ocspclnt should have a command line option to take a file name, instead
of a nickname, to specify a certificate.
The ocspclnt program has numerous options that take a nickname argument.
In order to get oscpclnt to generate a request for a cert, and to send
that request to an OCSP responder, the cert must be imported into one's
cert database and be given a nickname.
It should be possible to specify the name of a file containing a binary DER,
or base 64 encoded, cert, instead of specifying a nickname.
Created attachment 248794 [details] [diff] [review]
use a cert name as a name of cert file if cert with such nick was not found in db.
Fellow NSS developers, I'm looking for NSS developer consensus on this patch.
We want the ability to specify a cert either as a nickname in the cert DB
or as a file name, to crlutil on the command line. The attached patch is
one possible implementation. It does what it intends to do, and I would give
it r+ on that basis.
But the question is: is the approach it takes acceptable?
or should we try another way?
This patch overloads the -n <nickname> option so that it serves two purposes,
it can specify the nickname OR a file name. If a cert is found with the
given nickname, that cert is used, otherwise we try it as a file name.
This means that if we have a cert in the DB with the nickname "ServerCert"
and we also have a file named "ServerCert" bearing a DER-encoded cert,
the command will be unable to open the file and will always use the DB cert.
Is this a horrible precedent?
Should I be embarrased for even suggesting it? (which I did)
Comment on attachment 248794 [details] [diff] [review]
This program is already different from all the other NSS test programs,
in that it doesn't have a "command" option which is separate from the
option that specifies the cert nickname. So, unless we change the
command line syntax to make it conform to the other NSS programs, we
need not worry (IMO) about other differences between this program and
target for NSS 3.12
/cvsroot/mozilla/security/nss/cmd/ocspclnt/ocspclnt.c,v <-- ocspclnt.c
new revision: 1.8; previous revision: 1.7