Closed Bug 157996 Opened 22 years ago Closed 22 years ago

crlutil should have a way to import CRLs without checking issuer

Categories

(NSS :: Tools, defect, P2)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: julien.pierre, Assigned: wtc)

Details

Attachments

(1 file)

The mozilla browser uses SEC_NewCrl to import a CRL, which bypasses the check
for the certificate of the issuer CA.
However, crlutil uses CERT_ImportCRL, which has that check. This makes it hard
to test bugs coming from mozilla.

I propose a new -B option (B for "bypass check" or "browser emulation") that
will make the alternate call.

Status: NEW → ASSIGNED
Priority: -- → P2
Target Milestone: --- → 3.6

checked in

Checking in crlutil.c;
/cvsroot/mozilla/security/nss/cmd/crlutil/crlutil.c,v  <--  crlutil.c
new revision: 1.9; previous revision: 1.8
done

Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED

Comment on attachment 91707
add -B option to use SEC_NewCrl

>+    fprintf(stderr, "\n%-20s Bypass CA certificate checks (browser emulation).\n", "-B");
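
Review bot: the usage string on this added line, "Bypass CA certificate checks", does not say which operation the option affects or what is left unverified. Per the bug description, -B switches the import to SEC_NewCrl, which skips the check for the issuer CA's certificate, so wording along the lines of "Import the CRL without checking for the issuer CA certificate" would tell the user that the stored CRL has not been tied to a known issuer.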

I suggest removing "(browser emulation)" from the usage message.
It makes no sense to someone who hasn't read this bug.

Do you think the -B option would be useful to other NSS tools
such as certutil?

Wan-Teh,

OK, I will remove the (browser emulation).

I am not sure if the same logic would apply to certutil. I don't think it will
prevent you from importing a cert if it doesn't know its issuer, like this
import crl function is doing. Nelson, do you know if that's the case?

Certutil calls CERT_DecodeCertFromPackage to extract the first certificate
(only) from the input file, and put it in the temp cert DB with a call
to CERT_NewTempCertDB().

Then Certutil calls PK11_ImportCert to store the cert into a token in a 
specified slot.  AFAIK, that function doesn't check signatures or require
trust.  But it was rewritten in NSS 3.4, so I'm not so sure now.