Created attachment 269584
Add support for validating object signing usage with certutil -V

Nelson wrote on dev-tech-crypto:
> You're right that the absence of any way to specify a
> code-signing or object-signing usage is a deficiency of certutil's -u
> option. Please file a bug about this in bugzilla.

So, here's the bug and a proposed patch. I chose "J" as the letter for object signing, because both O and S are already used, and J occurs in both obJect as well as in Jar - where such a cert also tends to be used...

In addition, I added a diagnostic message when an incorrect option is supplied - with the current version, certutil -V will just fail silently (it won't produce any output).

Finally, I'm not sure if any other cert usage (besides ObjectSigner) should be added, too... for the sake of completeness, these are the remaining ones:

certUsageSSLServerWithStepUp = 2,
certUsageSSLCA = 3,
certUsageUserCertImport = 7,
certUsageVerifyCA = 8,
certUsageProtectedObjectSigner = 9,
certUsageAnyCA = 11

Comment on attachment 269584
Add support for validating object signing usage with certutil -V

r=nelson for trunk

Neil, please commit this on Kaspar's behalf. Be sure to cite him as the source in the RCS log comment. Thanks.

Checking in cmd/certutil/certutil.c;
/cvsroot/mozilla/security/nss/cmd/certutil/certutil.c,v <-- certutil.c
new revision: 1.112; previous revision: 1.111
done