Bug 1429393 - Clarify certutil docs/help that -F deletes both cert and key, not just the key.
Opened 6 years ago; closed 6 years ago
Categories: NSS :: Tools, enhancement
Tracking: Not tracked
Status: RESOLVED FIXED
Target Milestone: 3.36
People: Reporter: KaiE; Assigned: KaiE
Attachments (1 file): patch, 2.76 KB; review+ from rrelyea
Description (comment 0 • 6 years ago, KaiE)

The documentation of certutil -F seems incorrect. Looking at the certutil code, -F calls DeleteKey, which calls PK11_DeleteTokenCertAndKey. This function name suggests it deletes both, and based on observed behavior, it indeed appears to delete both key and certificate.

The help output of certutil -F -H says:

    Delete a key from the database

The man page says:

    Delete a private key from a key database. Specify the key to delete with the -n argument. Specify the database from which to delete the key with the -d argument. Use the -k argument to specify explicitly whether to delete a DSA, RSA, or ECC key. If you don't use the -k argument, the option looks for an RSA key matching the specified nickname.

    When you delete keys, be sure to also remove any certificates associated with those keys from the certificate database, by using -D.

    Some smart cards do not let you remove a public key you have generated. In such a case, only the private key is deleted from the key pair. You can display the public key with the command certutil -K -h tokenname.

This seems to be the opposite of what has been observed. It seems unnecessary to call -D.
Comment 1 • 6 years ago (Assignee)
(In reply to Kai Engert (:kaie:) from comment #0)
> Use the -k argument to specify explicitly whether to delete a DSA, RSA, or ECC key. If you don't use the -k argument, the option looks for an RSA key matching the specified nickname.

I don't understand where this statement came from. The implementation in certutil's DeleteKey is very simple, and doesn't look at the key type parameter.
Comment 2 • 6 years ago (Assignee)
(In reply to Kai Engert (:kaie:) from comment #0)
> When you delete keys, be sure to also remove any certificates associated with those keys from the certificate database, by using -D.

This first sentence ...

> Some smart cards do not let you remove a public key you have generated. In such a case, only the private key is deleted from the key pair.

... is in contradiction with this second sentence. Because this second sentence says "in such a case only the private key is deleted", it implies that in the general case, the public key is deleted, too. Does certutil have any mechanism to delete a public key that lives separately from a certificate and a private key? I haven't seen any.

> You can display the public key with the command certutil -K -h tokenname.

Why does the man page talk about "public key", if certutil -K is documented to operate on private keys? I think we should completely rewrite the description for -F.
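The behaviour described in comment 0 and comment 2 (certutil -F removing the certificate together with the private key, so that a follow-up -D is not needed) can be checked directly against a throwaway database. The script below is an added example; it is not code from this bug, its attachment, or NSS. It assumes an NSS certutil on PATH, /dev/urandom, and a writable temp directory; the sql: database location, the dummy password file, the noise file and the nickname fdemo are choices made here. It creates a self-signed RSA key pair and certificate with -S, confirms both are listed by -L and -K, runs -F alone, and then verifies that neither is listed any more. When certutil is not installed it prints a skip note and returns 0 rather than failing.

```shell
#!/bin/sh
# Added example for bug 1429393; not part of NSS or of the bug's patch.
# Assumes: certutil (NSS) on PATH, /dev/urandom, and a writable temp dir.
# The nickname "fdemo", the password and the database path are arbitrary.

# Returns 0 if, after "certutil -F -n fdemo" alone (no -D), neither the
# certificate (certutil -L) nor the private key (certutil -K) for fdemo is
# listed any more; returns 1 if either survived or a setup step failed.
# Returns 0 with a "skip" note on stderr when certutil is not installed.
certutil_f_removes_cert_and_key() {
    if ! command -v certutil >/dev/null 2>&1; then
        echo "skip: certutil not installed" >&2
        return 0
    fi

    dir=$(mktemp -d) || return 1
    printf 'demo-password\n' > "$dir/pw"
    # Seed material for key generation so certutil does not prompt for keystrokes.
    dd if=/dev/urandom of="$dir/noise" bs=64 count=1 2>/dev/null

    # Fresh database, then one self-signed RSA cert whose key lives in the same DB.
    certutil -N -d "sql:$dir" -f "$dir/pw" || { rm -rf "$dir"; return 1; }
    certutil -S -d "sql:$dir" -f "$dir/pw" -z "$dir/noise" \
        -n fdemo -s "CN=fdemo" -x -t ",," -k rsa -g 2048 \
        || { rm -rf "$dir"; return 1; }

    # Sanity check: both the cert and the key are present before -F.
    certutil -L -d "sql:$dir" -n fdemo >/dev/null 2>&1 || { rm -rf "$dir"; return 1; }
    certutil -K -d "sql:$dir" -f "$dir/pw" 2>/dev/null | grep -q 'fdemo' \
        || { rm -rf "$dir"; return 1; }

    # The operation under discussion: -F by itself, with no -D afterwards.
    certutil -F -d "sql:$dir" -f "$dir/pw" -n fdemo || { rm -rf "$dir"; return 1; }

    cert_gone=1
    key_gone=1
    if certutil -L -d "sql:$dir" -n fdemo >/dev/null 2>&1; then
        cert_gone=0
    fi
    if certutil -K -d "sql:$dir" -f "$dir/pw" 2>/dev/null | grep -q 'fdemo'; then
        key_gone=0
    fi
    rm -rf "$dir"

    echo "after -F: certificate removed=$cert_gone private key removed=$key_gone"
    [ "$cert_gone" -eq 1 ] && [ "$key_gone" -eq 1 ]
}

certutil_f_removes_cert_and_key
```

The check deliberately lists the certificate with -L and the key with -K separately, because the man page text quoted in comment 0 describes those as living in different databases and suggests -D is required for the certificate; a 1/1 result from a single -F run is the observation the bug reports.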
Comment 3 • 6 years ago (Assignee)
Assignee: nobody → kaie
Attachment #8941409 - Flags: review?(rrelyea)
Updated • 6 years ago
Attachment #8941409 - Flags: review?(rrelyea) → review+
Comment 4 • 6 years ago (Assignee)
https://hg.mozilla.org/projects/nss/rev/c9e1c807240c
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.36