@Albert
OK, I can see the problem for poppler in terms of licensing.
A quick evaluation of the alternatives: www.gnu.org/software/gnutls/manual/html_node/X509-certificate-API.html#X509-certificate-API
gnutls seems to be unsuited for this because it doesn't have a decent PKCS7 API that would allow me to parse the signature and access each component.
I've only found this in the docs: http://
NSS seems to be more promising as I've found example code for PKCS#7 validation in its source tarball: mozilla/security/nss/cmd/p7verify/p7verify.c
The disadvantage I see with NSS is that we won't be able to reuse the system certificate store, usually in /etc/ssl/certs, because it will need to use a particular Berkeley DB cert store such as you can find in your Firefox/Thunderbird profile. So we'd have an implicit dependency on .mozilla/... being present or, worse, we'll need to introduce our own cert store.
I have no experience with GnuTLS or NSS, so if anyone can correct me or add something, feel free.