Closed Bug 876352 Opened 11 years ago Closed 11 years ago

certutil: (a) Warn if importing PEM file with private key (b) fail if user attempts to import cert with requested "u" trust

Categories

(NSS :: Tools, defect)

Product:
NSS
Component:
Tools
Version:
3.14.3
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
3.15.1

People

(Reporter: KaiE, Assigned: KaiE)

Details

Attachments

(1 file, 1 obsolete file)

Patch v2
20.90 KB, patch
rrelyea
: review+
Details | Diff | Splinter Review 
certutil currently cannot import private keys from a PEM file, it silently skips over private keys.

We could improve usability by using two minor changes, which shouldn't cause any side effects:

(a) If a user attempts to import a certificate in the ASCII format,
    search if the file contains the phrase "PRIVATE KEY".
    If it does, print a warning message
      "certutil cannot import private keys in this format, please use pk12util"
    but proceed as usual (import cert, skip key).

(b) If a user explicitly requests to set the certificate to include "u" for
    any usage, then FAIL with an error like:
      "Usage u requires a private key, use pk12util to import a certificate with a private key."
I'm adjusting my (b) suggestion.

Even in that scenario, I want to print a warning only, to change the existing behaviour as little as possible.
Attached patch Patch v1 (obsolete) — Splinter Review 
This patch is slightly larger than expected, because we're operating on a file handle, which could be standard input, so we cannot read the file twice. This means, we must adjust the function that processes the input stream.

Luckily that function is in the tool code, so the function can easily be changed, without breaking any API/ABI promises of the core NSS library.
Assignee: nobody → kaie
Attachment #754375 - Flags: review?(rrelyea)
Output with this change:

$ certutil -A -d /tmp/bla/ -n test -a -i test.cert -t u,u,u
Warning: ignoring private key. Consider to use pk12util.
Notice: Trust flag u is set automatically if the private key is present.
Target Milestone: --- → 3.15.1
Attached patch Patch v2Splinter Review 

        Attachment #754375 -
        Attachment is obsolete: true

        Attachment #754375 -
        Flags: review?(rrelyea)

        Attachment #754376 -
        Flags: review?(rrelyea)

    
    

    
  
Comment on attachment 754376 [details] [diff] [review]
Patch v2

r+ Of the changes, the warning on trying to set the 'u' bits are probably the most useful.

bob

        Attachment #754376 -
        Flags: review?(rrelyea) → review+

    
    

    
  
https://hg.mozilla.org/projects/nss/rev/edcb5af30559
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: