No.1
Christian <cs5b (AT) yahoo (DOT) com> wrote:
Hello all, I am trying to sign javascript files and running into some
issues. Hopefully someone can point me in the right direction.
I did obtain a code signing certificate from Certum.
They issue the certificate as part of a chain:
certum root CA -> certum level I -> mycert.
I presume you obtained that cert with your browser. That is,
you visited a certum web site that caused your browser to generate a
pair of keys, a private key and a public key. The public key went
into the certificate that Certum issued to you. The private key
remained in your browser's key3.db file.
Perhaps you generated your key pair using another program,
such as SSL, in which case your private key is in whatever file
SSL put it in.
Either way, you'll need that private key, in addition to your certificate
chain, when you go to sign your files.
I created a cert db with the certutil program:
1. certutil.exe -N -d
That created 3 files, cert8.db, key3.db and secmod.db, all effectively
empty.
I have three cer files: one for each cert in the chain. Since certum
root ca is already contained in the list of root certs, I do not bother
to import this one. However, I do import certum level I and mycert:
2. certutil.exe -A -t Cu -n "Certum Level I" -i certum1.cer -d .
3. certutil.exe -A -t u -n "mycert" -i mycert.cer -d .
You're planning on relying on the browsers' built-in list of root CA certs.
That's fine. But the signing program will need access to that list to do
its job. It will want to recreate the entire cert chain. To do that, it
will need access to that root CA cert. You can either import that cert
too, or else make a copy of the built-in root certs module available to
the signing program.
Also, the sequence of commands you showed above has put your cert and
the intermediate CA cert into your new cert8.db file, but has not put
your private key into the corresponding key3.db file. You'll need to
do that. I can't advise you how to do that until we know where that
private key is (e.g. Windows key store, SSL file, mozilla key3.db file,
etc.)
I attempt to sign a javascript file and it fails. A check with signtool
-l -d . reveals that the cert is not valid:
H:\keys\code sign>c:signtool -l -d .
using certificate directory: .
signing certificates
mycert
Issued by: Certum Level I (Certum Level I)
Expires: Thu 26, 2006
++ Error ++ THIS CERTIFICATE IS NOT VALID (Certificate Authority
certificate invalid)
For a list including CA's, use "signtool -L"
I assume I am doing something wrong on the import since these certs are
chained. I know that the certs are good as they seem to be accepted by
the microsoft certificate manager. I am banging my head against my
keyboard. Any help would be greatly appreciated.
Your poor keyboard! :)
Your signing program probably can't validate that cert because it cannot
find the trusted Certum root certificate that issued it.
You could import the certum root and mark it trusted for object signing,
or you could copy the browser's list of trusted root CA certs into your
signing directory and tell the signing tool to use it.
To mark a root CA cert trusted for object signing, you need to set the
trust arguments as ",,C" (not "C").
To use the browser's list of trusted root CA certs, find the file
nssckbi.dll among your (mozilla family) browser's files, and copy it to
the directory where you put your new cert8.db file. Then run a command
to configure the NSS tools to know about that nssckbi.dll file.
I think you can do that with the command:
certutil -L -d . -X -h all
If it succeeds, it will list all the certs found in the nssckbi.dll file.
Afterwards, your signtool will (er, should) be happier with your
Certum Level 1 intermediate CA cert.
Thanks-
Christian
Later, Christian wrote:
Well, I got a bit further on this.
I was able to get the javascript signed, but the certificate (since it
is in a chain of which the middle cert is unknown to mozilla) was not
recognized since it was in a chain.
If the certum 1 intermediate CA cert was in the cert8.db file when you
ran signtool, it should have been copied into the signed file.
Here are the steps:
1. I converted my spc and pvk into pfx using the pvkimprt tool (on Win
2K since this tool doesn't work on Win XP)
2. Imported the pfx into the cert management of mozilla browser
OK, so you got your cert and your private key into the browser's cert
and key DB files. If the pfx file also contained the certum level 1
intermediate CA, that cert would also have been imported into your cert
DB file, but based on the results you got, I think it was not in that
pfx file.
3. used the signtool to sign the javascript pointing the signtool to
the mozilla cert db (it's in the user's directory under
mozilla/profiles).
Yes, that should have worked. Using the cert, key and secmod.db files
from the browser should work, AS LONG AS the browser is not running when
the other tools are running.
You should be able to see your cert in the browser's cert manager, and
should be able to verify that its chain is complete, no missing certs.
If the chain is incomplete, you should import the missing certs into
your cert DB before doing the signing (using either the browser itself
or using certutil). Remember to have only one program using the DBs at
a time. The browser should not be running when you're using certutil or
signtool on your browser's cert and key DB files.
I generated my signed jar, I removed all added certs from mozilla
and opened the javascript in the jar. Result was that the cert was not
recognized:
certum root CA -> certum level I -> mycert, and certum level I is not a
cert that is delivered with mozilla. Oh, certum root CA is.
When I import certum level I, it works fine; however, that is of no use
to the users on the net as I can't ask them to import some cert. I
wonder, however, whether it is possible to deliver the missing cert as
part of the signed jar file?
When you sign the jar file, signtool will put as much of the cert chain
into the JAR file as it can find. If signtool can't find the complete
chain, it will put an incomplete chain into the JAR. If your JAR file
doesn't have the complete chain, then signtool couldn't find the complete
chain in the cert DB and nssckbi.dll files to which it had access.
The implication is that the Certum 1 intermediate CA cert was not in the
browser's cert8.db file when you used it to run signtool.
Any pointers on whether this is possible and how to do so?
Make sure that the complete chain is available to signtool, then try
signing again.
No.2
Nelson, thank you very much for your reply. I have attempted to sign
the jar file again watching out for the steps you mentioned along the
way. Here is some information:
1. after I import the p12/pfx file into mozilla via its cert manager,
mycert shows up as well as a new intermediate cert in the authorities
tab.
2. I close the browser and attempt to sign. This does not work, stating
"the issuer cert is invalid".
3. I reopen the browser and check the intermediate cert. It is there:
intermediatecert "software security device". It is verified for ssl
server cert, email signer cert, email recipient cert, ssl cert
authority, and status responder cert.
4. I click on edit and none of the three trust options are set. I set
"cert can identify software makers". I close the browser.
5. I attempt to sign again. This time it works and I upload my jar to my
web server.
6. I open my browser and remove the intermediate cert as well as my
cert and close my browser.
7. I open the signed file in a newly opened browser and it doesn't seem
to recognize the signed file.
I suspect that either the intermediate cert was not included
while signing or there is an issue with recognizing what the
intermediate cert is entrusted with (similar issue as steps 2-4 above).
Is there any way I can check what certs are included in the jar file
and what they are entrusted with?
Thanks again for your help -
Christian
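Christian's last question, how to check what a signed JAR actually carries, can be partly answered offline. The Python below is an added example, not code from the thread or from NSS: it builds a constructed JAR in the signed-script layout (META-INF/MANIFEST.MF, zigbert.sf, zigbert.rsa as signtool names them; the .rsa content here is a placeholder, not a real PKCS#7 blob) and verifies every entry against the manifest's SHA1-Digest, which is what a verifier checks first. Note that trust is never stored in the JAR: the PKCS#7 block carries whatever part of the chain signtool could find, and the roots come from the verifying browser.

```python
import base64
import hashlib
import io
import zipfile

# Constructed sample JAR: one script plus the META-INF files a signed JAR
# carries. Layout approximates what NSS signtool writes (zigbert.sf,
# zigbert.rsa); the .rsa entry is a placeholder, not a real PKCS#7 blob.
SCRIPT_NAME = "script.js"
SCRIPT_BODY = b"alert('signed');\n"

def b64sha1(data):
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def build_manifest(entries):
    """JAR manifest with one SHA1-Digest section per entry."""
    text = "Manifest-Version: 1.0\r\n\r\n"
    for name, body in entries.items():
        text += (f"Name: {name}\r\nDigest-Algorithms: SHA1\r\n"
                 f"SHA1-Digest: {b64sha1(body)}\r\n\r\n")
    return text.encode()

def build_sample_jar(script=SCRIPT_BODY, digested=None):
    """Build the JAR; `digested` lets a test digest one body and ship
    another, which is what a file edited after signing looks like."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF",
                   build_manifest({SCRIPT_NAME: digested or script}))
        z.writestr("META-INF/zigbert.sf", b"Signature-Version: 1.0\r\n")
        z.writestr("META-INF/zigbert.rsa", b"PLACEHOLDER-PKCS7")  # constructed
        z.writestr(SCRIPT_NAME, script)
    return buf.getvalue()

def parse_manifest(text):
    """Map entry name -> SHA1-Digest from the manifest's Name sections."""
    digests, name = {}, None
    for line in text.decode().splitlines():
        if line.startswith("Name: "):
            name = line[6:]
        elif line.startswith("SHA1-Digest: ") and name:
            digests[name] = line[13:]
    return digests

def check_jar_digests(jar_bytes):
    """{entry: True/False}: does each entry still match its signed digest?"""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        expected = parse_manifest(z.read("META-INF/MANIFEST.MF"))
        return {n: b64sha1(z.read(n)) == d for n, d in expected.items()}
```

To see which certificates went into a real JAR, extract META-INF/zigbert.rsa and run openssl pkcs7 -inform DER -in zigbert.rsa -print_certs -noout; if the Certum Level I cert is absent there, it was not in the cert DB signtool used.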