Open
Bug 568481
Opened 15 years ago
Updated 1 year ago
checkcert does not initialize secoid
Categories
(NSS :: Tools, defect, P5)
Tracking
(Not tracked)
UNCONFIRMED
People
(Reporter: hanno, Unassigned)
Details
Attachments
(2 files)
645 bytes, patch
3.38 KB, patch
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.3) Gecko/20100421 Gentoo Firefox/3.6.3
Build Identifier:
Running the checkcert tool just gives an assertion error after some lines. The problem is that it does not call SECOID_Init(). The tool seems to have some other issues and is pretty outdated, but the attached patch is a start to get it working again.
Reproducible: Always
Reporter
Comment 1•15 years ago
Comment 2•15 years ago
Hanno, Thanks for filing this bug, reminding us about the orphan program
checkcert. Checkcert was a part of NSS 2.0 that was never converted
to use the NSS_Init functions for NSS 2.8. It's effectively been dead code
since the year 2000. We should have removed it from the tree. But we didn't
and so for the last 10 years, NSS developers who have been making systematic changes to the NSS utility programs have been making changes to this program, even though this program doesn't work. Consequently, this program has the
appearance of being maintained, when actually it is not. This is actually a
pretty good argument against leaving source code for dead programs in the
tree on the trunk.
IMO, this program was superseded by another program years ago. That program
is vfychain. But vfychain's goals are not quite the same as this program's.
This program's goal seems to have been to issue lots of diagnostic output
about a cert, saying "here's what's syntactically wrong with this cert".
Unfortunately, it complains about things that are not errors, and ignores
things that are common errors. It also will simply fail without diagnostic
help for some errors. So, I'm not sure that it ever accomplished its intended goal.
If you're in the business of constructing certs, and you need a tool to tell
you if you're doing a good job of creating syntactically correct certs, maybe
you need this. If what you want is a tool to look at a chain of certs and validate that chain, then you want vfychain, which is fully supported today.
If you want to fix this program, then what you need to do is to call NSS_NoDB_Init at around line 322 and NSS_Shutdown before the exit. Do that
instead of calling SECOID_Init. That will call SECOID_Init, among many
other important init calls.
If you want to fix this, we'd accept your patch, but otherwise, I think we'd
probably mark this bug WONTFIX and remove this file from the source tree in
deference to vfychain.
Reporter
Comment 3•15 years ago
vfychain does what I need, so that seems fine. Anyway, I created a patch with your suggestions, though it's not very nice as every exit call needs the shutdown call. But it probably still makes sense to apply that (and maybe put in a big warning in the code that this is deprecated and needs more fixes).
Updated•2 years ago
Severity: normal → S3
Updated•1 year ago
Severity: S3 → S4
Priority: -- → P5