certutil man page does not explain SKI/AKI input method

Status: NEW
Assignee: Unassigned
Priority: P3
Severity: normal
Reported: 2 years ago
Last modified: a year ago
Reporter: ftweedal
Tracking: 3.30
Firefox Tracking Flags: (Not tracked)

Description (Reporter, 2 years ago)

User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
Build ID: 20170420084331

Steps to reproduce:

Description of problem: when inputting a Subject Key Identifier
or Authority Key Identifier, it is not clear how to input binary
data.

The correct method is to put a hex-encoded value, WITHOUT
octet/group separation and WITH a 0x prefix.  But the manpage
does not mention this.  Without these conditions, the value
is interpreted literally (which is probably not what the user
wants).

I had to read source code to work this out >_<.


Version-Release number of selected component (if applicable):

How reproducible: always

Steps to Reproduce:

1. Sign a certificate using a CA and requesting the --extSKID:

[~/nssdb] root# certutil -d . -f pwdfile.txt -C \
    -i req.csr -o ext.crt -z /etc/motd -c ca2 --extSKID
Adding Subject Key ID extension.
Enter value for the key identifier fields,enter to omit:
4171ac49be1c9b915ce69336b80264ce323c37be
Is this a critical extension [y/N]? n

Actual results:

Observe that certutil has interpreted the input literally:

[~/nssdb] root# openssl x509 -text < ext.crt | grep -A 1 "Subject Key Ident"
            X509v3 Subject Key Identifier:
                34:31:37:31:61:63:34:39:62:65:31:63:39:62:39:31:35:63:65:36:39:33:33:36:62:38:30:32:36:34:63:65:33:32:33:63:33:37:62:65

                41:71:AC:49:BE:1C:9B:91:5C:E6:93:36:B8:02:64:CE:32:3C:37:BE


Expected results:


This is the expected result.  The problem is that the way to get certutil
to interpret the value as hex is totally undocumented.

If the input had been prefixed with "0x", the correct interpretation occurs:

[~/nssdb] root# openssl x509 -text < ext.crt | grep -A 1 "Subject Key Ident"
            X509v3 Subject Key Identifier:
                41:71:AC:49:BE:1C:9B:91:5C:E6:93:36:B8:02:64:CE:32:3C:37:BE

This must be documented in the man page.
Status: UNCONFIRMED → NEW
Ever confirmed: true
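The interpretation rule the report describes (a 0x-prefixed, separator-free hex string is decoded to octets; anything else is stored as the literal characters typed) can be modelled in a few lines. The following is an added example written for this page, not NSS or certutil code: it reproduces only the rule stated above, shows why the literal input from the steps to reproduce yields the 34:31:37:... identifier, and includes a helper that turns the colon-separated form printed by `openssl x509 -text` into the input certutil expects. Function names and the regular expression are the example's own choices.

```python
"""Model of the key-identifier input rule described in this certutil bug.

Constructed example: not NSS source, only the behaviour the report states.
"""

import re

# Hex digits only; no colons, spaces or other group separators allowed.
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def interpret_key_id(user_input: str) -> bytes:
    """Return the octets certutil stores for a value typed at the
    --extSKID / --extAKID prompt, following the report's rule:
    '0x' prefix + clean even-length hex -> decoded bytes; otherwise the
    characters themselves become the identifier."""
    if user_input.startswith("0x"):
        digits = user_input[2:]
        if HEX_RE.match(digits) and len(digits) % 2 == 0:
            return bytes.fromhex(digits)
    # No usable 0x-hex form: the string is taken literally.
    return user_input.encode("ascii")


def to_colon_hex(octets: bytes) -> str:
    """Format octets the way `openssl x509 -text` prints a key identifier."""
    return ":".join(f"{b:02X}" for b in octets)


def certutil_key_id_arg(colon_hex: str) -> str:
    """Convert an identifier in openssl's '41:71:AC:...' form into the
    separator-free, 0x-prefixed string certutil decodes as hex."""
    digits = colon_hex.replace(":", "").replace(" ", "").lower()
    if not HEX_RE.match(digits) or len(digits) % 2:
        raise ValueError("key identifier is not an even-length hex string")
    return "0x" + digits


def key_id_round_trips(colon_hex: str) -> bool:
    """Check that feeding the converted argument through the interpretation
    rule reproduces the identifier openssl would print."""
    return to_colon_hex(interpret_key_id(certutil_key_id_arg(colon_hex))) == colon_hex.upper()


if __name__ == "__main__":
    # Value from the report's steps to reproduce (constructed input for this run).
    typed = "4171ac49be1c9b915ce69336b80264ce323c37be"
    print("literal :", to_colon_hex(interpret_key_id(typed)))
    print("0x-hex  :", to_colon_hex(interpret_key_id("0x" + typed)))
```

After signing, the value certutil actually stored can be compared with the intended one by running `openssl x509 -text` on the certificate, as in the report, and checking that the Subject Key Identifier line equals `to_colon_hex` of the intended octets rather than the ASCII codes of the hex digits.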