Bug 417392 - certutil -L -n reports bogus trust flags
Keywords: regression
Product: NSS
Classification: Components
Component: Tools
Version: trunk
Hardware: All All
Importance: P2 critical
Target Milestone: 3.12
Assigned To: Julien Pierre
Reported: 2008-02-13 19:00 PST by Nelson Bolyard (seldom reads bugmail)
Modified: 2008-02-13 21:44 PST


Description Nelson Bolyard (seldom reads bugmail) 2008-02-13 19:00:34 PST
I have two certs in my cert DB with the nickname "Imported Certificate". :(
The two are Verisign class 1 email certs, not CA certs, not server certs.

When I run the command "certutil -L", and grep it for "Imported Certificate"
I get this output, which I believe is correct:

Imported Certificate                                         u,pu,u
Imported Certificate                                         u,u,u

When I run the command "certutil -L -n "Imported Certificate"", using a trunk build from today, I get output that shows the full details of each cert,
followed by an expanded listing of the trust flags. It shows the following flags for both of the two certs. These results are utterly bogus.

    Certificate Trust Flags:
        SSL Flags:
            Valid Peer
        Email Flags:
            Valid Peer
            Valid CA
            Netscape Trusted CA
        Object Signing Flags:
            Valid Peer
            Netscape Trusted CA

I don't know if this is a bug in certutil or in the cert libraries, so 
for now, I will mark this as a "tools" bug.
Julien, since you're working on certutil now, will you look at this?
Comment 1 Julien Pierre 2008-02-13 19:23:48 PST
I confirmed this regression. -L -n shows garbage trust flags, even if there is only one cert. -L shows the correct flags. This is probably a bug within certutil.
Comment 2 Julien Pierre 2008-02-13 19:32:06 PST

That's a regression by Alexei that I reported in . I thought he would have fixed it by now. I have checked in the fix which is as follows.

Index: certutil.c
RCS file: /cvsroot/mozilla/security/nss/cmd/certutil/certutil.c,v
retrieving revision 1.131
diff -u -r1.131 certutil.c
--- certutil.c  14 Feb 2008 00:51:53 -0000      1.131
+++ certutil.c  14 Feb 2008 03:31:31 -0000
@@ -517,8 +517,8 @@
                rv = SECSuccess;
            } else {
-               rv = SEC_PrintCertificateAndTrust(the_cert, the_cert->trust,
-                                                 "Certificate");
+               rv = SEC_PrintCertificateAndTrust(the_cert, "Certificate",
+                                                  the_cert->trust);
                if (rv != SECSuccess) {
                    SECU_PrintError(progName, "problem printing certificate");
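
Review bot: On the changed SEC_PrintCertificateAndTrust call, the removed lines passed the_cert->trust in the label position and "Certificate" in the trust position, and that version evidently built and ran in a trunk build, so the swap was not caught at compile time. Please confirm that the prototype for SEC_PrintCertificateAndTrust is visible in certutil.c through an included header and that incompatible-pointer warnings are not being ignored for this file, since with a declaration in scope the compiler should flag a string literal passed where a trust pointer is expected. A test that compares the expanded flags printed by -L -n with the compact flags printed by -L for the same nickname would catch a recurrence.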
Comment 3 Julien Pierre 2008-02-13 19:33:34 PST
Checking in certutil.c;
/cvsroot/mozilla/security/nss/cmd/certutil/certutil.c,v  <--  certutil.c
new revision: 1.132; previous revision: 1.131
Comment 4 Nelson Bolyard (seldom reads bugmail) 2008-02-13 21:44:32 PST
Thanks, Julien
