Christian <[EMAIL PROTECTED]> wrote:
> Hello all, I am trying to sign javascript files and running into some
> issues. Hopefully someone can point me into the right direction.
>
> I did obtain a code signing certificate from Certum.
> They issue the certificate as part of a chain:
> certum root CA -> certum level I -> mycert.

I presume you obtained that cert with your browser.  That is,
you visited a certum web site that caused your browser to generate a
pair of keys, a private key and a public key.  The public key went
into the certificate that Certum issued to you.  The private key
remained in your browser's key3.db file.

Or perhaps you generated your key pair using some other program,
such as OpenSSL, in which case your private key is in whatever file
OpenSSL put it in.

Either way, you'll need that private key, in addition to your certificate
chain, when you go to sign your files.

> I created a cert db with the certutils prg:
> 1. certutil.exe -N -d

That created 3 files, cert8.db, key3.db and secmod.db, all effectively
empty.

> I have three cer files: one for each cert in the chain. Since certum
> root ca is already contained in the list of root certs, I do not bother
> to import this one. However, I do import certum level I and mycert:
> 2. certutil.exe -A -t Cu -n "Certum Level I" -i certum1.cer -d .
> 3. certutil.exe -A -t u -n "mycert" -i mycert.cer -d .

You're planning on relying on the browsers' built-in list of root CA certs.
That's fine.  But the signing program will need access to that list to do
its job.  It will want to recreate the entire cert chain.  To do that, it
will need access to that root CA cert.  You can either import that cert
too, or else make a copy of the built-in root certs module available to
the signing program.

Also, the sequence of commands you showed above has put your cert and
the intermediate CA cert into your new cert8.db file, but have not put
your private key into the corresponding key3.db file.  You'll need to
do that.  I can't advise you how to do that until we know where that
private key is (e.g. Windows key store, OpenSSL file, mozilla key3.db file,
etc.)

> I attempt to sign a javascript file and it fails. A check with signtool
> -l -d . reveals that the cert is not valid:
>
> H:\keys\code sign>c:signtool -l -d .
> using certificate directory: .
>
> Object signing certificates
> ---------------------------------------
> mycert
>     Issued by: Certum Level I (Certum Level I)
>     Expires: Thu Oct 26, 2006
>     ++ Error ++ THIS CERTIFICATE IS NOT VALID (Certificate Authority
> certificate invalid)
> ---------------------------------------
> For a list including CA's, use "signtool -L"

> I assume I am doing something wrong on the import since these certs are
> chained. I know that the certs are good as they seem to be accepted by
> the microsoft certificate manager. I am banging my head against my
> keyboard. Any help would be greatly appreciated.

Your poor keyboard!  :)

Your signing program probably can't validate that cert because it cannot
find the trusted Certum root certificate that issued it.

You could import the certum root and mark it trusted for object signing,
or you could copy the browser's list of trusted root CA certs into your
signing directory and tell the signing tool to use it.

To mark a root CA cert trusted for object signing, you need to set the
trust arguments as ",,C"  (not "C").

To use the browser's list of trusted root CA certs, find the file
nssckbi.dll among your (mozilla family) browser's files, and copy it to
the directory where you put your new cert8.db file.  Then run a command
to configure the NSS tools to know about that nssckbi.dll file.
I think you can do that with the command:
   certutil -L -d . -X -h all
If it succeeds, it will list all the certs found in the nssckbi.dll file.
Afterwards, your signtool will (er, should) be happier with your
Certum Level 1 intermediate CA cert.

>
> Thanks-
> Christian

Later, Christian wrote:

> Well, I got a bit further on this.
>
> I was able to get the javascript signed, but the certificate (since it
> is in a chain of which the middle cert is unknown to mozilla) was not
> recognized since it was in a chain.

If the certum 1 intermediate CA cert was in the cert8.db file when you
ran signtool, it should have been copied into the signed file.

> Here the steps:
> 1. I converted my spc and pvk into pfx using the pvkimprt tool (on Win
> 2K since this tool doesn't work on Win XP)
> 2. Imported the pfx into the cert management of mozilla browser

OK, so you got your cert and your private key into the browser's cert
and key DB files.  If the pfx file also contained the certum level 1
intermediate CA, that cert would also have been imported into your cert
DB file, but based on the results you got, I think it was not in that
pfx file.

> 3. used the signtool to sign the javascript pointing the signtool to
> the mozilla cert db (it's in the user's directory under
> mozilla/profiles).

Yes, that should have worked.  Using the cert, key and secmod.db files
from the browser should work, AS LONG AS the browser is not running when
the other tools are running.

You should be able to see your cert in the browser's cert manager, and
should be able to verify that its chain is complete, no missing certs.
If the chain is incomplete, you should import the missing certs into
your cert DB before doing the signing (using either the browser itself
or using certutil).  Remember to have only one program using the DBs at
a time.  The browser should not be running when you're using certutil or
signtool on your browser's cert and key DB files.

> Once I generated my signed jar, I removed all added certs from mozilla
> and opened the javascript in the jar. Result was that the cert was not
> recognized:

> certum root CA -> certum level I -> mycert and certum level I is not a
> cert that is delivered with mozilla. However, certum root CA is...

> Once I import certum level I, it works fine, however that is of no use
> to the users on the net as I can't ask them to import some cert. I
> wonder, however, whether it is possible to deliver the missing cert as
> part of the signed jar file?

When you sign the jar file, signtool will put as much of the cert chain
into the JAR file as it can find.  If signtool can't find the complete
chain, it will put an incomplete chain into the JAR.   If your JAR file
doesn't have the complete chain, then signtool couldn't find the complete
chain in the cert DB and nssckbi.dll files to which it had access.
The implication is that the Certum 1 intermediate CA cert was not in the
browser's cert8.db file when you used it to run signtool.

> Any pointers on whether this is possible and how to do so?

Make sure that the complete chain is available to signtool, then try
signing again.

-- 
Nelson B
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
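Added example, not part of the thread: a small Python checker that parses the listing format `certutil -L -d <dir>` prints (nickname, then the three trust columns SSL, S/MIME, JAR/XPI) and reports the chain and trust-flag problems Nelson describes: a root that is absent or marked "C" instead of ",,C", a missing intermediate, and a signing cert imported from a .cer file without its private key. The two listings and the nicknames (Certum Root CA, Certum Level I, mycert) are constructed samples, not output from a real database.

```python
"""Check an NSS certificate DB listing for the object-signing chain problems
discussed in the thread. The listings below are constructed samples in the
format that `certutil -L -d <dir>` prints; the nicknames are the ones from
the thread and are assumed, not read from a real DB."""
import re

# certutil -L prints three trust columns: SSL, S/MIME, JAR/XPI (object signing)
TRUST_COLUMNS = ("ssl", "email", "objsign")

# A listing row: nickname, two or more spaces, then three comma-separated flag sets
ROW_RE = re.compile(r"^(\S.*?)\s{2,}([pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)\s*$")


def parse_trust(trustargs):
    """Split a trust string such as ',,C' or 'Cu,,' into its three columns.

    A string with no commas ('C', 'Cu') fills only the SSL column, which is
    why ',,C' (trusted CA for object signing) and 'C' (trusted CA for SSL)
    are different settings."""
    parts = trustargs.split(",")
    parts += [""] * (len(TRUST_COLUMNS) - len(parts))
    return dict(zip(TRUST_COLUMNS, parts))


def parse_listing(text):
    """Turn `certutil -L` output into {nickname: trust string}, skipping headers."""
    certs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            certs[m.group(1)] = m.group(2)
    return certs


def diagnose(listing, chain):
    """chain is root-first, e.g. ['Certum Root CA', 'Certum Level I', 'mycert'].

    Returns a list of human-readable problems; an empty list means every cert
    of the chain is present with trust settings usable for object signing."""
    certs = parse_listing(listing)
    root, intermediates, leaf = chain[0], chain[1:-1], chain[-1]
    problems = []

    if root not in certs:
        problems.append(f"root '{root}' is not in the DB: import it with -t ',,C' "
                        "or make the builtin roots module (nssckbi) available")
    elif "C" not in parse_trust(certs[root])["objsign"]:
        problems.append(f"root '{root}' has trust '{certs[root]}': the JAR/XPI "
                        "column needs 'C' (use -t ',,C', not 'C')")

    for nick in intermediates:
        if nick not in certs:
            problems.append(f"intermediate '{nick}' is missing: signtool would "
                            "write an incomplete chain into the JAR")

    if leaf not in certs:
        problems.append(f"signing cert '{leaf}' is not in the DB")
    elif "u" not in parse_trust(certs[leaf])["objsign"]:
        # A cert whose private key sits in key3.db is normally listed as u,u,u;
        # a bare -A import of the .cer file leaves the JAR/XPI column without 'u'.
        problems.append(f"signing cert '{leaf}' shows trust '{certs[leaf]}': "
                        "no private key appears to be associated for object signing")
    return problems


CHAIN = ["Certum Root CA", "Certum Level I", "mycert"]

# Constructed listing of the DB built with the commands quoted in the thread
# (no root imported; intermediate with -t Cu; leaf .cer imported with -t u).
LISTING_AS_QUOTED = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Certum Level I                                               Cu,,
mycert                                                       u,,
"""

# Constructed listing after importing the root with ',,C', the intermediate
# with ',,' and the signing cert plus its key via a PKCS#12 import.
LISTING_COMPLETE = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Certum Root CA                                               ,,C
Certum Level I                                               ,,
mycert                                                       u,u,u
"""

if __name__ == "__main__":
    for name, listing in (("as quoted", LISTING_AS_QUOTED), ("complete", LISTING_COMPLETE)):
        print(f"{name}: {diagnose(listing, CHAIN) or ['chain OK']}")
```

Run it against real output by piping `certutil -L -d <dir>` into `diagnose` with the nicknames you used on import; the first listing reproduces the "CA certificate invalid" situation from the thread (root absent, no key for the leaf), the second reports no problems.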