我正在通过 NSS/NSPR C++ API 添加自签名根证书。
这需要一个 x509v3 扩展,主题 alt 名称。但是,添加此扩展或任何 x509v3 扩展会导致 firefox 失败并显示 错误代码:sec_error_extension_value_invalid。
// Add subjectAltName x509v3 extension containing our localhost IPv4
// address of 127.0.0.1. The subjectAltName entry takes precedence over
// the CommonName (CN) entry, thus we are allowed to have a more
// descriptive name there. In addition, this is needed by Safari on Mac in
// order to properly trust the certificate.
X509V3_CTX ctx;
X509V3_set_ctx_nodb(&ctx);
X509V3_set_ctx(&ctx, m_x509, m_x509, nullptr, nullptr, 0);
// Removing this line causes the cert to be accepted by firefox:
X509_EXTENSION* ext = X509V3_EXT_conf_nid(nullptr, &ctx, NID_subject_alt_name, (char*)"DNS:127.0.0.1,IP:127.0.0.1");
if (ext) {
X509_add_ext(m_x509, ext , -1);
X509_EXTENSION_free(ext);
}
// Sign the certificate
X509_sign(m_x509, m_key->m_pkey, EVP_sha1());
这似乎是一个 pkix 错误,因为在 about:config 中设置 use_mozillapkix_verification = false,或使用 ff < 31,导致证书被接受。
这是 pkix 错误吗?还是这里忽略了什么?
最佳答案
通过https://bugzilla.mozilla.org/show_bug.cgi?id=1045973
NSS accepts v1/v2 ceritificates with v3 extensions, mozilla::pkix does not
修复:
X509_set_version(m_x509, 2L);
关于c++ - 添加 x509v3 扩展导致 Mozilla pkix 不信任,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/25028136/