Two new notes:


1) Extracting the root CA cert DB from FF3 manually (GUI + Select all)
to PEM works fine with c_rehash:

$ openssl s_client -verify 4 -connect www.gmail.com:443 2>&1 | egrep \
    "Verify\ return\ code"
Verify return code: 0 (ok)


2) I'm unable to find the file system database that contains the root
CA, otherwise the process could be automated:

$ for a in $(certutil -L -d ~/.mozilla/firefox/3u995ypq.default/ | \
      egrep -v "Nickname" | cut -f1 -d ' ' -s); do \
    certutil -L -d ~/.mozilla/firefox/3u995ypq.default/ -a -n "$a" \
      > /tmp/"$a".pem; \
  done


However:

1) certutil(8) is awful and doesn't escape the DB "nick" column with
quotes, making it impossible to regex out the cert name.
2) In FC9 and FBSD7, neither /etc/pki/nssdb/ nor
/usr/{local/share|lib64}/firefox-3.0.1 has the certutil-formatted
DB to automate the extract process from.

Anyway, the root CA DB doesn't change very often, so code can be written
around this for now.

~BAS



On Wed, 11 Apr 2007, Brian A. Seklecki wrote:

>
> These scripts are great, thank you very much to all involved who contributed
> (no e-mail address for 'mastrboy'). I'm considering spending some time
> adding additional functionality:
>
> --
>
> In addition to simply parsing the date and comparing the date/time, I'd like
> to test the validity of the X.509 Cert against its PKI infrastructure using
> the OpenSSL routines.
>
> I'm pretty sure that this can be accomplished by checking the result code of
> openssl 's_client' or 'verify'; both permit for -CApath and -CAfile.
>
> For internal PKI, this is pretty straightforward; just specify your
> organization's Root CA Cert.
>
> For public cert verification; it gets tricky because you have to take a
> certificate store like the Mozilla NSS/NSPR default and convert it into
> OpenSSL c_rehash format -- taking ideas on that here.
>
> http://lxr.mozilla.org/mozilla/sourc...s/certdata.txt
>
> Thoughts?
>
> l8*
> -lava (Brian A. Seklecki - Pittsburgh, PA, USA)
> http://www.spiritual-machines.org/
>


l8*
-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
http://www.spiritual-machines.org/

"Guilty? Yeah. But he knows it. I mean, you're guilty.
You just don't know it. So who's really in jail?"
~Maynard James Keenan

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org
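The following script is an added example, not code from either message in this thread. It covers both the quoted proposal (verify a server chain with `openssl s_client -CApath` against a store converted from Mozilla's) and the follow-up's stuck step (getting nicknames out of `certutil -L` when the unquoted nickname column contains spaces): rather than splitting on spaces, it strips the trailing trust-attributes column, which always has the three-field `X,Y,Z` form, and names the exported PEM files by index so nicknames never touch the filesystem. It assumes NSS `certutil` and OpenSSL's `c_rehash` are installed; the sample `certutil -L` listing is constructed for the example and the profile path is the one from the post, used only as an illustration. One caveat on the "can't find the DB" problem: the public roots that `certutil -L` shows with the `Builtin Object Token:` prefix come from NSS's built-in PKCS#11 module (compiled from the certdata.txt linked in the quoted message), not from a cert8.db file, so listing the profile with certutil is the way to reach them from a script.

```shell
#!/bin/sh
# Added example, not code from the original thread. It automates the two
# steps discussed above: pull every cert out of an NSS cert DB with
# certutil(1), and build an OpenSSL -CApath directory from them with c_rehash.
# Assumptions: NSS certutil and OpenSSL's c_rehash are on $PATH; the profile
# directory passed to export_nss_roots is yours (the path below is the one
# from the post, used only as an illustration).

# `certutil -L -d <db>` output, constructed here as sample input. The last
# column is the trust attributes (SSL,S/MIME,JAR/XPI) and the nickname before
# it is not quoted, which is why a plain cut(1) on spaces truncates it.
SAMPLE_CERTUTIL_LIST='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Builtin Object Token:Verisign Class 3 Public Primary Certification Authority CT,C,C
Builtin Object Token:Thawte Premium Server CA                CT,C,C
Builtin Object Token:Equifax Secure CA                       CT,C,C
'

# Read certutil -L output on stdin and print one nickname per line. Instead of
# splitting on spaces, drop the two header lines and blank lines, then strip
# the trailing trust column, which always has the three-field p/P/c/C/T/u/w
# form "X,Y,Z" (any field may be empty, e.g. ",,").
certutil_nicknames() {
    sed -e '/^Certificate Nickname/d' \
        -e '/SSL,S\/MIME,JAR\/XPI/d' \
        -e '/^[[:space:]]*$/d' \
        -e 's/[[:space:]]\{1,\}[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*[[:space:]]*$//'
}

# Export every cert in the NSS DB "$1" as PEM (-a) into directory "$2" and
# run c_rehash there so the directory is usable as `openssl s_client -CApath`.
# Files are named by index rather than nickname, so colons, slashes and
# spaces in nicknames never reach the filesystem.
export_nss_roots() {
    db="$1"; out="$2"
    mkdir -p "$out"
    n=0
    certutil -L -d "$db" | certutil_nicknames | while IFS= read -r nick; do
        n=$((n + 1))
        certutil -L -d "$db" -a -n "$nick" > "$out/nss-root-$n.pem"
    done
    c_rehash "$out"
}

# Verify a public server against the exported store; prints openssl's
# "Verify return code" line, where "0 (ok)" means the chain validated.
# </dev/null closes s_client's stdin so it exits instead of waiting for input.
verify_against_store() {
    openssl s_client -CApath "$1" -connect "$2" </dev/null 2>&1 \
        | grep 'Verify return code'
}

# Stand-alone demo on the constructed sample: prints the three full nicknames.
printf '%s\n' "$SAMPLE_CERTUTIL_LIST" | certutil_nicknames

# Real run (needs certutil, c_rehash and a Firefox profile):
#   export_nss_roots ~/.mozilla/firefox/3u995ypq.default/ /tmp/nss-roots
#   verify_against_store /tmp/nss-roots www.gmail.com:443
```

For an internal PKI the same `verify_against_store` works unchanged; point it at a directory holding only your organization's root (after `c_rehash`), or swap `-CApath` for `-CAfile` with the root's PEM.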