certutil -L -n reports bogus trust flags

VERIFIED FIXED in 3.12

Status

NSS
Tools
P2
critical
VERIFIED FIXED
10 years ago
10 years ago

People

(Reporter: Nelson Bolyard (seldom reads bugmail), Assigned: Julien Pierre)

Tracking

({regression})

trunk
3.12
regression

Firefox Tracking Flags

(Not tracked)

Details

I have two certs in my cert DB with the nickname "Imported Certificate". :(
The two are Verisign class 1 email certs, not CA certs, not server certs.

When I run the command "certutil -L", and grep it for "Imported Certificate"
I get this output, which I believe is correct:

Imported Certificate                                         u,pu,u
Imported Certificate                                         u,u,u

When I run the command 'certutil -L -n "Imported Certificate"', using a trunk build from today, I get output that shows the full details of each cert,
followed by an expanded listing of the trust flags.  It shows the following flags for both of the two certs.  These results are utterly bogus.

    Certificate Trust Flags:
        SSL Flags:
            Valid Peer
            Trusted
            User
        Email Flags:
            Valid Peer
            Valid CA
            Netscape Trusted CA
            User
            Step-up
        Object Signing Flags:
            Valid Peer
            Netscape Trusted CA
            User

I don't know if this is a bug in certutil or in the cert libraries, so 
for now, I will mark this as a "tools" bug.
Julien, since you're working on certutil now, will you look at this?
(Reporter)

Updated

10 years ago
Keywords: regression
(Assignee)

Comment 1

10 years ago
I confirmed this regression. -L -n shows garbage trust flags, even if there is only one cert. -L shows the correct flags. This is probably a bug within certutil.
Status: NEW → ASSIGNED
OS: Windows XP → All
Priority: -- → P2
Hardware: PC → All
(Assignee)

Comment 2

10 years ago
Nelson,

That's a regression by Alexei that I reported in https://bugzilla.mozilla.org/show_bug.cgi?id=412468#c11 . I thought he would have fixed it by now. I have checked in the fix which is as follows.

Index: certutil.c
===================================================================
RCS file: /cvsroot/mozilla/security/nss/cmd/certutil/certutil.c,v
retrieving revision 1.131
diff -u -r1.131 certutil.c
--- certutil.c  14 Feb 2008 00:51:53 -0000      1.131
+++ certutil.c  14 Feb 2008 03:31:31 -0000
@@ -517,8 +517,8 @@
                }
                rv = SECSuccess;
            } else {
-               rv = SEC_PrintCertificateAndTrust(the_cert, the_cert->trust,
-                                                 "Certificate");
+               rv = SEC_PrintCertificateAndTrust(the_cert, "Certificate",
+                                                  the_cert->trust);
                if (rv != SECSuccess) {
                    SECU_PrintError(progName, "problem printing certificate");
                }
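Review bot: The corrected SEC_PrintCertificateAndTrust call on the two `+` lines lands without a regression test, and the removed lines show that passing the_cert->trust and the "Certificate" label in swapped positions still produced a build that ran and printed wrong trust flags. Please add a test that lists a cert with known trust (for example u,pu,u) through both -L and -L -n and checks that the expanded flags agree with the short form. It is also worth checking whether the compiler emitted an incompatible-pointer-type warning for the old call, and if it did, treating that warning as an error for this file so a swapped label and trust pointer cannot be checked in again.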
Status: ASSIGNED → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
(Assignee)

Comment 3

10 years ago
Checking in certutil.c;
/cvsroot/mozilla/security/nss/cmd/certutil/certutil.c,v  <--  certutil.c
new revision: 1.132; previous revision: 1.131
done
(Reporter)

Comment 4

10 years ago
Thanks, Julien
Status: RESOLVED → VERIFIED