I would like to know the rough workflow to verify a certificate
against a user-supplied root store. Specifically, what NSS functions
would one use for that purpose? I have looked at various headers
(nss.h, cert.h, pk11pub.h, etc.) and searched the web for usage
examples, but could not stitch together a correct workflow of NSS 3.x
functions to use for this task.
The application I am writing essentially operates in two steps:
1) Load a root store of certificates in memory
2) Take a user-supplied certificate and verify it against the root
store
There is no persistence requirement, i.e., each new start of the
application performs (1) and (2) from scratch. That said, I tried the
code sequence shown below (C++11), which does not seem to work (a
valid cert does not seem to verify due to a missing issuer;
SEC_ERROR_UNTRUSTED_ISSUER). I'd be thankful for guidance of any form.
Matthias
// Initialize NSS without a persistent database.
NSS_NoDB_Init(".");
// Load the root store in memory (one temp cert per DER blob).
for (certificate const& root_der : root_certs_in_DER_format)
{
    SECItem secitem{siDERCertBuffer, root_der.data(),
                    static_cast<unsigned int>(root_der.size())};
    CERTCertificate* root = CERT_NewTempCertificate(
        CERT_GetDefaultCertDB(),
        &secitem,
        nullptr,
        PR_TRUE,  /* Add cert to root store?! */
        PR_FALSE);
    CERT_DestroyCertificate(root);
}
// User provides certificate (user_cert_der holds its DER bytes).
SECItem secitem{siDERCertBuffer, user_cert_der.data(),
                static_cast<unsigned int>(user_cert_der.size())};
CERTCertificate* user_cert = CERT_NewTempCertificate(
    CERT_GetDefaultCertDB(),
    &secitem,
    nullptr,
    PR_FALSE, /* Do NOT add user cert to root store?! */
    PR_FALSE);
// Verify the certificate for the requested usage at the user-supplied time.
SECCertificateUsage use = get_usage();
SECCertificateUsage verified_uses;
SECStatus rc = CERT_VerifyCertificate(
    CERT_GetDefaultCertDB(),
    user_cert,
    PR_TRUE,   /* check signatures */
    use,
    get_timestamp_from_user(),
    nullptr,   /* wincx */
    nullptr,   /* CERTVerifyLog */
    &verified_uses);
// Here I get: PR_GetError() == SEC_ERROR_UNTRUSTED_ISSUER
if (rc == SECFailure)
    extract_failure_and_report();
CERT_DestroyCertificate(user_cert);
// Clean up.
NSS_Shutdown();
--
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto