ocspclnt needs option to take cert from specified file



12 years ago
12 years ago


(Reporter: nelson, Assigned: alvolkov.bgs)



Firefox Tracking Flags

(Not tracked)



(1 attachment)

ocspclnt should have a command line option to take a file name, instead 
of a nickname, to specify a certificate.

The ocspclnt program has numerous options that take a nickname argument.
In order to get oscpclnt to generate a request for a cert, and to send
that request to an OCSP responder, the cert must be imported into one's
cert database and be given a nickname.  

It should be possible to specify the name of a file containing a binary DER, 
or base 64 encoded, cert, instead of specifying a nickname.

Comment 1

12 years ago
Created attachment 248794 [details] [diff] [review]

use a cert name as a name of cert file if cert with such nick was not found in db.
Attachment #248794 - Flags: review?(nelson)


12 years ago
Priority: -- → P3
Fellow NSS developers, I'm looking for NSS developer consensus on this patch.

We want the ability to specify a cert either as a nickname in the cert DB 
or as a file name, to crlutil on the command line.  The attached patch is
one possible implementation.  It does what it intends to do, and I would give
it r+ on that basis.  

But the question is: is the approach it takes acceptable? 
or should we try another way?

This patch overloads the -n <nickname> option so that it serves two purposes,
it can specify the nickname OR a file name.  If a cert is found with the 
given nickname, that cert is used, otherwise we try it as a file name. 
This means that if we have a cert in the DB with the nickname "ServerCert"
and we also have a file named "ServerCert" bearing a DER-encoded cert,
the command will be unable to open the file and will always use the DB cert.

Is this a horrible precedent?  
Should I be embarrased for even suggesting it? (which I did)
Comment on attachment 248794 [details] [diff] [review]

This program is already different from all the other NSS test programs,
in that it doesn't have a "command" option which is separate from the 
option that specifies the cert nickname.  So, unless we change the 
command line syntax to make it conform to the other NSS programs, we 
need not worry (IMO) about other differences between this program and
the others.
Attachment #248794 - Flags: review?(nelson) → review+
target for NSS 3.12
Target Milestone: --- → 3.12

Comment 5

12 years ago
/cvsroot/mozilla/security/nss/cmd/ocspclnt/ocspclnt.c,v  <--  ocspclnt.c
new revision: 1.8; previous revision: 1.7
Last Resolved: 12 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.