Closed
Bug 876352
Opened 12 years ago
Closed 12 years ago
certutil: (a) Warn if importing PEM file with private key (b) fail if user attempts to import cert with requested "u" trust
Categories: NSS :: Tools, defect
Tracking: Not tracked
Status: RESOLVED FIXED
Target Milestone: 3.15.1
People: Reporter: KaiE, Assigned: KaiE
Attachments: 1 file, 1 obsolete file (patch, 20.90 KB; rrelyea: review+)
certutil currently cannot import private keys from a PEM file; it silently skips over private keys.
We could improve usability by using two minor changes, which shouldn't cause any side effects:
(a) If a user attempts to import a certificate in the ASCII format,
search if the file contains the phrase "PRIVATE KEY".
If it does, print a warning message
"certutil cannot import private keys in this format, please use pk12util"
but proceed as usual (import cert, skip key).
(b) If a user explicitly requests to set the certificate to include "u" for
any usage, then FAIL with an error like:
"Usage u requires a private key, use pk12util to import a certificate with a private key."
Comment 1 • 12 years ago (Assignee)
I'm adjusting my (b) suggestion.
Even in that scenario, I want to print a warning only, to change the existing behaviour as little as possible.
Comment 2 • 12 years ago (Assignee)
This patch is slightly larger than expected, because we're operating on a file handle, which could be standard input, so we cannot read the file twice. This means we must adjust the function that processes the input stream.
Luckily that function is in the tool code, so the function can easily be changed, without breaking any API/ABI promises of the core NSS library.
Assignee: nobody → kaie
Attachment #754375 - Flags: review?(rrelyea)
Comment 3 • 12 years ago (Assignee)
Output with this change:
$ certutil -A -d /tmp/bla/ -n test -a -i test.cert -t u,u,u
Warning: ignoring private key. Consider to use pk12util.
Notice: Trust flag u is set automatically if the private key is present.
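The single-pass check described in the bug description and Comment 2, as an added example that is not the NSS patch attached to this bug: the input stream (possibly standard input) is buffered once, and the same buffer is searched for "PRIVATE KEY" and later handed to certificate decoding. The names `read_all`, `contains`, `check_import` and the `WARN_*` constants are hypothetical; the two messages are the ones shown in Comment 3.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define WARN_PRIVATE_KEY 0x1 /* input contains the phrase "PRIVATE KEY" */
#define WARN_TRUST_U     0x2 /* requested trust string contains 'u' */

/* Read the stream exactly once; it may be stdin, which cannot be re-read. */
static char *read_all(FILE *in, size_t *len_out) {
    size_t cap = 4096, len = 0, n;
    char *buf = malloc(cap);
    if (!buf) return NULL;
    while ((n = fread(buf + len, 1, cap - len - 1, in)) > 0) {
        len += n;
        if (len + 1 == cap) { /* buffer full: double it before reading on */
            char *tmp = realloc(buf, cap *= 2);
            if (!tmp) { free(buf); return NULL; }
            buf = tmp;
        }
    }
    buf[len] = '\0'; /* one byte is always reserved for the terminator */
    *len_out = len;
    return buf;
}

/* Length-bounded substring search; does not stop at an embedded NUL byte. */
static int contains(const char *buf, size_t len, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; n <= len && i <= len - n; i++)
        if (memcmp(buf + i, needle, n) == 0) return 1;
    return 0;
}

/* Buffer once, check the buffer; caller decodes and frees *data. -1 = OOM. */
int check_import(FILE *in, const char *trust, char **data, size_t *len) {
    int warn = 0;
    if (!(*data = read_all(in, len))) return -1;
    if (contains(*data, *len, "PRIVATE KEY")) warn |= WARN_PRIVATE_KEY;
    if (trust && strchr(trust, 'u')) warn |= WARN_TRUST_U;
    return warn; /* warnings only: the certificate import still proceeds */
}

int main(int argc, char **argv) { /* usage: ./a.out u,u,u < test.cert */
    char *data; size_t len;
    int w = check_import(stdin, argc > 1 ? argv[1] : "", &data, &len);
    if (w < 0) return 1;
    if (w & WARN_PRIVATE_KEY) puts("Warning: ignoring private key. Consider to use pk12util.");
    if (w & WARN_TRUST_U) puts("Notice: Trust flag u is set automatically if the private key is present.");
    free(data);
    return 0;
}
```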
Updated • 12 years ago (Assignee)
Target Milestone: --- → 3.15.1
Comment 4 • 12 years ago (Assignee)
Attachment #754375 - Attachment is obsolete: true
Attachment #754375 - Flags: review?(rrelyea)
Attachment #754376 - Flags: review?(rrelyea)
Comment 5 • 12 years ago
Comment on attachment 754376
Patch v2
r+ Of the changes, the warning on trying to set the 'u' bits is probably the most useful.
bob
Attachment #754376 - Flags: review?(rrelyea) → review+
Comment 6 • 12 years ago (Assignee)
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED