Bug 215214 - certutil only lists one instance of duplicate certs when using -L -h all
Status: RESOLVED FIXED (Closed)
Opened 22 years ago, closed 21 years ago
Categories: NSS :: Tools, defect
Tracking: Not tracked
People: Reporter: julien.pierre, Assigned: julien.pierre
Attachments (1 file): patch, 597 bytes; wtc: review+; nelson: superreview+
When using certutil -h all -L, one would expect to get all instances of every
certificate listed. Instead, only a single certificate is listed.
This is because certutil uses PK11_ListCerts with the PK11CertListUnique
argument. This causes all instances of a certificate to be collapsed into one.
For example, if a certificate exists in both a softoken and a smartcard, only
one certificate will be listed, with the prefix of the hardware token name.
The fix requires using a new argument to PK11_ListCerts. See bug #215186.
Comment 2 (Assignee) • 22 years ago
An alternative to using the new PK11CertListAll parameter proposed in bug 215186
is to call PK11_ListCerts twice with two different arguments:
PK11CertListUser and PK11CertListRootUnique.
This would show all the instances of user certs, and only one instance for root
certificates. Some products do that (NES) because typically the
administrator/user only cares about the multiple instances for the user certs,
but not for the root certs, for which the private keys are not normally available.
Assignee: wtc → jpierre
Comment 3 • 22 years ago
The proposal in comment 2 would not show intermediate CA certs, right?
I think certutil -L -h all means "show all certs in all tokens".
I think it should include intermediates and duplicates.
I don't think we should be using the "unique" flag in certutil -L.
Perhaps we should have a new argument that suggests doing a "unique" search.
Comment 4 (Assignee) • 21 years ago
Nelson, in response to comment #2, you are right it wouldn't show intermediates,
so that would be a bad thing.
It makes more sense for certutil to use the new PK11CertListAll option, once the
patch for bug 215186 is reviewed and checked in.
Comment 5 (Assignee) • 21 years ago
Replace PK11CertListUnique with PK11CertListAll as argument to PK11_ListCerts.
I don't think we need an option for unique in this case. If the user specifies
-h all, it's safe to say that he wants to see all the instances of certs on all
tokens.
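The three listing policies discussed in the description and in comments 2 through 5 (the unique listing certutil used, the list-everything behaviour of the proposed PK11CertListAll, and the two-call alternative from comment 2), as an added model in C that is not NSS code and not part of this bug. It fakes a small certificate store spanning three tokens and applies each policy to it; the CertInstance struct, the mode names and the sample store are constructed for the example. The "root" test used for the two-call alternative is an assumption (self-signed, no private key), which is the reading comment 3 uses; comment 6 later notes that the real flag's "Root" actually means a CA cert without a private key.

```c
#include <stdio.h>
#include <string.h>

/* One certificate instance as it appears on one token. The subject string
 * stands in for the DER encoding that is compared when duplicates collapse.
 * (Constructed for this example; not an NSS type.) */
typedef struct {
    const char *token;
    const char *subject;
    int is_self_signed;   /* issuer == subject */
    int has_private_key;  /* a matching private key exists on that token */
} CertInstance;

/* Listing policies modelled here (names are ours, not NSS enum values). */
typedef enum {
    MODE_UNIQUE,          /* models PK11CertListUnique: one copy per cert */
    MODE_ALL,             /* models PK11CertListAll: every instance */
    MODE_USER_PLUS_ROOT   /* models the two-call alternative from comment 2 */
} ListMode;

/* Constructed sample store: a user cert and an intermediate CA present on both
 * the software token and a smart card, plus a root present on two tokens. */
static const CertInstance kStore[] = {
    { "Smart Card",         "CN=Alice",           0, 1 },
    { "NSS Certificate DB", "CN=Alice",           0, 1 },
    { "Smart Card",         "CN=Intermediate CA", 0, 0 },
    { "NSS Certificate DB", "CN=Intermediate CA", 0, 0 },
    { "Builtin Roots",      "CN=Root CA",         1, 0 },
    { "NSS Certificate DB", "CN=Root CA",         1, 0 },
};
#define NSTORE (sizeof kStore / sizeof kStore[0])

static int already_listed(const CertInstance *out, size_t n, const char *subject)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(out[i].subject, subject) == 0)
            return 1;
    return 0;
}

/* Fill out[] with the instances the given policy lists; returns the count. */
size_t list_certs(ListMode mode, CertInstance *out, size_t out_max)
{
    size_t n = 0;
    for (size_t i = 0; i < NSTORE && n < out_max; i++) {
        const CertInstance *c = &kStore[i];
        int keep = 0;
        switch (mode) {
        case MODE_ALL:
            keep = 1;
            break;
        case MODE_UNIQUE:
            /* The first instance enumerated survives; which token that is
             * depends on enumeration order, which is why the report saw the
             * hardware token's copy. */
            keep = !already_listed(out, n, c->subject);
            break;
        case MODE_USER_PLUS_ROOT:
            if (c->has_private_key)          /* "user" call: all instances */
                keep = 1;
            else if (c->is_self_signed)      /* "root unique" call (assumed: self-signed) */
                keep = !already_listed(out, n, c->subject);
            /* else: an intermediate CA without a key falls in neither set */
            break;
        }
        if (keep)
            out[n++] = *c;
    }
    return n;
}

/* How many instances of `subject` does the policy list? */
size_t count_listed(ListMode mode, const char *subject)
{
    CertInstance out[NSTORE];
    size_t n = list_certs(mode, out, NSTORE), hits = 0;
    for (size_t i = 0; i < n; i++)
        if (strcmp(out[i].subject, subject) == 0)
            hits++;
    return hits;
}

int main(void)
{
    static const char *names[] = { "unique", "all", "user+root-unique" };
    for (int m = MODE_UNIQUE; m <= MODE_USER_PLUS_ROOT; m++) {
        CertInstance out[NSTORE];
        size_t n = list_certs((ListMode)m, out, NSTORE);
        printf("-- %s: %zu entries\n", names[m], n);
        for (size_t i = 0; i < n; i++)
            printf("%s:%s\n", out[i].token, out[i].subject);
    }
    return 0;
}
```

Running it shows the unique policy reporting one Alice and one Intermediate CA, the all policy reporting both copies of each, and the two-call alternative reporting both copies of Alice but no Intermediate CA at all, which is the gap comment 3 points out.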
Updated (Assignee) • 21 years ago
Attachment #131639 - Flags: superreview?(MisterSSL)
Attachment #131639 - Flags: review?(wchang0222)
Comment 6 • 21 years ago
Comment on attachment 131639: list all instances of certs
r=wtc.
By the way, we found that PK11CertListRootUnique is a misnomer.
The "Root" really means a CA cert (as opposed to a root CA cert)
without a private key.
We've added a new flag, PK11CertListCAUnique, which means a
CA cert, whether we have the private key for it or not.
Attachment #131639 - Flags: review?(wchang0222) → review+
Comment 7 (Assignee) • 21 years ago
Checked in:
Checking in certutil.c;
/cvsroot/mozilla/security/nss/cmd/certutil/certutil.c,v <-- certutil.c
new revision: 1.79; previous revision: 1.78
done
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Comment 8 • 21 years ago
Regarding comment 6 and the name that is a misnomer, I hope you have added
comments to that header file to document that important finding.
Comment 9 • 21 years ago
Comment on attachment 131639: list all instances of certs
sr=MisterSSL
Attachment #131639 - Flags: superreview?(MisterSSL) → superreview+