ocspclnt should have a command line option to take a file name, instead of a nickname, to specify a certificate. The ocspclnt program has numerous options that take a nickname argument. In order to get oscpclnt to generate a request for a cert, and to send that request to an OCSP responder, the cert must be imported into one's cert database and be given a nickname. It should be possible to specify the name of a file containing a binary DER, or base 64 encoded, cert, instead of specifying a nickname.
Created attachment 248794 [details] [diff] [review] implementation use a cert name as a name of cert file if cert with such nick was not found in db.
Fellow NSS developers, I'm looking for NSS developer consensus on this patch. We want the ability to specify a cert either as a nickname in the cert DB or as a file name, to crlutil on the command line. The attached patch is one possible implementation. It does what it intends to do, and I would give it r+ on that basis. But the question is: is the approach it takes acceptable? or should we try another way? This patch overloads the -n <nickname> option so that it serves two purposes, it can specify the nickname OR a file name. If a cert is found with the given nickname, that cert is used, otherwise we try it as a file name. This means that if we have a cert in the DB with the nickname "ServerCert" and we also have a file named "ServerCert" bearing a DER-encoded cert, the command will be unable to open the file and will always use the DB cert. Is this a horrible precedent? Should I be embarrased for even suggesting it? (which I did)
Comment on attachment 248794 [details] [diff] [review] implementation This program is already different from all the other NSS test programs, in that it doesn't have a "command" option which is separate from the option that specifies the cert nickname. So, unless we change the command line syntax to make it conform to the other NSS programs, we need not worry (IMO) about other differences between this program and the others.
target for NSS 3.12
/cvsroot/mozilla/security/nss/cmd/ocspclnt/ocspclnt.c,v <-- ocspclnt.c new revision: 1.8; previous revision: 1.7