Closed Bug 386057 Opened 17 years ago Closed 17 years ago

Pk12util allows import of new certificate with existing nickname without warning.

Categories

(NSS :: Libraries, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: slavomir.katuscak+mozilla, Unassigned)

Details

I did some experiments with pk12util and certificates:

1. Export certificate and key as PKCS#12 file (pk12util -o).
2. Delete certificate and key (certutil -F).
3. Import certificate and key from PKCS#12 file (pk12util -i).
4. Delete certificate only (certutil -D).
5. Import certificate and key from PKCS#12 file again (pk12util -i).

The second import passed without any warning. Is it OK to reimport an existing key?

I also tried to import one certificate+key multiple times (successful), and in the end there was only one in the DB, so it was probably rewritten.

I tried to create another certificate+key with the same nickname and import it (successful), and there were 2 certificates+keys with the same nickname. Is this OK?

certutil -L (list of certificates):
testcert                                                     u,u,u
testcert                                                     u,u,u

certutil -K (list of keys):
<0> testcert
<1> testcert

When I tried to delete the certificate with nickname testcert (certutil -D), only one was deleted and one was still there.

The ability to "import" a cert (and private key) multiple times is a feature.
The act of importing says "I want this cert (or cert and private key) in my
DB."  If the cert (and key) are already in the DB, then the action succeeds
without any changes being made.  So that issue is not a bug, and is working
as designed.  

certutil -L lists one line per cert.  It is quite possible to have multiple
certs with the same exact subject name.  Multiple certs with the same subject
name will always have the same nickname.  There can only be one nickname 
per unique subject name, no matter how many certs exist with that subject 
name.  

So, this all sounds like it is working as designed.

Your comments about "another certificate+key with the same nickname" don't
tell us whether those certificates all had the same exact subject name or
not.  If they do/did all have the same subject name, then this is all 
working as designed.  If they did not have the same subject names but did
have the same nickname, then something is wrong.  

Please review your results to see if all the certs had the same subject
name, or not.  If so, please mark this bug invalid.

Both cert+key pairs had the same subject name.

How does deleting certificates work when they have the same nickname and subject name? Can I select which one I want to delete?

Marking invalid, based on comment 2.  The code is working as intended.
See Bug 291394 for info on deleting multiple certs with the same nickname.

Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → INVALID
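
The thread establishes that several certs with one subject name share a single nickname, and the reporter saw certutil -D remove only one of them. The following is an added example, not part of the original bug thread or of NSS: a shell helper that reads certutil -L output and reports nicknames listed more than once, so a database can be checked before relying on a delete by nickname. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Hypothetical helper (not an NSS tool): read `certutil -L` output on stdin
# and print "count<TAB>nickname" for every nickname listed more than once.
dup_nicknames() {
    awk '
        # The trust column is the last whitespace-separated field: three
        # comma-separated flag groups such as u,u,u  CT,C,C  or ,,
        # Header and blank lines do not match and are skipped.
        NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            nick = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)  # drop the trust column
            sub(/^[ \t]+/, "", nick)               # nicknames may contain spaces
            if (nick == "") next
            if (!(nick in count)) order[++n] = nick
            count[nick]++
        }
        END {
            for (i = 1; i <= n; i++)
                if (count[order[i]] > 1)
                    printf "%d\t%s\n", count[order[i]], order[i]
        }'
}

# Constructed sample listing, modelled on the output quoted in this bug.
sample_listing() {
    cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

testcert                                                     u,u,u
Example Root CA                                              CT,C,C
testcert                                                     u,u,u
Example Peer                                                 ,,
EOF
}

sample_listing | dup_nicknames   # prints: 2<TAB>testcert
```

Against a real database the input would come from `certutil -L -d <dbdir> | dup_nicknames`.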