Hi,

note that this would also explain the problem described in thread "Trust certificates in HW-Tokens".

--
Andreas

melton wrote:
To list the certificates found in the internal token, I enter the command:

C:\.mozilla>certutil -L -d .
Certificate Manager                                          CT,C,C

"Certificate Manager" is the self-signed public key certificate from my CA. To verify the CA's self-signed public key cert (including signature verification), I enter the command:

C:\.mozilla>certutil -V -u C -e -n "Certificate Manager" -d .
Enter Password or Pin for "NSS Certificate DB":
certutil: certificate is valid

I now insert a smart card (the PKCS#11 module was previously installed).
The smart card contains the public key certificate (signed by the same CA) corresponding to the private/public key pair which is also contained on the smart card. Here are all of the certificates in my database:

C:\.mozilla>certutil -L -h internal -d .
Certificate Manager                                          CT,C,C

C:\.mozilla>certutil -L -h "IID RA1" -d .
Enter Password or Pin for "IID RA1":
IID RA1:RA11's ID                                            u,u,u

I again enter the same command to verify the CA's self-signed public key cert:

C:\.mozilla>certutil -V -u C -e -n "Certificate Manager" -d .
Enter Password or Pin for "NSS Certificate DB":
Enter Password or Pin for "IID RA1":
certutil: certificate is invalid: Peer's certificate has an invalid signature.

Suddenly the signature verification fails (it will verify without the "-e" argument). Specifying "-h internal" with the "-V" command has no effect. If I remove the smart card, the CA's certificate will successfully verify again.

BTW, I wrote a utility in Java using Java's signature verification routines, and the signatures on both the self-signed public key cert and the public key cert on the smart card verify as valid.

Why is it doing this, and how do I make it stop?

TIA
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto