Closed Bug 1462627 Opened 7 years ago Closed 7 years ago

certutil -O --simple-self-signed

Categories

(NSS :: Tools, enhancement)

3.36
enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: KaiE, Assigned: KaiE)

Details

Attachments

(1 file)

The output of certutil -O may be confusing in some scenarios.

certutil -O starts to search for the best certificate for the given nickname. Then certutil uses CERT_CertChainFromCert to get its chain.

The confusing output is generated in the following scenario:
- there are multiple certificates with the given nickname
- all matching certificates contain the same subject name
- some certificates are self-signed (same issuer name), others are signed by other CAs
- the "best" certificate is self-signed

In my understanding, PKIX allows that a non-CA certificate contains identical issuer and subject names, but a different CA certificate with the same subject name was used to sign it. This means in general, it's acceptable for CERT_CertChainFromCert to continue to search for a trusted issuer CA certificate. And apparently that's what CERT_CertChainFromCert is doing.

Unfortunately the implementation isn't very smart. NSS identifies the older non-CA certificate as a potential issuer, and certutil -O prints it as part of the chain.

Ideally we'd enhance CERT_CertChainFromCert to be smarter, but this would be tricky, in particular because our internal PKIX implementation (libPKIX) might be on the way to deprecation, and realistically I don't see a better replacement, which would be usable internally by NSS, on the horizon.

However, we've been asked to provide a solution for an environment that relies on the certutil -O functionality to print the chain. That environment doesn't require full PKIX support at this time.

Consequently, this is an enhancement request, which allows a user to explicitly request that certutil treats certificates with the assumption that same subject and issuer names mean it's a self-signed certificate.

When providing the suggested new parameter --simple-self-signed, then certutil -O should print only the best certificate, without a chain, if the certificate has same issuer and subject names.
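The scenario above, as an added example that is not part of the bug report or of NSS: the Go standard library's crypto/x509 package is used to construct, in memory, a CA, an older server certificate issued by that CA, and a newer self-signed certificate with the same subject name. The chain walk (nameChain) is a deliberately simplified, name-only model of the issuer search the report describes, written to reproduce the confusing output; it is not CERT_CertChainFromCert, and the names "Example CA" and "server.example" are constructed. The simpleSelfSigned flag models the proposed --simple-self-signed behaviour: a best certificate whose DER-encoded issuer and subject are identical is printed alone.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert creates a test certificate for the given common name. With
// parent == nil the certificate is self-signed; otherwise parent/parentKey sign it.
func makeCert(serial int64, cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// isSelfSigned is the --simple-self-signed test: identical DER-encoded issuer
// and subject names, and nothing else (no signature check).
func isSelfSigned(c *x509.Certificate) bool {
	return bytes.Equal(c.RawSubject, c.RawIssuer)
}

// nameChain is a simplified, constructed model of a name-only issuer search:
// starting at leaf, pick the first stored certificate other than the current
// one whose subject equals the current issuer name, until a self-signed
// certificate is reached. It is not NSS code; it only reproduces the report's
// symptom, where an older non-CA certificate is taken as a potential issuer.
func nameChain(leaf *x509.Certificate, store []*x509.Certificate) []*x509.Certificate {
	chain := []*x509.Certificate{leaf}
	cur := leaf
	for len(chain) < 8 { // hard stop so a name cycle cannot loop forever
		var next *x509.Certificate
		for _, c := range store {
			if !c.Equal(cur) && bytes.Equal(c.RawSubject, cur.RawIssuer) {
				next = c
				break
			}
		}
		if next == nil {
			break
		}
		chain = append(chain, next)
		if isSelfSigned(next) {
			break
		}
		cur = next
	}
	return chain
}

// chainFor returns what a certutil -O style listing would show for the "best"
// certificate. With simpleSelfSigned set, a leaf whose issuer and subject names
// match is listed alone, as the requested option proposes.
func chainFor(leaf *x509.Certificate, store []*x509.Certificate, simpleSelfSigned bool) []*x509.Certificate {
	if simpleSelfSigned && isSelfSigned(leaf) {
		return []*x509.Certificate{leaf}
	}
	return nameChain(leaf, store)
}

// buildScenario constructs the report's situation: a CA, an older server
// certificate issued by it, and a newer self-signed certificate with the same
// subject. The store order puts the older certificate first, so a name-only
// search finds it before anything else. The newest certificate is the "best" one.
func buildScenario() (store []*x509.Certificate, best *x509.Certificate) {
	ca, caKey := makeCert(1, "Example CA", true, nil, nil)
	oldLeaf, _ := makeCert(2, "server.example", false, ca, caKey)
	newLeaf, _ := makeCert(3, "server.example", false, nil, nil)
	return []*x509.Certificate{oldLeaf, ca, newLeaf}, newLeaf
}

// describe renders one line per chain element, leaf first.
func describe(chain []*x509.Certificate) []string {
	out := make([]string, 0, len(chain))
	for _, c := range chain {
		out = append(out, fmt.Sprintf("subject=%q issuer=%q serial=%s CA=%v",
			c.Subject.CommonName, c.Issuer.CommonName, c.SerialNumber, c.IsCA))
	}
	return out
}

func main() {
	store, best := buildScenario()
	fmt.Println("default name-only chain search (confusing: older non-CA cert shown as issuer):")
	for _, line := range describe(chainFor(best, store, false)) {
		fmt.Println("  ", line)
	}
	fmt.Println("with --simple-self-signed (best certificate only):")
	for _, line := range describe(chainFor(best, store, true)) {
		fmt.Println("  ", line)
	}
}
```

The default walk lists three certificates (the self-signed leaf, the older CA-issued leaf, then the CA), which is the confusing output the report describes; the --simple-self-signed path lists only the self-signed leaf. The heuristic is purely name-based, which is why the report frames it as an explicit, opt-in flag rather than a change to the default chain building.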
Attached patch 1462627-v1.patch
Assignee: nobody → kaie
Attachment #8976958 - Flags: review?(rrelyea)
Comment on attachment 8976958: 1462627-v1.patch
Review of attachment 8976958:
r+ rrelyea
Attachment #8976958 - Flags: review?(rrelyea) → review+
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.38