certutil: (a) Warn if importing PEM file with private key (b) fail if user attempts to import cert with requested "u" trust

RESOLVED FIXED in 3.15.1

Status

NSS
Tools
RESOLVED FIXED
4 years ago
4 years ago

People

(Reporter: kaie, Assigned: kaie)

Tracking

3.14.3
3.15.1
x86_64
Linux

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment, 1 obsolete attachment)

20.90 KB, patch
Robert Relyea
: review+
(Assignee)

Description

4 years ago
certutil currently cannot import private keys from a PEM file; it silently skips over private keys.

We could improve usability by using two minor changes, which shouldn't cause any side effects:

(a) If a user attempts to import a certificate in the ASCII format,
    search if the file contains the phrase "PRIVATE KEY".
    If it does, print a warning message
      "certutil cannot import private keys in this format, please use pk12util"
    but proceed as usual (import cert, skip key).

(b) If a user explicitly requests to set the certificate to include "u" for
    any usage, then FAIL with an error like:
      "Usage u requires a private key, use pk12util to import a certificate with a private key."
(Assignee)

Comment 1

4 years ago
I'm adjusting my (b) suggestion.

Even in that scenario, I want to print a warning only, to change the existing behaviour as little as possible.
(Assignee)

Comment 2

4 years ago
Created attachment 754375 [details] [diff] [review]
Patch v1

This patch is slightly larger than expected, because we're operating on a file handle, which could be standard input, so we cannot read the file twice. This means we must adjust the function that processes the input stream.

Luckily that function is in the tool code, so the function can easily be changed, without breaking any API/ABI promises of the core NSS library.
Assignee: nobody → kaie
Attachment #754375 - Flags: review?(rrelyea)
(Assignee)

Comment 3

4 years ago
Output with this change:

$ certutil -A -d /tmp/bla/ -n test -a -i test.cert -t u,u,u
Warning: ignoring private key. Consider to use pk12util.
Notice: Trust flag u is set automatically if the private key is present.
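
The single-pass check that the description and comment 2 describe, as an added example that is not part of the attached patch or of NSS: the input is buffered once (it may be standard input), scanned for the phrase "PRIVATE KEY", and the trust argument is checked for u. The function names and the bitmask are hypothetical, the PEM sample is constructed, and the two messages are the ones shown in the output above.

```c
/* Added illustration, not NSS source; function names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
enum { WARN_KEY_IGNORED = 1, NOTE_TRUST_U = 2 };
/* Read the stream exactly once: it may be stdin, so no rewind or second pass. */
char *read_all(FILE *in, size_t *len)
{
    size_t cap = 4096, n;
    char *buf = malloc(cap), *tmp;
    *len = 0;
    while (buf && (n = fread(buf + *len, 1, cap - *len, in)) > 0) {
        *len += n;
        if (*len < cap) continue;
        tmp = realloc(buf, cap *= 2);   /* buffer full: double it */
        if (!tmp) free(buf);
        buf = tmp;
    }
    return buf;
}

/* Bitmask: input contains the phrase "PRIVATE KEY"; trust string asks for 'u'. */
int check_import(const char *buf, size_t len, const char *trust)
{
    static const char phrase[] = "PRIVATE KEY";
    size_t plen = sizeof phrase - 1, i;
    int found = (trust && strchr(trust, 'u')) ? NOTE_TRUST_U : 0;
    for (i = 0; i + plen <= len && !(found & WARN_KEY_IGNORED); i++)
        if (memcmp(buf + i, phrase, plen) == 0) found |= WARN_KEY_IGNORED;
    return found;
}
int check_stream(FILE *in, const char *trust)
{
    size_t len;
    char *buf = read_all(in, &len);
    int found = buf ? check_import(buf, len, trust) : -1;
    free(buf);   /* a real tool would pass buf on to the certificate decoder */
    return found;
}

int main(void)
{
    /* Constructed sample input with a placeholder body, not real key material. */
    const char s[] = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n";
    int found = check_import(s, sizeof s - 1, "u,u,u");
    if (found & WARN_KEY_IGNORED) fputs("Warning: ignoring private key. Consider to use pk12util.\n", stderr);
    if (found & NOTE_TRUST_U) fputs("Notice: Trust flag u is set automatically if the private key is present.\n", stderr);
    return 0;
}
```

The substring match also fires on "RSA PRIVATE KEY" and "ENCRYPTED PRIVATE KEY" headers, which is the intent: any of them means the file carries key material that this import path drops.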
(Assignee)

Updated

4 years ago
Target Milestone: --- → 3.15.1
(Assignee)

Comment 4

4 years ago
Created attachment 754376 [details] [diff] [review]
Patch v2
Attachment #754375 - Attachment is obsolete: true
Attachment #754375 - Flags: review?(rrelyea)
Attachment #754376 - Flags: review?(rrelyea)

Comment 5

4 years ago
Comment on attachment 754376 [details] [diff] [review]
Patch v2

r+ Of the changes, the warning on trying to set the 'u' bits is probably the most useful.

bob
Attachment #754376 - Flags: review?(rrelyea) → review+
(Assignee)

Comment 6

4 years ago
https://hg.mozilla.org/projects/nss/rev/edcb5af30559
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED