Loren wrote:
Hi List,

When I try to sign a script with signtool (NSS 3.6) and my test certs, I
found it failed on verifying the signing cert, and certutil -O can't
construct the chain either.

When tracing down the problem, it appears that the culprit lives in
the function nss3certificate_matchIdentifier(), at pki3hack.c:277.
When building up the chain, it checks if the caName/caSN of the
authKeyId ext of the client cert is equal to the *subjectName*/serial
number of its issuer cert, which should have been the
issuerName/serial number.

Hi Loren,

Thank you for reporting this bug and tracking it down. This is a known bug in NSS 3.6: http://bugzilla.mozilla.org/show_bug.cgi?id=174634. It has been fixed in NSS 3.6.1 Beta3.

If you have cvs access you can check out NSS sources with the cvs tag NSS_3_6_1_BETA3 instead of NSS_3_6_RTM. We plan to release NSS 3.6.1 on Wednesday, Dec. 4. You can also apply the simple patch in the bug report to NSS 3.6 sources.

Wan-Teh
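The comparison described in the report, modelled as an added example (not NSS code and not from either poster; the `Cert` struct, function names and sample certificates are hypothetical and constructed). It goes slightly beyond the report by showing that in this model the wrong comparison still passes when the issuer cert is self-signed, because subject and issuer names are then identical, and only fails once an intermediate CA is in the chain.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the fields involved; not NSS data structures. */
typedef struct {
    const char *subject;
    const char *issuer;
    long serial;
    const char *aki_issuer; /* authKeyId authorityCertIssuer, NULL if absent */
    long aki_serial;        /* authKeyId authorityCertSerialNumber */
} Cert;

/* Behaviour described in the report: the authKeyId name is compared
 * with the candidate issuer cert's *subject* name. */
static int match_buggy(const Cert *child, const Cert *cand) {
    return child->aki_issuer != NULL &&
           strcmp(child->aki_issuer, cand->subject) == 0 &&
           child->aki_serial == cand->serial;
}

/* Expected behaviour: the authKeyId name/serial pair identifies the
 * issuer's certificate by that certificate's own issuer name and serial. */
static int match_fixed(const Cert *child, const Cert *cand) {
    return child->aki_issuer != NULL &&
           strcmp(child->aki_issuer, cand->issuer) == 0 &&
           child->aki_serial == cand->serial;
}

/* Constructed sample chain: root -> intermediate -> leaf,
 * plus one cert issued directly by the self-signed root. */
static const Cert root   = {"CN=Test Root", "CN=Test Root", 1, NULL, 0};
static const Cert inter  = {"CN=Test Intermediate", "CN=Test Root", 2,
                            "CN=Test Root", 1};
static const Cert leaf   = {"CN=Signer", "CN=Test Intermediate", 3,
                            "CN=Test Root", 2};
static const Cert direct = {"CN=Direct Signer", "CN=Test Root", 4,
                            "CN=Test Root", 1};

int main(void) {
    printf("leaf   -> inter: buggy=%d fixed=%d\n",
           match_buggy(&leaf, &inter), match_fixed(&leaf, &inter));
    printf("inter  -> root : buggy=%d fixed=%d\n",
           match_buggy(&inter, &root), match_fixed(&inter, &root));
    printf("direct -> root : buggy=%d fixed=%d\n",
           match_buggy(&direct, &root), match_fixed(&direct, &root));
    return 0;
}
```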
