Closed Bug 123296 Opened 24 years ago Closed 23 years ago

signtool doesn't like certutil object signing certificates

Categories

(NSS :: Tools, defect, P1)

3.3.1
x86
Linux
defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: murphye, Assigned: jamie-bugzilla)

Details

(Keywords: crash, testcase)

Attachments

(2 files, 1 obsolete file)

http://bugzilla.mozilla.org/show_bug.cgi?id=122100 has instructions I have followed, and gotten to work with the latest CVS version of NSS. This creates two object signing certificates in the database. However, once I create these object signing certificates, signtool doesn't like them. It says, "Certificate not approved for this operation". Here is the command I use:

signtool -k"certs.mozdev.org" -p"mozdev.org" test/

Getting this working is urgent, because once I get this to work, I can finish my section for the Mozilla Applications book about signed scripts.
Just to note, the password of the database is "mozdev.org". Sorry to make that confusing. Also, I made a temporary object signing certificate and compared it to the ones I had made. Their credentials were identical.
Finally, when I did signtool -L, mozdev.org showed up, and it did not appear to be marked as an object signing certificate. Then the terminal hung. -l also has similar problems hanging the terminal for me, but nothing was listed at all.
Attached file certs.zip (obsolete) —
This contains the db files with the certs I mentioned pre-installed. Also contains .cacert representations of them. Password is "mozdev.org"
I want to nominate this for P1. This stuff is going to be in the O'Reilly Mozilla Applications book, and I really hope this can be fixed for 3.4. I need to fully test this stuff before it goes to press. Sooner the better. Thanks.
Keywords: testcase
Signtool doesn't recognize "mozdev.org" as a signing certificate because it doesn't have the object signing flag set in the Netscape Certificate Type extension. It looks like the cert has "object signing CA", but not "object signing". The latter is necessary for signtool to recognize it as an object signing cert. Try generating a new certificate. This time specify both "object signing CA" and "object signing" for the Netscape Certificate Type extension.
This still does not work :-(
OK, please attach the latest databases to the bug report, and I'll see what signtool doesn't like about your new cert.
Assigned the bug to Jamie.
Assignee: wtc → nicolson
Comment on attachment 68238 [details] certs.zip Old database
Attachment #68238 - Attachment is obsolete: true
Attached file certs.zip
Certificate database with object signing and object signing CA
OK, I just tried this with nss-3.4.rc1 Windows version. I did this:

C:\Documents and Settings\Administrator\Desktop\nss-3.4.rc1\bin>signtool -k"certs.mozdev.org " -p"certs.mozdev.org" mozdev/
using certificate directory: .
Generating mozdev//META-INF/manifest.mf file..
--> test.txt
Generating zigbert.sf file..

The CPU went to 100% and hung there. I had to kill the signtool process. Updated certificate database is attached. This database is both object signing and object signing CA, as stated in Comment 5. I have libplc4.dll, libnspr4.dll, and libplds4.dll (all version 4.1.2.0) and the database files in the bin also. -d .
The result here is different than before, when it simply said "Certificate not approved for this operation".
Keywords: crash
The problem is that you provided an incorrect password. Interestingly, signtool will loop indefinitely in that case. I deduced that the correct password was "mozdev". That will avoid the hang. Your cert is still incorrect. You need to set the key usage extension to digital signature. Use "-1" with certutil, and select "Digital Signature" when prompted. Worked for me.
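The two certificate requirements that this thread converges on (the Netscape Certificate Type extension must carry "object signing" itself, not only "object signing CA", and the Key Usage extension must carry digitalSignature) are both encoded as DER BIT STRINGs whose bit numbering trips people up. The following is an added example, not code from the bug or from NSS's signtool: it decodes such BIT STRING values and applies those two checks. The function signtool_would_accept is a hypothetical mirror of the conditions described in the comments, not NSS's actual code path, and the sample extension values are constructed here rather than taken from the attached certs.zip.

```python
# Added example (not from the bug or from NSS). Decodes DER BIT STRING values of
# the Netscape Certificate Type and Key Usage extensions and applies the two
# requirements the thread identified for signtool. ASN.1 numbers bit 0 as the
# most significant bit of the first content byte; the byte after the length
# gives the count of unused trailing bits.

NS_CERT_TYPE_BITS = {
    0: "sslClient", 1: "sslServer", 2: "smime", 3: "objectSigning",
    4: "reserved", 5: "sslCA", 6: "smimeCA", 7: "objectSigningCA",
}
KEY_USAGE_BITS = {  # RFC 5280 KeyUsage bit positions
    0: "digitalSignature", 1: "nonRepudiation", 2: "keyEncipherment",
    3: "dataEncipherment", 4: "keyAgreement", 5: "keyCertSign",
    6: "cRLSign", 7: "encipherOnly", 8: "decipherOnly",
}


def decode_bit_string(der: bytes) -> set:
    """Return the set of bit indices set in a short-form DER BIT STRING (tag 0x03)."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or truncated length")
    unused = der[2]
    body = der[3:]
    if unused > 7 or (not body and unused):
        raise ValueError("bad unused-bits count")
    total = len(body) * 8 - unused
    return {i for i in range(total) if body[i // 8] & (0x80 >> (i % 8))}


def named_bits(der: bytes, table: dict) -> set:
    """Map set bit indices to their extension keyword names."""
    return {table.get(i, "bit%d" % i) for i in decode_bit_string(der)}


def signtool_would_accept(ns_cert_type_der: bytes, key_usage_der):
    """Hypothetical mirror of the checks discussed in the bug; returns (ok, reasons)."""
    reasons = []
    ct = named_bits(ns_cert_type_der, NS_CERT_TYPE_BITS)
    if "objectSigning" not in ct:
        reasons.append("nsCertType lacks objectSigning (have: %s)" % ", ".join(sorted(ct)))
    if key_usage_der is None:
        reasons.append("no Key Usage extension")
    else:
        ku = named_bits(key_usage_der, KEY_USAGE_BITS)
        if "digitalSignature" not in ku:
            reasons.append("keyUsage lacks digitalSignature (have: %s)" % ", ".join(sorted(ku)))
    return (not reasons, reasons)


# Constructed sample extension values (raw BIT STRING DER), not from certs.zip.
CA_ONLY = bytes.fromhex("03020001")         # objectSigningCA only (bit 7)
CA_AND_SIGNING = bytes.fromhex("03020011")  # objectSigning + objectSigningCA (bits 3, 7)
KU_DIGSIG = bytes.fromhex("03020780")       # digitalSignature only (bit 0; 7 unused bits)
KU_CERTSIGN = bytes.fromhex("03020204")     # keyCertSign only (bit 5; 2 unused bits)

if __name__ == "__main__":
    scenarios = [
        ("objectSigningCA only, no key usage", CA_ONLY, None),
        ("objectSigning added, key usage keyCertSign", CA_AND_SIGNING, KU_CERTSIGN),
        ("objectSigning added, key usage digitalSignature", CA_AND_SIGNING, KU_DIGSIG),
    ]
    for label, ct, ku in scenarios:
        ok, why = signtool_would_accept(ct, ku)
        print("%-48s %s" % (label, "ACCEPT" if ok else "REJECT: " + "; ".join(why)))
```

The first two scenarios correspond to the states the reporter went through (a certificate with only the CA bit, then one with both Netscape type bits but without a digitalSignature key usage); only the third passes both checks.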
Providing an incorrect password at the command line causes an infinite loop; this stops it.
Sorry about the wrong password... :-/ At least that brought one other signtool problem up. It works! Thanks for the help. Now I sort of feel dumb for not noticing the Digital Signature menu option, and figuring out that may be the problem.
Priority: -- → P1
Target Milestone: --- → 3.4.1
Version: 3.4 → 3.3.1
Comment on attachment 76199 [details] [diff] [review] prevent infinite loop with incorrect password r=wtc.
Attachment #76199 - Flags: review+
Checked in. Marking fixed since the user completed the signing operation with a cert created by certutil.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Target Milestone: 3.4.1 → 3.4