On 11/04/2015 08:57 AM, JBarry wrote:
Hello,

I'll apologize in advance if this question has already been asked/answered (I did look and found nothing that helped me out) or if the question seems trivial. I am a college intern currently working with NSS for the first time, so please forgive me if I state anything incorrectly or in a confusing manner.

So I have created a key/certificate using OpenSSL and am trying to import it into the NSS database. However, this is failing because we are using a local algorithm that NSS (and pk12util) does not recognize. I need to add the OID to NSS in order for it to recognize the algorithm we are using, but I am unsure of where to do this. I have scoured the code and have looked in a bunch of files (some of which contain OID "definitions"), but I cannot figure out how to add the OID to make the import process work.

Any help would be greatly appreciated,
Jim
The oids are in the oid table found in secoid.c, and defines are in secoidt.h. The table is a static array of SECOidData called 'oids'.

You'll need to add new entries at the bottom with the OD() macro. The parameters of the OD macro are:

1) CONST_OID (basically an array of bytes) of the encoded oid representation (so '2.16.1.101' is 0x60, 0x86, 0x48, 0x01, 0x65). You declare a CONST_OID in the block above the table with a name representing your new oid (this value is private to this function). There are already macros for several common spaces (like PKCS5 or ANSI_X962).

2) The NSS OIDTag. This is the name NSS applications use to reference the tag. You also need to add this to the SECOidTag enum in secoidt.h. The oid tag value should equal the index into the oids[] table. NSS checks this at runtime.

3) A string description of what the oid represents.

4) The PKCS #11 mechanism value that this oid maps to. If there isn't a PKCS #11 mechanism, then this value should be CKM_INVALID_MECHANISM. For pkcs12 there should be a corresponding PKCS #11 mechanism.

5) The certificate extension value. It should be one of the following:
   SUPPORTED_CERT_EXTENSION - this oid is a certificate extension that is recognized and parsed by the NSS chain validation code.
   FAKE_SUPPORTED_CERT_EXTENSION - treat the extension represented by this oid as a recognized extension if NSS_ALLOW_UNSUPPORTED_CRITICAL is set. If NSS_ALLOW_UNSUPPORTED_CRITICAL is not set, then it is treated as UNSUPPORTED.
   UNSUPPORTED_CERT_EXTENSION - this oid represents an extension which is not recognized. certs with this extension that are marked critical should fail certificate validation.
   INVALID_CERT_EXTENSION - this oid is not a certificate extension oid, don't treat it as one.

This will make the oid recognizable; it does not mean that the oid will be properly handled by the underlying code.

What is the actual oid you want to add and what does it represent?
bob
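Added example, not from this thread and not NSS code: a small C program that does the first step Bob describes, turning a dotted OID string into the DER content bytes that would go into a CONST_OID, plus a toy table modelled on the five OD() fields with the index-equals-tag check he mentions. The oid_entry struct, the tag names, the 1.3.6.1.4.1.99999.1 arc (a constructed placeholder for a site-local algorithm) and the lookup function are all illustrative assumptions; only the SHA-256 arc and the CKM_SHA256 value are real.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Encode a dotted OID string ("2.16.840.1.101") into DER content bytes
   (base-128 subidentifiers, first two arcs merged as 40*a + b).
   Returns the number of bytes written, or -1 on malformed input or overflow. */
int oid_encode(const char *dotted, unsigned char *out, size_t cap) {
    unsigned long arcs[32];
    int n = 0;
    const char *p = dotted;
    while (*p) {
        char *end;
        unsigned long v = strtoul(p, &end, 10);
        if (end == p || n >= 32) return -1;       /* not a number, or too many arcs */
        arcs[n++] = v;
        if (*end == '.') p = end + 1;
        else if (*end == '\0') break;
        else return -1;                            /* stray character */
    }
    /* X.690: first arc is 0, 1 or 2; second arc is at most 39 unless first is 2 */
    if (n < 2 || arcs[0] > 2 || (arcs[0] < 2 && arcs[1] > 39)) return -1;
    size_t len = 0;
    unsigned long sub = arcs[0] * 40 + arcs[1];
    for (int i = 1; i < n; i++) {
        if (i > 1) sub = arcs[i];
        unsigned char tmp[10];                     /* 7 bits per byte, enough for 64-bit arcs */
        int k = 0;
        do { tmp[k++] = (unsigned char)(sub & 0x7f); sub >>= 7; } while (sub);
        if (len + (size_t)k > cap) return -1;
        while (k--) out[len++] = (unsigned char)(tmp[k] | (k ? 0x80 : 0)); /* MSB-first, continuation bit on all but last */
    }
    return (int)len;
}

/* Illustrative stand-in for the OD() fields Bob lists; this is NOT NSS's SECOidData. */
typedef enum { EXT_SUPPORTED, EXT_FAKE_SUPPORTED, EXT_UNSUPPORTED, EXT_INVALID } cert_ext_kind;

typedef struct {
    const unsigned char *der;   /* the CONST_OID bytes */
    size_t der_len;
    int tag;                    /* must equal this entry's index in the table */
    const char *desc;           /* human-readable description */
    unsigned long mechanism;    /* 0 stands in for CKM_INVALID_MECHANISM here */
    cert_ext_kind ext;          /* certificate-extension classification */
} oid_entry;

/* 2.16.840.1.101.3.4.2.1 is the real id-sha256 arc.
   1.3.6.1.4.1.99999.1 is a constructed placeholder for a site-local algorithm. */
static const unsigned char OID_SHA256[] = {0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01};
static const unsigned char OID_LOCAL[]  = {0x2b,0x06,0x01,0x04,0x01,0x86,0x8d,0x1f,0x01};

enum { TAG_SHA256 = 0, TAG_LOCAL_ALG = 1, TAG_COUNT };

static const oid_entry oids[] = {
    { OID_SHA256, sizeof OID_SHA256, TAG_SHA256,    "SHA-256", 0x250 /* CKM_SHA256 in PKCS #11 */, EXT_INVALID },
    { OID_LOCAL,  sizeof OID_LOCAL,  TAG_LOCAL_ALG, "site-local algorithm (placeholder)", 0, EXT_INVALID },
};

/* Mirrors the runtime check Bob mentions: each entry's tag equals its index,
   and the enum and the table have the same number of members. */
int oid_table_consistent(void) {
    size_t count = sizeof oids / sizeof oids[0];
    for (size_t i = 0; i < count; i++)
        if (oids[i].tag != (int)i) return 0;
    return count == TAG_COUNT;
}

/* Look up the tag for encoded OID bytes; -1 means "unknown OID", which is the
   situation pk12util is in before the entry exists. */
int oid_lookup(const unsigned char *der, size_t len) {
    for (size_t i = 0; i < sizeof oids / sizeof oids[0]; i++)
        if (oids[i].der_len == len && memcmp(oids[i].der, der, len) == 0) return oids[i].tag;
    return -1;
}

int main(void) {
    unsigned char buf[32];
    int n = oid_encode("1.3.6.1.4.1.99999.1", buf, sizeof buf);
    printf("encoded %d bytes:", n);
    for (int i = 0; i < n; i++) printf(" 0x%02x", buf[i]);
    printf("\ntag %d, table consistent %d\n", oid_lookup(buf, (size_t)n), oid_table_consistent());
    return 0;
}
```

The encoder is the useful part when you write the CONST_OID line by hand: an OID that fails to round-trip through it (or a tag whose value drifts from its table index after someone inserts an entry in the middle) is exactly the kind of mistake the runtime check in NSS exists to catch.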
-- View this message in context: http://mozilla.6506.n7.nabble.com/Add-New-OID-to-NSS-tp346875.html Sent from the Mozilla - Cryptography mailing list archive at Nabble.com.
-- dev-tech-crypto mailing list [email protected] https://lists.mozilla.org/listinfo/dev-tech-crypto

