[Bug 1586538] Re: certutils from libnss3-tools - man page contradicts Mozilla's
Gareth Williams
1586538 at bugs.launchpad.net
Wed Jun 1 08:54:16 UTC 2016
It seems that CERTDB_TERMINAL_RECORD being set to true means that the
trust record is authoritative, at which point it checks for either
CERTDB_TRUSTED or CERTDB_TRUSTED_CA being true. If that's the case, then
the certificate is trusted, otherwise it is distrusted.
Throughout lib/certhigh/certvfy.c you'll see variations on:
    case certUsageSSLCA:
        flags = trust.sslFlags;
        if (flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
                                               * authoritative */
            if ((flags & (CERTDB_TRUSTED | CERTDB_TRUSTED_CA)) == 0) {
                /* don't trust this cert */
                *failedFlags = flags;
                return SECFailure;
            }
        }
        break;
The -t p option sets CERTDB_TERMINAL_RECORD while the -t P and -t C set
CERTDB_TRUSTED and CERTDB_TRUSTED_CA respectively. Without the latter
two (that is, with just -t p) the certificate is explicitly distrusted
as per the latest online certutil documentation.
It seems that the src man pages haven't been updated. An older version
(from Sept 2014) at
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Tools/certutil
agrees with the current man page in the src package.
--
You received this bug notification because you are a member of Mozilla
Bugs, which is subscribed to nss in Ubuntu.
https://bugs.launchpad.net/bugs/1586538
Title:
certutils from libnss3-tools - man page contradicts Mozilla's
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1586538/+subscriptions
More information about the Ubuntu-mozillateam-bugs
mailing list
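The trust-flag evaluation described in the message above, as an added, self-contained C example that is not NSS code or part of the original thread. It models the certvfy.c pattern quoted in the post (a terminal record with neither CERTDB_TRUSTED nor CERTDB_TRUSTED_CA set means explicit distrust) and a simplified decoder for the -t letters the post discusses. The bit values are assumed to follow NSS's certdb.h, and the assumption that the 'P' (trusted peer) letter also marks the record terminal is mine; only 'p', 'P' and 'C' are modeled, so this is not a replacement for certutil's real parser.

```c
#include <stdio.h>

/* Bit values assumed to match NSS certdb.h; the check below only
 * depends on them being distinct bits. */
#define CERTDB_TERMINAL_RECORD (1u << 0)
#define CERTDB_TRUSTED         (1u << 1)
#define CERTDB_TRUSTED_CA      (1u << 4)

enum trust_verdict {
    TRUST_DISTRUSTED = 0, /* authoritative record, no trust bits: reject */
    TRUST_TRUSTED    = 1, /* authoritative record with a trust bit: accept */
    TRUST_UNDECIDED  = 2  /* not authoritative: normal chain building decides */
};

/* Hypothetical, simplified decoder for the certutil -t letters discussed
 * in the post. Assumption: 'P' (trusted peer) is also a terminal record;
 * 'C' only sets the CA trust bit. Other letters are ignored here. */
unsigned decode_trust_letters(const char *s)
{
    unsigned flags = 0;
    for (; *s; s++) {
        switch (*s) {
        case 'p': flags |= CERTDB_TERMINAL_RECORD; break;
        case 'P': flags |= CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD; break;
        case 'C': flags |= CERTDB_TRUSTED_CA; break;
        default: break;
        }
    }
    return flags;
}

/* Mirrors the certvfy.c fragment quoted in the post: a terminal record is
 * authoritative, and it only grants trust if one of the trust bits is set. */
enum trust_verdict evaluate_trust_record(unsigned flags)
{
    if (flags & CERTDB_TERMINAL_RECORD) {
        if ((flags & (CERTDB_TRUSTED | CERTDB_TRUSTED_CA)) == 0)
            return TRUST_DISTRUSTED;
        return TRUST_TRUSTED;
    }
    return TRUST_UNDECIDED;
}

static const char *verdict_name(enum trust_verdict v)
{
    switch (v) {
    case TRUST_DISTRUSTED: return "explicitly distrusted";
    case TRUST_TRUSTED:    return "trusted by record";
    default:               return "undecided (chain verification)";
    }
}

int main(void)
{
    /* Constructed sample trust strings, including the bare "p" case the
     * post says the old man page describes incorrectly. */
    const char *samples[] = { "p", "P", "C", "pC", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned flags = decode_trust_letters(samples[i]);
        printf("-t \"%s\" -> flags 0x%02x -> %s\n", samples[i], flags,
               verdict_name(evaluate_trust_record(flags)));
    }
    return 0;
}
```

The point a practitioner should take from running it: "p" alone yields a terminal record with no trust bits and is rejected outright, while a record with no terminal bit (such as "C") is not decided here at all and falls through to ordinary chain verification, where the CA trust bit is consulted.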