Two new notes:
1) Extracting the root CA cert DB from FF3 manually (GUI + Select all)
to PEM works fine with c_rehash.pl
$ openssl s_client -verify 4 -connect www.gmail.com:443 2>&1 | egrep \
"Verify\ return\ code"
Verify return code: 0 (ok)
2) I'm unable to find the file system database that contains the root
CA, otherwise the process could be automated:
$ for a in $(certutil -L -d ~/.mozilla/firefox/3u995ypq.default/ | \
    egrep -v "Nickname" | cut -f1 -d ' ' -s ); do \
    certutil -L -d ~/.mozilla/firefox/3u995ypq.default/ -a -n "$a" > /tmp/"$a".pem; \
  done
However:
1) certutil(8) is awful and doesn't escape the DB "nick" column with
quotes, making it impossible to regex out the cert name.
2) In FC9 and FBSD7, neither /etc/pki/nssdb/ nor
/usr/{local/share|lib64}/firefox-3.0.1 has the certutil
format'd DB to automate the extract process from.
Anyway, the root CA DB doesn't change very often, so code can be written
around this for now.
~BAS
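A version of the extract loop that keeps nicknames containing spaces intact, then rehashes the output directory and checks one server chain against it, as an added example that is not code from the thread. It assumes certutil's listing layout (nickname padded out to a trailing trust-attribute column); the listing embedded in it is a constructed sample.

```shell
#!/bin/sh
# Added example, not code from the thread. SAMPLE_LISTING is CONSTRUCTED
# sample output in the layout `certutil -L -d <dir>` prints: the nickname
# (which may contain spaces) padded out to the trust-attribute column.
SAMPLE_LISTING='Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

Builtin Object Token:Equifax Secure CA        C,C,C
Builtin Object Token:GlobalSign Root CA       CT,C,C
My Internal Root                              CT,,
Some Untrusted Cert                           ,,'

# Read a certutil -L listing on stdin, print one nickname per line.
# The trust flags (letters p,P,c,C,T,u,w plus commas) are always the last
# field, so strip that field from the right instead of cutting the nickname
# at its first space as the one-liner in the note does.
nss_nicknames() {
    grep -v -e '^Certificate Nickname' -e 'SSL,S/MIME' -e '^[[:space:]]*$' |
        sed -e 's/[[:space:]]\{1,\}[pPcCTuw,]*$//'
}

# Export every cert in an NSS db directory to PEM files under $2, rehash
# the directory for -CApath, and verify one server chain against it.
# Needs certutil, c_rehash and openssl on PATH; returns 1 if certutil is absent.
export_nss_roots() {
    dbdir=$1; outdir=$2; host=${3:-www.gmail.com}
    command -v certutil >/dev/null 2>&1 || return 1
    mkdir -p "$outdir"
    certutil -L -d "$dbdir" | nss_nicknames | while IFS= read -r nick; do
        # Pass the nickname quoted so spaces survive; sanitise it for the file name.
        fname=$(printf '%s' "$nick" | tr -c 'A-Za-z0-9._-' '_')
        certutil -L -d "$dbdir" -a -n "$nick" > "$outdir/$fname.pem"
    done
    c_rehash "$outdir" >/dev/null
    openssl s_client -verify 4 -CApath "$outdir" -connect "$host:443" \
        </dev/null 2>&1 | grep 'Verify return code'
}
```

Run it as `export_nss_roots ~/.mozilla/firefox/<profile>/ /tmp/roots` to get the same "Verify return code" line as the manual check above, but with -CApath pointed at the exported store.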
On Wed, 11 Apr 2007, Brian A. Seklecki wrote:
These scripts are great, thank you very much to all involved who contributed
(no e-mail address for 'mastrboy'). I'm considering spending some time
adding additional functionality:
--
In addition to simply parsing the date and comparing the date/time, I'd like
to test the validity of the X.509 Cert against its PKI infrastructure using
the OpenSSL routines.
I'm pretty sure that this can be accomplished by checking the result code of
openssl 's_client' or 'verify'; both permit for -CApath and -CAfile.
For internal PKI, this is pretty straightforward; just specify your
organization's Root CA Cert.
For public cert verification, it gets tricky because you have to take a
certificate store like the Mozilla NSS/NSPR default and convert it into
OpenSSL c_rehash format -- taking ideas on that here.
http://lxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt
Thoughts?
l8*
-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
http://www.spiritual-machines.org/
"Guilty? Yeah. But he knows it. I mean, you're guilty.
You just don't know it. So who's really in jail?"
~Maynard James Keenan
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org