Bug 157996 - crlutil should have a way to import CRLs without checking issuer
Status: RESOLVED FIXED (closed)
Opened 22 years ago; closed 22 years ago
Product/Component: NSS :: Tools, defect, P2
Tracking: not tracked
Target Milestone: 3.6
Reporter: julien.pierre; Assignee: wtc
Attachments (1 file): patch, 2.53 KB
The mozilla browser uses SEC_NewCrl to import a CRL, which bypasses the check for the certificate of the issuer CA. However, crlutil uses CERT_ImportCRL, which has that check. This makes it hard to test bugs coming from mozilla. I propose a new -B option (B for "bypass check" or "browser emulation") that will make the alternate call.
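The two import paths the description contrasts, reproduced with the NSS command-line tools as an added example (this is not code from the bug, the attached patch or NSS itself). It assumes openssl, certutil and crlutil are on PATH, that certutil accepts --empty-password, and that crlutil has the -B option this bug asked for; "Example Test CA" and the file names are made up for the walk-through.

```shell
#!/bin/sh
# Added example, not from the bug or from NSS: reproduce the import
# behaviour the description contrasts. Assumes openssl, certutil and
# crlutil are on PATH, certutil accepts --empty-password, and crlutil
# has the -B option (all assumptions). "Example Test CA" and the file
# names are made up for this demo.

have_nss_tools() {
    command -v openssl >/dev/null 2>&1 &&
    command -v certutil >/dev/null 2>&1 &&
    command -v crlutil >/dev/null 2>&1
}

# Build a throwaway CA and an empty CRL signed by it (DER in $1/crl.der).
make_ca_and_crl() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1 || return 1
    # 'openssl ca -gencrl' wants a config section with a (possibly empty) index.
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = test_ca
[ test_ca ]
database = $dir/index.txt
crlnumber = $dir/crlnumber
default_md = sha256
default_crl_days = 30
EOF
    : > "$dir/index.txt"
    echo 01 > "$dir/crlnumber"
    openssl ca -config "$dir/ca.cnf" -gencrl -md sha256 -crldays 30 \
        -keyfile "$dir/ca.key" -cert "$dir/ca.pem" \
        -out "$dir/crl.pem" >/dev/null 2>&1 || return 1
    openssl crl -in "$dir/crl.pem" -outform DER -out "$dir/crl.der" >/dev/null 2>&1
}

# Create an empty NSS database in $1.
new_db() {
    mkdir -p "$1" && certutil -N -d "$1" --empty-password >/dev/null 2>&1
}

# Import CRL $2 into DB $1; $3 is "" (checked path, CERT_ImportCRL) or "-B"
# (SEC_NewCrl path, no issuer lookup). Returns crlutil's exit status.
import_crl() {
    # $3 deliberately unquoted so an empty value adds no argument.
    crlutil -I -d "$1" -i "$2" $3 >/dev/null 2>&1
}

# Walk through the three cases; returns 0 only if every step behaved as the
# bug description predicts. Scratch files are left in place on failure.
demo() {
    work=$(mktemp -d) || return 1
    make_ca_and_crl "$work" || { echo "could not build test CA/CRL"; return 1; }

    # Case 1: issuer not in the DB, checked path -> refused (unknown issuer).
    new_db "$work/db1" || return 1
    if import_crl "$work/db1" "$work/crl.der" ""; then
        echo "FAIL: import accepted although the issuer is unknown"; return 1
    fi
    echo "ok: checked import refused with issuer absent"

    # Case 2: same DB, -B skips the issuer lookup -> accepted.
    if ! import_crl "$work/db1" "$work/crl.der" "-B"; then
        echo "FAIL: -B import was refused"; return 1
    fi
    echo "ok: -B import accepted with issuer absent"

    # Case 3: fresh DB with the CA added first, checked path -> accepted.
    new_db "$work/db2" || return 1
    certutil -A -d "$work/db2" -n "Example Test CA" -t "C,," -a \
        -i "$work/ca.pem" >/dev/null 2>&1 || return 1
    if ! import_crl "$work/db2" "$work/crl.der" ""; then
        echo "FAIL: checked import refused although the issuer is present"; return 1
    fi
    echo "ok: checked import accepted with issuer present"

    crlutil -L -d "$work/db2"      # list what landed in the DB
    rm -rf "$work"
}

# Run the walk-through only when the tools are actually installed.
if have_nss_tools; then
    demo
fi
```

Case 1 fails because the checked path looks the CRL's issuer up in the database before accepting it (and cannot verify the CRL's signature without that certificate); case 2 succeeds only because -B skips that lookup. A CRL that crlutil will store only with -B has therefore not been tied to any known CA, which is what makes the option useful for reproducing browser-side bugs and unsuitable for populating a database you intend to trust.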
Comment 1 (Reporter) • 22 years ago
Updated (Reporter) • 22 years ago
Status: NEW → ASSIGNED
Priority: -- → P2
Target Milestone: --- → 3.6
Comment 2 (Reporter) • 22 years ago

checked in

Checking in crlutil.c;
/cvsroot/mozilla/security/nss/cmd/crlutil/crlutil.c,v  <--  crlutil.c
new revision: 1.9; previous revision: 1.8
done
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Comment 3 (Assignee) • 22 years ago

Comment on attachment 91707 [details] [diff] [review]
add -B option to use SEC_NewCrl

>+ fprintf(stderr, "\n%-20s Bypass CA certificate checks (browser emulation).\n", "-B");

I suggest removing "(browser emulation)" from the usage message. It makes no sense to someone who hasn't read this bug. Do you think the -B option would be useful to other NSS tools such as certutil?
Comment 4 (Reporter) • 22 years ago

Wan-Teh, OK, I will remove the (browser emulation). I am not sure if the same logic would apply to certutil. I don't think it will prevent you from importing a cert if it doesn't know its issuer, like this import crl function is doing. Nelson, do you know if that's the case?
Comment 5 • 22 years ago
Certutil calls CERT_DecodeCertFromPackage to extract the first certificate (only) from the input file, and put it in the temp cert DB with a call to CERT_NewTempCertDB(). Then Certutil calls PK11_ImportCert to store the cert into a token in a specified slot. AFAIK, that function doesn't check signatures or require trust. But it was rewritten in NSS 3.4, so I'm not so sure now.