430378 - vfychain usage should be corrected to show nicknames are supported

Status: NEW

(NSS :: Tools, defect, P2)

Description

[Julien Pierre]

vfychain only supports external files on the command-line .

It should also allow nicknames, so that certs already in a database/token can be used, rather than having to be extracted to a file before verification.

Comment 1

[Nelson Bolyard (seldom reads bugmail)]

Of course, since all the certs for a bridge (or cross signed CA) have
the same subject name, they all have the same nickname.  Therefore, 
when a bridge has multiple certs, and more than one of them is in the 
cert DB, it is not possible to specify a particular one of those certs 
using nicknames.  

There are test cases where you want to specify a particular chain exactly, 
such as (especially) in negative testing.  It is possible to create a 
different cert DB for each chain for testing, but that is very cumbersome.

Still, it would be useful if the -t option could specify anchors by nickname.

Comment 2

[Julien Pierre]

Nelson,

I wasn't only talking about the -t option . It is not possible to specify the EE cert by nickname either. That means in 100% of the cases of using vfychain, even if you aren't using PKIX or bridge CAs, you have to use an external file. I find that unacceptable now that vfychain has become our tool of choice for cert verification. It should conform to the rest of NSS and support the database at least minimally.

Comment 3

[Julien Pierre]

It turns out the feature is in. But it is undocumented. The usage message needs to be fixed.

Comment 4

[BugBot [:suhaib / :marco/ :calixte]]

The bug assignee is inactive on Bugzilla, and this bug has priority 'P2'.
:beurdouche, could you have a look please?

For more information, please visit auto_nag documentation.

Comment 5

[Marco Castelluccio [:marco]]

We have modified the bot to only consider P1 as high priority, so I'm cancelling the needinfo here.