On Sunday, September 13, 2020 at 3:00:21 PM UTC-7, Graham Leggett wrote:

> Hi all,
>
> In a script, I need to know what the “best” certificate is in the NSS
> database for a given host.
>
> The “best” certificate is
> - A valid certificate by all the usual definitions of valid; and
> - Matches the hostname provided either by using the subject or the
>   subjectAltName (with optional wildcards); and
> - (to break ties) Has the longest validity.
>
> From what I can see certutil can’t do this. Is there an alternative tool I
> should be using?
>
> If no tool exists, is there a corresponding API call in the NSS API that will
> return a certificate (or certificates) as per the definition above? If so I
> can put together a patch.
>
> Regards,
> Graham
> —
Hi Graham,

As you saw, there's no good mechanism for this via certutil. Honestly, the logic for the legacy verifier that would accomplish this is somewhat lacking, as well.

There's a meta-bug for someday reworking the tools to use mozilla::pkix, which would accomplish what you're looking for, Bug 1648172. The significant lift here though would be reworking the relevant tool to compile in C++, needed for mozilla::pkix. If you're interested in contributing that rework, we'd love to work with you on it.

But nevertheless, mozilla::pkix, in the lib/mozpkix dir, is the right way to approach this problem.

Cheers,
J.C.

--
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
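The selection rule Graham describes (valid, hostname match on subject or SAN with a single leftmost wildcard label, longest validity as tie-break) as an added example in Python; it is not code from the thread or from NSS. It assumes each certificate has already been parsed and chain-checked by some other tool or API into the hypothetical `CertInfo` record, and the sample database below is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class CertInfo:
    """Hypothetical record of an already-parsed certificate; chain_valid holds
    the result of the usual trust/expiry/revocation checks done elsewhere."""
    nickname: str
    subject_cn: str
    san_dns: List[str]
    not_before: datetime
    not_after: datetime
    chain_valid: bool


def label_matches(pattern: str, host: str) -> bool:
    """Case-insensitive name match; a wildcard is only allowed as the whole
    leftmost label and matches exactly one label, so '*.example.com' matches
    'a.example.com' but neither 'example.com' nor 'x.y.example.com'."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    parts = host.split(".")
    # Require at least three labels so '*.com' can never match 'example.com'.
    return len(parts) >= 3 and ".".join(parts[1:]) == pattern[2:]


def cert_matches_host(cert: CertInfo, host: str) -> bool:
    """Per the question: match on either the subject CN or any SAN dNSName."""
    return any(label_matches(n, host) for n in [cert.subject_cn, *cert.san_dns] if n)


def best_certificate(certs: List[CertInfo], host: str,
                     now: Optional[datetime] = None) -> Optional[CertInfo]:
    """Filter to valid, in-date, hostname-matching certs; longest validity wins."""
    now = now or datetime.now(timezone.utc)
    candidates = [c for c in certs if c.chain_valid
                  and c.not_before <= now <= c.not_after and cert_matches_host(c, host)]
    return max(candidates, key=lambda c: c.not_after - c.not_before, default=None)


NOW = datetime(2020, 9, 14, tzinfo=timezone.utc)
SAMPLE_DB = [  # constructed sample data, not from any real NSS database
    CertInfo("wild-2y", "*.example.com", [], NOW - timedelta(days=100), NOW + timedelta(days=630), True),
    CertInfo("www-1y", "www.example.com", ["www.example.com"], NOW - timedelta(days=30), NOW + timedelta(days=335), True),
    CertInfo("expired", "www.example.com", [], NOW - timedelta(days=800), NOW - timedelta(days=70), True),
    CertInfo("untrusted-10y", "www.example.com", [], NOW - timedelta(days=10), NOW + timedelta(days=3640), False),
]
```

With the constructed data, `best_certificate(SAMPLE_DB, "www.example.com", NOW)` picks `wild-2y`: the expired and untrusted entries are filtered out first, and the wildcard cert beats `www-1y` on validity length.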

