Closed Bug 1429393 Opened 6 years ago Closed 6 years ago

Clarify certutil docs/help that -F deletes both cert and key, not just the key.

Categories

(NSS :: Tools, enhancement)

3.35
enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: KaiE, Assigned: KaiE)

Details

Attachments

(1 file)

The documentation of certutil -F seems incorrect.

Looking at the certutil code, -F calls DeleteKey, which calls PK11_DeleteTokenCertAndKey. This function name suggests it deletes both, and based on observed behavior, it indeed appears to delete both key and certificate.

The help output of certutil -F -H says:
  Delete a key from the database

The man page says:

    Delete a private key from a key database. Specify the key to delete with the -n argument.
    Specify the database from which to delete the key with the -d argument. Use the -k argument
    to specify explicitly whether to delete a DSA, RSA, or ECC key. If you don't use the -k
    argument, the option looks for an RSA key matching the specified nickname.

    When you delete keys, be sure to also remove any certificates associated with those keys
    from the certificate database, by using -D. Some smart cards do not let you remove a public
    key you have generated. In such a case, only the private key is deleted from the key pair.
    You can display the public key with the command certutil -K -h tokenname.

This seems to be the opposite of what has been observed.

It seems unnecessary to call -D.
(In reply to Kai Engert (:kaie:) from comment #0)
> Use the -k argument to specify explicitly whether to delete a DSA, RSA, or
> ECC key. If you don't use the -k argument, the option looks for an RSA key
> matching the specified nickname.

I don't understand where this statement came from.

The implementation in certutil's DeleteKey is very simple, and doesn't look at the key type parameter.
(In reply to Kai Engert (:kaie:) from comment #0)
> When you delete keys, be sure to also remove any certificates associated
> with those keys from the certificate database, by using -D.

This first sentence ...


> Some smart cards do not let you remove a public key you have generated. In
> such a case, only the private key is deleted from the key pair.

... is in contradiction with this second sentence. Because this second sentence says "in such a case only the private key is deleted", it implies that in the general case, the public key is deleted, too.

Does certutil have any mechanism to delete a public key that lives separately from a certificate and a private key? I haven't seen any.

> You can display the public key with the command certutil -K -h tokenname.

Why does the man page talk about "public key", if certutil -K is documented to operate on private keys?

I think we should completely rewrite the description for -F.
Attached patch 1429393-v1.patch
Assignee: nobody → kaie
Attachment #8941409 - Flags: review?(rrelyea)
Attachment #8941409 - Flags: review?(rrelyea) → review+
https://hg.mozilla.org/projects/nss/rev/c9e1c807240c
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.36