Bug 363480 - ocspclnt needs option to take cert from specified file
Product: NSS
Classification: Components
Component: Tools
Version: 3.11.3
Platform: All All
Importance: P3 enhancement
Target Milestone: 3.12
Assigned To: Alexei Volkov
Reported: 2006-12-11 11:45 PST by Nelson Bolyard (seldom reads bugmail)
Modified: 2007-01-04 12:08 PST

Attachment: implementation (11.86 KB, patch), 2006-12-15 16:46 PST, Alexei Volkov
Flags: nelson: review+

Description Nelson Bolyard (seldom reads bugmail) 2006-12-11 11:45:53 PST
ocspclnt should have a command line option to take a file name, instead 
of a nickname, to specify a certificate.

The ocspclnt program has numerous options that take a nickname argument.
In order to get ocspclnt to generate a request for a cert, and to send
that request to an OCSP responder, the cert must be imported into one's
cert database and be given a nickname.  

It should be possible to specify the name of a file containing a binary DER, 
or base 64 encoded, cert, instead of specifying a nickname.
Comment 1 Alexei Volkov 2006-12-15 16:46:22 PST
Created attachment 248794 [details] [diff] [review]

Use the cert name as the name of a cert file if a cert with that nick was not found in the DB.
Comment 2 Nelson Bolyard (seldom reads bugmail) 2006-12-16 02:13:28 PST
Fellow NSS developers, I'm looking for NSS developer consensus on this patch.

We want the ability to specify a cert either as a nickname in the cert DB 
or as a file name, to crlutil on the command line.  The attached patch is
one possible implementation.  It does what it intends to do, and I would give
it r+ on that basis.  

But the question is: is the approach it takes acceptable? 
or should we try another way?

This patch overloads the -n <nickname> option so that it serves two purposes,
it can specify the nickname OR a file name.  If a cert is found with the 
given nickname, that cert is used, otherwise we try it as a file name. 
This means that if we have a cert in the DB with the nickname "ServerCert"
and we also have a file named "ServerCert" bearing a DER-encoded cert,
the command will be unable to open the file and will always use the DB cert.

Is this a horrible precedent?  
Should I be embarrassed for even suggesting it? (which I did)
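The precedence rule described in Comment 2 (nickname lookup first, file name as the fallback) and the two file encodings the bug asks for (binary DER or base64) are illustrated below. This is an added example, not the attached patch or any NSS code: the cert "database" and the file contents are constructed in-memory stand-ins, the DER blob is a minimal SEQUENCE rather than a real certificate, and the function names are the example's own.

```python
import base64
import re
from pathlib import Path

# A DER-encoded X.509 certificate is an ASN.1 SEQUENCE, whose first byte is 0x30.
DER_SEQUENCE_TAG = b"\x30"
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def cert_bytes_from_file_data(data: bytes) -> bytes:
    """Accept binary DER, a PEM block, or bare base64 text; return DER bytes."""
    if data.startswith(DER_SEQUENCE_TAG):
        return data
    match = PEM_BLOCK.search(data)
    body = match.group(1) if match else data
    try:
        der = base64.b64decode(b"".join(body.split()), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("file is neither DER nor base64") from exc
    if not der.startswith(DER_SEQUENCE_TAG):
        raise ValueError("decoded data does not start with a DER SEQUENCE")
    return der


def read_from_disk(path: str) -> bytes:
    """Default file reader for real use; the demo below substitutes a fake."""
    return Path(path).read_bytes()


def resolve_cert(name: str, db: dict, read_file=read_from_disk):
    """Same precedence as the patch: a nickname present in the DB always wins;
    only if the lookup fails is the name tried as a file path."""
    if name in db:
        return ("db", db[name])
    try:
        data = read_file(name)
    except OSError as exc:
        raise LookupError(
            f"{name!r} is neither a nickname in the DB nor a readable file"
        ) from exc
    return ("file", cert_bytes_from_file_data(data))


# ---- constructed sample data (not real certificates) ----
SAMPLE_DER = b"\x30\x03\x02\x01\x05"  # SEQUENCE { INTEGER 5 }
PEM_TEXT = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER)
    + b"-----END CERTIFICATE-----\n"
)
# Stand-in for the NSS cert DB: nickname -> DER bytes.
DB = {"ServerCert": b"\x30\x03\x02\x01\x01"}
# Stand-in for the filesystem. "ServerCert" exists here too, to show the
# shadowing case raised in Comment 2: the DB entry hides the file.
FILES = {
    "ServerCert": SAMPLE_DER,
    "ocsp-target.der": SAMPLE_DER,
    "ocsp-target.pem": PEM_TEXT,
    "notes.txt": b"hello",
}


def fake_read_file(path: str) -> bytes:
    if path not in FILES:
        raise FileNotFoundError(path)
    return FILES[path]


def describe(name: str, db=DB, read_file=fake_read_file) -> str:
    """Where a name resolves to: 'db', 'file', 'missing' or 'unparseable'."""
    try:
        return resolve_cert(name, db, read_file)[0]
    except LookupError:
        return "missing"
    except ValueError:
        return "unparseable"


if __name__ == "__main__":
    for name in ("ServerCert", "ocsp-target.der", "ocsp-target.pem",
                 "notes.txt", "no-such-name"):
        print(f"{name:18} -> {describe(name)}")
```

The `ServerCert` case is the point of the design question: because the DB is consulted first, a file of the same name can never be selected by `-n`, and a user who meant the file gets the DB cert silently. Detecting DER by its leading SEQUENCE tag, then falling back to PEM or bare base64, handles both encodings the bug requests without a separate format flag.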
Comment 3 Nelson Bolyard (seldom reads bugmail) 2006-12-20 16:39:15 PST
Comment on attachment 248794 [details] [diff] [review]

This program is already different from all the other NSS test programs,
in that it doesn't have a "command" option which is separate from the 
option that specifies the cert nickname.  So, unless we change the 
command line syntax to make it conform to the other NSS programs, we 
need not worry (IMO) about other differences between this program and
the others.
Comment 4 Nelson Bolyard (seldom reads bugmail) 2006-12-20 16:39:44 PST
target for NSS 3.12
Comment 5 Alexei Volkov 2007-01-04 12:08:51 PST
/cvsroot/mozilla/security/nss/cmd/ocspclnt/ocspclnt.c,v  <--  ocspclnt.c
new revision: 1.8; previous revision: 1.7
