Bug 246273

Summary: checkcert missing from nss packages in f7
Product: [Fedora] Fedora
Component: nss
Version: 7
Hardware: All
OS: Linux
Status: CLOSED NOTABUG
Severity: medium
Priority: low
Reporter: Michael Breuer <mbreuer>
Assignee: Kai Engert (:kaie) (inactive account) <kengert>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: herrold, rrelyea, wtc
Doc Type: Bug Fix
Last Closed: 2008-04-01 22:57:39 UTC

Attachments:
  Patch for checkcert.c (flags: none)

Description Michael Breuer 2007-06-29 18:40:58 UTC
Description of problem:

checkcert is missing.

Version-Release number of selected component (if applicable):

nss-3.11.5-2.fc7

How reproducible:

Always, it's missing.

Steps to Reproduce:
1. Install f7

Actual results:

no checkcert anywhere

Expected results:

/usr/bin/checkcert exists

Additional info:

I downloaded the source and added back to the spec file. It was missing from the
binaries copied for installation (was being built, however).

Comment 1 Kai Engert (:kaie) (inactive account) 2007-07-12 01:44:11 UTC
Bob, Wan-Teh, what's your thinking about shipping the "checkcert" tools?

(Michael, if we are going to include it, we might only ship it as an unsupported
tool in /usr/lib/nss/unsupported-tools/)

Comment 2 Michael Breuer 2007-07-12 16:41:56 UTC
Unsupported is fine with me. It's a useful diagnostic tool to have on the system.

Comment 3 Wan-Teh Chang 2007-07-12 16:43:03 UTC
I never used checkcert.  CVS logs show that checkcert.c has
never been modified since we open-sourced NSS in 2000.  So
I am afraid that its status is unknown.  It's also possible
that you can use certutil to accomplish what checkcert does.

Comment 4 Bob Relyea 2007-07-12 16:46:43 UTC
I didn't even know we have it. If it still builds, go ahead and put it into
unsupported. If others find it's useful, I'm sure we will get bugs and patch
submissions for it. ;)

Comment 5 Wan-Teh Chang 2007-07-12 16:57:20 UTC
It needs the following patches.  1. Increase MAX_MODULUS from 1024
to at least 2048.  2. Call NSS_NoDB_Init so that it can verify the
signature for a self-signed cert or when the issuer cert is available.
(It doesn't seem to call any NSS initialization function now.)

Comment 6 Michael Breuer 2007-07-12 17:07:41 UTC
FWIW, it built and ran for me w/o issue (but the cert I was checking was only 1024).

It's possible that certutil could suffice, but checkcert seemed easier based on
RH & other online documentation.

Comment 7 Wan-Teh Chang 2007-07-12 21:56:15 UTC
Created attachment 159102 [details]
Patch for checkcert.c

I had to add the NSS_NoDB_Init call, otherwise checkcert
crashes for me.  It crashes in SECOID_FindOID, called by
the SECU_RegisterDynamicOids call in the main function,
because oidhash is NULL.  I'm wondering why Michael can
run checkcert without issue.

I also updated MAX_MODULUS and a warning about not using
PKCS1 MD5 to what might be the appropriate current values,
and removed an incorrect assertion.

Comment 8 Michael Breuer 2007-07-13 00:40:49 UTC
I can't tell you why it runs - perhaps it's got something to do with my certs?

Comment 9 Kai Engert (:kaie) (inactive account) 2008-04-01 22:57:39 UTC
I think it's unclear what checkcert is supposed to check exactly. Can you
explain?

I was not successful in executing checkcert at all, regardless of what parameters
I use; I always get the "usage" output.

I think we should not invest resources into unmaintained and broken tools.

If the functionality can not be achieved with certutil, we should rather move
the functionality over.

If I understand correctly, you can get the same functionality using the
validation functionality of certutil:
  certutil -V

I agree, it seems that using certutil might require one or two additional steps.
While checkcert seems to work on files directly, it appears certutil -V can only
operate on certs imported to the database.

So, you can do this:
mkdir test
cd test
certutil -d . -N
  (create empty db)
certutil -d . -A -n nickname-for-your-cert -t ,, -i certfile (-a)
  (import cert without explicit trust, use -a if it's a PEM file)
certutil -d . -V -n nickname-for-your-cert -u X
  (attempt to validate the cert. Explicitly state the desired usage
   you want to validate using -u. )

Optional:
certutil -d . -A -n nickname-for-ca-cert -t ,, -i cacertfile (-a)
  (import a root without explicit trust)

Michael, does this make sense?

Comment 10 Bob Relyea 2008-04-02 00:43:00 UTC
vfychain also verifies certificates.

Comment 11 Michael Breuer 2008-04-02 02:41:09 UTC
I think we're talking apples & oranges.  In older Fedora versions checkcert was
installed and configured to run from cron to notify the system administrator
when system-wide certs were expiring. Mostly, that'd be for sendmail and apache.
If I understand certutil correctly (which is far from certain), certutil is
intended more for user (browser, etc.) certs.

Rechecking on fedora 8, looks like checkcert has been replaced with certwatch.
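
As an added example (not code from this bug, from NSS or from certwatch), here is the scratch-database recipe from comment 9 and the cron-style expiry warning comment 11 describes, written as POSIX shell functions. It assumes an openssl CLI on the PATH (to mint a throwaway self-signed certificate and for the `x509 -checkend` test) and certutil from nss-tools for the database steps. The certificate it generates, the nickname checkcert-test and the use of certutil's --empty-password option are assumptions of this example, not anything the bug states.

```shell
#!/bin/sh
# Added example, not part of bug 246273 or of NSS.  Assumes: POSIX sh,
# `openssl` for the throwaway cert and the expiry check, and `certutil`
# (nss-tools) for the database steps.  The certificate is constructed on
# the fly; no real system certificate is touched.

# Create a self-signed throwaway certificate valid for $2 days in dir $1.
# Prints the path of the PEM certificate; fails if openssl fails.
make_test_cert() {
    dir=$1; days=$2
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=expiry-test.example" -days "$days" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1 || return 1
    printf '%s\n' "$dir/cert.pem"
}

# The certutil recipe from comment 9: fresh empty DB in $1, import file $2
# with no trust flags (",,"), then validate it for usage $3 (V = SSL server,
# C = SSL client, L = SSL CA).  Returns certutil -V's exit status, or 2 if
# the database could not be set up.  The nickname is an assumed value.
nss_validate_cert() {
    db=$1; cert=$2; usage=$3; nick=checkcert-test
    rm -rf "$db" && mkdir -p "$db" || return 2
    certutil -N -d "$db" --empty-password >/dev/null 2>&1 || return 2
    # -a because the input is PEM; drop it for a DER file.
    certutil -A -d "$db" -n "$nick" -t ",," -i "$cert" -a || return 2
    # -e additionally checks the signature, not just validity and trust.
    certutil -V -d "$db" -n "$nick" -u "$usage" -e
}

# The check comment 11 says checkcert used to run from cron: succeed (0)
# when certificate $1 expires within $2 days, return 1 when it is good for
# longer.  A file that does not parse also counts as "expiring", which is
# the safe default for an unattended job.
cert_expires_within() {
    cert=$1; days=$2
    secs=$((days * 86400))
    # openssl exits 0 when the cert will NOT expire inside the window.
    if openssl x509 -noout -checkend "$secs" -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# End-to-end run:  mint a 10-day cert, warn on a 30-day horizon, then try
# the certutil validation if nss-tools is installed.
demo() {
    work=$(mktemp -d) || return 1
    cert=$(make_test_cert "$work" 10) || { echo "openssl failed"; return 1; }
    if cert_expires_within "$cert" 30; then
        echo "WARNING: $cert expires within 30 days"
    fi
    if command -v certutil >/dev/null 2>&1; then
        if nss_validate_cert "$work/db" "$cert" V; then
            echo "certutil -V: valid"
        else
            echo "certutil -V: not valid (no trust flags were given)"
        fi
    fi
    rm -rf "$work"
}
```

Run it with `sh -c '. ./checkcert-demo.sh; demo'` or call demo at the bottom of the file. Note the caveat the recipe in comment 9 leaves implicit: importing a certificate with `-t ,,` gives it no trust, so `certutil -V` will report a self-signed certificate (or one whose issuer has no trust) as invalid; that is the correct answer for an untrusted chain, not a tool failure. To get a "valid" result the trust has to come from somewhere, for example importing the issuing CA with `-t C,,` or, for a self-signed server certificate you deliberately accept, marking it `-t P,,` with `certutil -M`. For the cron-style expiry warning no database is needed at all, since `openssl x509 -checkend` works on the file directly.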