ocspclnt needs option to take cert from specified file

RESOLVED FIXED in 3.12

Status

NSS
Tools
P3
enhancement
RESOLVED FIXED
11 years ago
10 years ago

People

(Reporter: Nelson Bolyard (seldom reads bugmail), Assigned: Alexei Volkov)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

11.86 KB, patch
Nelson Bolyard (seldom reads bugmail)
: review+
Details | Diff | Splinter Review
ocspclnt should have a command line option to take a file name, instead 
of a nickname, to specify a certificate.

The ocspclnt program has numerous options that take a nickname argument.
In order to get oscpclnt to generate a request for a cert, and to send
that request to an OCSP responder, the cert must be imported into one's
cert database and be given a nickname.  

It should be possible to specify the name of a file containing a binary DER, 
or base 64 encoded, cert, instead of specifying a nickname.
(Assignee)

Comment 1

11 years ago
Created attachment 248794 [details] [diff] [review]
implementation

use a cert name as a name of cert file if cert with such nick was not found in db.
Attachment #248794 - Flags: review?(nelson)
(Assignee)

Updated

11 years ago
Priority: -- → P3
(Reporter)

Comment 2

11 years ago
Fellow NSS developers, I'm looking for NSS developer consensus on this patch.

We want the ability to specify a cert either as a nickname in the cert DB 
or as a file name, to crlutil on the command line.  The attached patch is
one possible implementation.  It does what it intends to do, and I would give
it r+ on that basis.  

But the question is: is the approach it takes acceptable? 
or should we try another way?

This patch overloads the -n <nickname> option so that it serves two purposes,
it can specify the nickname OR a file name.  If a cert is found with the 
given nickname, that cert is used, otherwise we try it as a file name. 
This means that if we have a cert in the DB with the nickname "ServerCert"
and we also have a file named "ServerCert" bearing a DER-encoded cert,
the command will be unable to open the file and will always use the DB cert.

Is this a horrible precedent?  
Should I be embarrased for even suggesting it? (which I did)
(Reporter)

Comment 3

11 years ago
Comment on attachment 248794 [details] [diff] [review]
implementation

This program is already different from all the other NSS test programs,
in that it doesn't have a "command" option which is separate from the 
option that specifies the cert nickname.  So, unless we change the 
command line syntax to make it conform to the other NSS programs, we 
need not worry (IMO) about other differences between this program and
the others.
Attachment #248794 - Flags: review?(nelson) → review+
(Reporter)

Comment 4

11 years ago
target for NSS 3.12
Target Milestone: --- → 3.12
(Assignee)

Comment 5

10 years ago
/cvsroot/mozilla/security/nss/cmd/ocspclnt/ocspclnt.c,v  <--  ocspclnt.c
new revision: 1.8; previous revision: 1.7
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.