Bug 385642 - Add additional cert usage(s) for certutil's -V -u option
Status: RESOLVED FIXED
Product: NSS
Classification: Components
Component: Tools
Version: trunk
Platform: All All
Importance: P3 enhancement
Target Milestone: 3.12
Assigned To: Neil Williams
Reported: 2007-06-24 06:55 PDT by Kaspar Brand
Modified: 2007-06-26 18:51 PDT

Attachments
Add support for validating object signing usage with certutil -V (2.16 KB, patch)
2007-06-24 06:55 PDT, Kaspar Brand
nelson: review+

Description Kaspar Brand 2007-06-24 06:55:19 PDT
Created attachment 269584
Add support for validating object signing usage with certutil -V

Nelson wrote on dev-tech-crypto:
> You're right that the absence of any way to specify a
> code-signing or object-signing usage is a deficiency of certutil's -u
> option.  Please file a bug about this in bugzilla.

So, here's the bug and a proposed patch. I chose "J" as the letter for object signing, because both O and S are already used, and J occurs in both obJect as well as in Jar - where such a cert also tends to be used...

In addition, I added a diagnostic message when an incorrect option is supplied - with the current version, certutil -V will just fail silently (it won't produce any output).

Finally, I'm not sure if any other cert usage (besides ObjectSigner) should be added, too... for the sake of completeness, these are the remaining ones:

    certUsageSSLServerWithStepUp = 2,
    certUsageSSLCA = 3,
    certUsageUserCertImport = 7,
    certUsageVerifyCA = 8,
    certUsageProtectedObjectSigner = 9,
    certUsageAnyCA = 11

Comment 1 Nelson Bolyard (seldom reads bugmail) 2007-06-24 08:27:38 PDT
Comment on attachment 269584
Add support for validating object signing usage with certutil -V

r=nelson for trunk

Comment 2 Nelson Bolyard (seldom reads bugmail) 2007-06-24 08:29:15 PDT
Neil, please commit this on Kaspar's behalf.
Be sure to cite him as the source in the RCS log comment.
Thanks.

Comment 3 Neil Williams 2007-06-26 18:51:10 PDT
Checking in cmd/certutil/certutil.c;
/cvsroot/mozilla/security/nss/cmd/certutil/certutil.c,v  <--  certutil.c
new revision: 1.112; previous revision: 1.111
done
