Re: Signing with Firefox Built-in db

2006-05-20 Thread Nelson B. Bolyard
I want to try to bring some closure to this thread.

"suckerformimi" did ultimately have success, and was finally able to
sign his code with signtool.  He was very resourceful.  Along the way,
he solved MANY issues, with just a little help from folks on this alias.
I want to report on his journey.  I don't think I'll give away any
confidential information.

He started with a pair of files containing a code signing cert and the
corresponding private key, with file names ending in .spc and .pvk.
The spc file was apparently an ordinary DER encoded cert (e.g. .cer file).
The pvk file was (is) apparently an old Microsoft proprietary file format.
The cert imported with Windows' cert manager in the usual way, but the
pvk file was an unknown.

He found a tool to import that pvk into his Windows private key store at
http://www.microsoft.com/downloads/details.aspx?familyid=F9992C94-B129-46BC-B240-414BDFF679A7&displaylang=en

Once his cert and private key were imported into Windows, he was able to
create a PKCS#12 file (.pfx) using Windows' cert manager cert export wizard.

pk12util -l (list) was able to list the content of that pfx file without
trouble.  (That's a new feature of pk12util in NSS 3.11).  So far, so good.

But pk12util -i (import) always complained that the file had an
"improperly formatted DER-encoded message" (SEC_ERROR_BAD_DER).  He had
the right password, and the file had "friendly names" for the certs and
private keys. (Missing or wrong passwords and missing "friendly names"
are the two known causes for failures of pfx file imports with NSS.)

Finally, he got the idea to try importing the pfx file into NSS cert and
key DBs using Firefox instead of pk12util, and that worked (!), which is
mysterious.  You see, Firefox and pk12util use the same code in the same
shared library to decode and import PKCS12 files.  So I'm a bit mystified
why Firefox worked where pk12util failed.  That's the subject of bug
https://bugzilla.mozilla.org/show_bug.cgi?id=338335

Once he successfully imported the pfx file into NSS DBs, all he had to do
was discover the "friendly name" (a.k.a. "nickname") on his cert in the
cert DB (something Firefox doesn't show, but certutil does).  Then he was
able to sign his code with signtool, using his Firefox NSS DBs.

So, the issue is resolved for "suckerformimi", but is just beginning for
the NSS development team.  I think we're not likely to solve that mystery
of SEC_ERROR_BAD_DER until we get a pfx file with which we can readily
reproduce that problem.  I won't ask "suckerformimi" for his pfx file,
since that would obviously compromise his code signing cert.

If you have a pfx file that pk12util can't import, but Firefox can,
and you're willing to let the NSS team have that pfx file (and its
password) for debugging purposes, please contact me.

-- 
Nelson B

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto


Re: Signing with Firefox Built-in db

2006-05-17 Thread Steve Parkinson

suckerformimi wrote:

How can I sign code using the built-in Firefox cert db? I'm having
problems with certutil, and it was recommended that I try the built-in
db.

I tried

signtool -d "C:\Documents and Settings\Paul Wilkinson\Application Data\Mozilla\Firefox\Profiles\7xzqas7j.default" -k "SingShot Media" -p password signed/


but I got an error message saying:
signtool: the cert "SingShot Media" does not exist in the database:
security library: bad database

I have verified that the cert "SingShot Media" does exist in my "Your
Certificates" cert db by opening Firefox and going to "View
Certificates".

The Firefox UI shows components of the subject name in the cert viewer. 
The commandline tools, including signtool, need a nickname, which is not 
visible in the UI. You'll need to use certutil to list the certificates 
in the database, and pass the nickname in as the -k argument.


Steve



One concern that I have is that there is an intermediate cert in the
chain called "Thawte Code Signing CA". I'll look into that presently.

p


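
Both messages above turn on the same two steps: getting the .pfx into the Firefox profile's NSS databases, and then finding the "nickname" that signtool's -k option wants, which the Firefox certificate viewer does not display but `certutil -L` does. The script below is an added example, not code from the thread or from the NSS project. It assumes the NSS tools (pk12util, certutil, signtool) are on PATH; the profile directory, .pfx path and output directory are placeholders you supply, and the certutil output it parses in the demo is a constructed sample using the names from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from NSS): recover the nickname that
# signtool -k expects from `certutil -L` output, then run the import/sign steps
# the thread describes. Paths passed to import_and_sign are placeholders.

# list_nicknames: read `certutil -L` output on stdin, print one nickname per line.
# certutil prints a header, then lines of the form "<nickname>   <trust flags>",
# where the flags look like "u,u,u" or ",,". Nicknames may contain spaces
# ("SingShot Media"), so strip the trailing flags field instead of taking $1.
list_nicknames() {
    awk '
        $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            sub(/[ \t]+[A-Za-z]*,[A-Za-z]*,[A-Za-z]*[ \t]*$/, "")
            print
        }
    '
}

# has_nickname NAME: succeed only if NAME is exactly one of the nicknames on stdin.
# This is the lookup signtool effectively performs before reporting
# "the cert ... does not exist in the database".
has_nickname() {
    list_nicknames | grep -Fxq -- "$1"
}

# Constructed sample of `certutil -L -d "$PROFILE"` output (assumption: uses the
# names from the thread; real output comes from running certutil on your profile).
SAMPLE_CERTUTIL_OUTPUT='Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI

SingShot Media                                  u,u,u
Thawte Code Signing CA                          ,,
'

# import_and_sign PROFILE_DIR PFX_FILE NICKNAME DIR: the sequence from the thread.
# Passwords are prompted for interactively rather than placed on the command line.
# Not run automatically; call it with your own paths.
import_and_sign() {
    profile=$1 pfx=$2 nick=$3 dir=$4
    pk12util -l "$pfx"                 # inspect the bundle first (NSS 3.11 and later)
    pk12util -i "$pfx" -d "$profile"   # import cert and private key into the profile DBs
    certutil -L -d "$profile" | has_nickname "$nick" ||
        { echo "nickname '$nick' not found; choose one of:" >&2
          certutil -L -d "$profile" | list_nicknames >&2; return 1; }
    signtool -d "$profile" -k "$nick" "$dir"
}

# Stand-alone demo on the constructed sample (no NSS tools needed).
printf '%s' "$SAMPLE_CERTUTIL_OUTPUT" | list_nicknames
```

The awk filter keys on the trust-flag triple at the end of each line rather than on column positions, so it copes with nicknames that contain spaces and with the variable padding certutil emits; the header line and the "SSL,S/MIME,JAR/XPI" legend never match because they are not three comma-separated letter groups.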