It seems that CERTDB_TERMINAL_RECORD being set to true means that the
trust record is authoritative, at which point it checks for either
CERTDB_TRUSTED or CERTDB_TRUSTED_CA being true. If that's the case, then
the certificate is trusted, otherwise it is distrusted.

Throughout lib/certhigh/certvfy.c you'll see variations on:

case certUsageSSLCA:
    flags = trust.sslFlags;
    if (flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
                                           * authoritative */
        if ((flags & (CERTDB_TRUSTED | CERTDB_TRUSTED_CA)) == 0) {
            /* don't trust this cert */
            *failedFlags = flags;
            return SECFailure;
        }
    }
    break;

The -t p option sets CERTDB_TERMINAL_RECORD while the -t P and -t C set
CERTDB_TRUSTED and CERTDB_TRUSTED_CA respectively.  Without the latter
two (that is, with just -t p ) the certificate is explicitly distrusted
as per the latest online certutil documentation.

It seems that the src man pages haven't been updated.  An older version
(from Sept 2014) at
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Tools/certutil
agrees with the current man page in the src package.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to nss in Ubuntu.
https://bugs.launchpad.net/bugs/1586538

Title:
  certutils from libnss3-tools - man page contradicts Mozilla's

Status in nss package in Ubuntu:
  Incomplete

Bug description:
  Description of certutils here:

  https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil#Options_and_Arguments

  contradicts the man page here:
  http://manpages.ubuntu.com/manpages/wily/man1/certutil.1.html

  In the former "-t p" is "prohibited (explicitly distrusted)".  In the
  latter, it's "Valid peer".

  I'm listing it as a security vuln, because someone could mistakenly do
  the wrong thing.
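To make the flag logic from the comment above concrete, here is a small model of it, written for this page rather than taken from NSS or the bug thread. It reproduces the certvfy.c check (terminal record decides; without CERTDB_TRUSTED or CERTDB_TRUSTED_CA that decision is "distrust") and maps certutil -t letters onto flag bits. The flag bit values and the letter-to-flag mapping (p, P, c, C) are assumptions modelled on NSS's certdb.h and CERT_DecodeTrustString; the function names are mine.

```c
#include <stdio.h>
#include <string.h>

/* Flag bits modelled on NSS's lib/certdb/certdb.h (assumed values). */
#define CERTDB_TERMINAL_RECORD (1u << 0)
#define CERTDB_TRUSTED         (1u << 1)
#define CERTDB_VALID_CA        (1u << 3)
#define CERTDB_TRUSTED_CA      (1u << 4)

typedef enum {
    TRUST_DISTRUSTED = 0,  /* terminal record, no trust bit: hard failure   */
    TRUST_TRUSTED    = 1,  /* terminal record with a trust bit: accepted    */
    TRUST_UNDECIDED  = 2   /* not terminal: verifier keeps walking the chain */
} trust_verdict;

/* Mirrors the pattern in lib/certhigh/certvfy.c: the trust record is only
 * authoritative when CERTDB_TERMINAL_RECORD is set, and then it is an
 * explicit distrust unless CERTDB_TRUSTED or CERTDB_TRUSTED_CA is also set. */
trust_verdict evaluate_trust_record(unsigned flags) {
    if (flags & CERTDB_TERMINAL_RECORD) {
        if ((flags & (CERTDB_TRUSTED | CERTDB_TRUSTED_CA)) == 0)
            return TRUST_DISTRUSTED;
        return TRUST_TRUSTED;
    }
    return TRUST_UNDECIDED;
}

/* Decode the first (SSL) group of a certutil -t string such as "p,p,p" into
 * sslFlags. Assumed mapping, modelled on NSS's CERT_DecodeTrustString.
 * Returns 1 on success, 0 on an unknown letter (hypothetical helper). */
int decode_ssl_trust_letters(const char *trust_arg, unsigned *out) {
    unsigned flags = 0;
    for (const char *p = trust_arg; *p && *p != ','; p++) {
        switch (*p) {
        case 'p': flags |= CERTDB_TERMINAL_RECORD; break;
        case 'P': flags |= CERTDB_TERMINAL_RECORD | CERTDB_TRUSTED; break;
        case 'c': flags |= CERTDB_VALID_CA; break;
        case 'C': flags |= CERTDB_VALID_CA | CERTDB_TRUSTED_CA; break;
        case ' ': break;
        default:  return 0;
        }
    }
    *out = flags;
    return 1;
}

/* Convenience: verdict for a -t argument; -1 if the letters do not decode. */
int verdict_for_trust_arg(const char *trust_arg) {
    unsigned flags;
    if (!decode_ssl_trust_letters(trust_arg, &flags))
        return -1;
    return (int)evaluate_trust_record(flags);
}

static const char *verdict_name(int v) {
    switch (v) {
    case TRUST_DISTRUSTED: return "explicitly distrusted";
    case TRUST_TRUSTED:    return "trusted";
    case TRUST_UNDECIDED:  return "undecided (chain continues)";
    default:               return "invalid trust string";
    }
}

int main(void) {
    /* Constructed sample arguments; "p,p,p" is the one the bug is about. */
    const char *samples[] = { "p,p,p", "P,,", "C,,", "c,,", ",,", "X,," };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("-t %-6s -> %s\n", samples[i],
               verdict_name(verdict_for_trust_arg(samples[i])));
    return 0;
}
```

The "p,p,p" row is the case the two documents disagree on: the record is terminal but carries neither trust bit, so the verifier returns SECFailure, which matches "prohibited (explicitly distrusted)" rather than "valid peer".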
