NSS_ERROR_NOT_FOUND.

I tried parsing the DER certificate (as encoded by SEC_ASN1EncodeItem) with openssl, and it too has problems:

    $ openssl x509 -inform der -in cert.der
    unable to load certificate
    139697169598120:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1319:
    139697169598120:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=X509_CINF
    139697169598120:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:751:Field=cert_info, Type=X509

    $ openssl asn1parse -in cert.der -inform DER
        0:d=0  hl=4 l= 311 cons: SEQUENCE
        4:d=1  hl=2 l=   3 cons: cont [ 0 ]
        6:d=2  hl=2 l=   1 prim: INTEGER           :02
        9:d=1  hl=2 l=   5 prim: INTEGER           :913ED80F
       16:d=1  hl=2 l=  13 cons: SEQUENCE
       18:d=2  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption
       29:d=2  hl=2 l=   0 prim: NULL
       31:d=1  hl=2 l=  19 cons: SEQUENCE
       33:d=2  hl=2 l=  17 cons: SET
       35:d=3  hl=2 l=  15 cons: SEQUENCE
       37:d=4  hl=2 l=   3 prim: OBJECT            :commonName
       42:d=4  hl=2 l=   8 prim: PRINTABLESTRING   :ca-local
       52:d=1  hl=2 l=  30 cons: SEQUENCE
       54:d=2  hl=2 l=  13 prim: UTCTIME           :100626225323Z
       69:d=2  hl=2 l=  13 prim: UTCTIME           :110626225323Z
       84:d=1  hl=2 l=  21 cons: SEQUENCE
       86:d=2  hl=2 l=  19 cons: SET
       88:d=3  hl=2 l=  17 cons: SEQUENCE
       90:d=4  hl=2 l=   3 prim: OBJECT            :commonName
       95:d=4  hl=2 l=  10 prim: PRINTABLESTRING   :peer-plata
      107:d=1  hl=3 l= 159 cons: SEQUENCE
      110:d=2  hl=2 l=  13 cons: SEQUENCE
      112:d=3  hl=2 l=   9 prim: OBJECT            :rsaEncryption
      123:d=3  hl=2 l=   0 prim: NULL
      125:d=2  hl=3 l= 141 prim: BIT STRING
      269:d=1  hl=2 l=  44 cons: cont [ 3 ]
      271:d=2  hl=2 l=  42 cons: SEQUENCE
      273:d=3  hl=2 l=   9 cons: SEQUENCE
      275:d=4  hl=2 l=   3 prim: OBJECT            :X509v3 Basic Constraints
      280:d=4  hl=2 l=   2 prim: OCTET STRING      [HEX DUMP]:3000
      284:d=3  hl=2 l=  29 cons: SEQUENCE
      286:d=4  hl=2 l=   3 prim: OBJECT            :X509v3 Extended Key Usage
      291:d=4  hl=2 l=  22 prim: OCTET STRING      [HEX DUMP]:301406082B0601050507030106082B06010505070302

So, why is the certificate being encoded incorrectly?

Also, is this a portable way of comparing certificates (e.g. can I be sure that another SSL library will produce the same data)? I read that the DER format is specifically designed so that there is only one way to encode a given input. Is there some function that provides me with the raw certificate as provided by the peer (rather than NSS decoding it and my program encoding it back)? Or, should I be comparing only specific parts of the certificate (common name, public key)?

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
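
Added example (not part of the original post and not NSS code): in the asn1parse dump above, the outer SEQUENCE's first children are cont [ 0 ] and an INTEGER, which is the layout of an X.509 TBSCertificate, whereas a full Certificate is a SEQUENCE of tbsCertificate, signatureAlgorithm and signature BIT STRING. The sketch below is a check system B could run on the received bytes before comparing them; the function names and the tiny sample buffers are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
enum der_kind { DER_INVALID, DER_CERTIFICATE, DER_TBS_CERTIFICATE, DER_OTHER };

/* Constructed samples (tiny stand-ins, not real certificates). */
static const unsigned char sample_tbs[] = { 0x30,0x05, 0xA0,0x03,0x02,0x01,0x02 };
static const unsigned char sample_cert[] = { 0x30,0x0C, 0x30,0x05,0xA0,0x03,0x02,0x01,0x02,
                                             0x30,0x00, 0x03,0x01,0x00 };

/* Read one tag+length header at buf[*pos]; on success return 1 and leave *pos
 * at the first content byte. Minimal-length encoding is not enforced. */
static int der_header(const unsigned char *buf, size_t len, size_t *pos,
                      unsigned char *tag, size_t *clen) {
    size_t p = *pos, n;
    if (p > len || len - p < 2) return 0;
    *tag = buf[p++];
    n = buf[p++];
    if (n & 0x80) {                      /* long form: n & 0x7f length bytes */
        size_t k = n & 0x7f;
        if (k == 0 || k > sizeof(size_t) || len - p < k) return 0;
        for (n = 0; k > 0; k--) n = (n << 8) | buf[p++];
    }
    if (len - p < n) return 0;           /* content must fit in the buffer */
    *pos = p; *clen = n;
    return 1;
}

/* Decide whether buf holds a full Certificate or only a TBSCertificate. */
enum der_kind classify_cert_der(const unsigned char *buf, size_t len) {
    static const unsigned char want[3] = { 0x30, 0x30, 0x03 };
    size_t pos = 0, clen, i;
    unsigned char tag;
    if (!der_header(buf, len, &pos, &tag, &clen) || tag != 0x30 || pos + clen != len)
        return DER_INVALID;              /* not exactly one outer SEQUENCE */
    if (clen == 0) return DER_OTHER;
    if (buf[pos] == 0xA0 || buf[pos] == 0x02)
        return DER_TBS_CERTIFICATE;      /* first child is [0] version or serial */
    for (i = 0; i < 3; i++) {            /* tbsCertificate, sigAlg, signature */
        if (!der_header(buf, len, &pos, &tag, &clen)) return DER_INVALID;
        if (tag != want[i]) return DER_OTHER;
        pos += clen;                     /* skip this element's content */
    }
    return pos == len ? DER_CERTIFICATE : DER_OTHER;
}

int main(void) {
    printf("tbs=%d cert=%d\n", (int)classify_cert_der(sample_tbs, sizeof sample_tbs),
           (int)classify_cert_der(sample_cert, sizeof sample_cert));
    return 0;
}
```

This only inspects the top-level structure; it does not validate the certificate's contents or signature.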