Hello,

Thank you for your reply. I looked for the function you mentioned and I looked at the usage examples. I edited <http://pastebin.com/4BQsinXM> my previous code to use the function, but I'm getting the error invalid_args (-8187). After some trials, I figured out it's caused by the cert_pi_certList type in the input parameter. Looking at how these parameters are processed, I got to this function <http://mxr.mozilla.org/security/source/security/nss/lib/certhigh/certvfypkix.c#1509>, which contains a switch on the param type. However, there isn't a case for every type listed here <http://mxr.mozilla.org/security/source/security/nss/lib/certdb/certt.h#898>, and the default case raises invalid_args. Isn't this a bug of this function?
However, I also tried with the cert_pi_trustAnchors type (which has a case in the function), but I got the same error. Also, if I change the certificate usage parameter, I get this error. So, is there something wrong in the code I have written?

Thanks,
Nicholas

2016-02-04 1:14 GMT+01:00 Julien Pierre <julien.pie...@oracle.com>:

> CERT_VerifyCertNow is a legacy API that does not support the full set of
> RFC 3280/5280 features.
> To support things like policy checks, you can use libpkix.
> Look for CERT_PKIXVerifyCert. There are examples of usage in the NSS test
> programs vfychain and tstclnt.
> The library supports many more options than may be tested, though.
>
> Julien
>
> On 2/3/2016 08:37, Nicholas Mainardi wrote:
>
>> Hello,
>>
>> I'm comparing different libraries to verify X509 certificate chains. I had
>> some issues finding how to use NSS to perform this task. In the end, I
>> managed to get working code with one certificate chain. You can find the
>> code in this question
>> <http://stackoverflow.com/questions/34982796/how-to-parse-and-validate-certificates-with-nss>
>> I asked on Stack Overflow. I would like to know if the code I wrote is the
>> correct way to verify a certificate chain using NSS, and if there are other
>> parameters to customize the verify algorithm which can be set (i.e. a flag
>> to enable policy check etc.). If the code is correct, I suggest it could be
>> added to the NSS examples in the documentation.
>>
>> Thank You,
>>
>> Nicholas
>
> --
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto