Bug 246273 - checkcert missing from nss packages in f7
Summary: checkcert missing from nss packages in f7
Alias: None
Product: Fedora
Classification: Fedora
Component: nss
Version: 7
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Kai Engert (:kaie) (inactive account)
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2007-06-29 18:40 UTC by Michael Breuer
Modified: 2008-04-02 02:41 UTC

Clone Of:
Last Closed: 2008-04-01 22:57:39 UTC

Attachments
Patch for checkcert.c (1.75 KB, patch)
2007-07-12 21:56 UTC, Wan-Teh Chang

Description Michael Breuer 2007-06-29 18:40:58 UTC
Description of problem:

checkcert is missing.

Version-Release number of selected component (if applicable):


How reproducible:

Always, it's missing.

Steps to Reproduce:
1. Install f7
Actual results:

no checkcert anywhere

Expected results:

/usr/bin/checkcert exists
Additional info:

I downloaded the source and added back to the spec file. It was missing from the
binaries copied for installation (was being built, however).

Comment 1 Kai Engert (:kaie) (inactive account) 2007-07-12 01:44:11 UTC
Bob, Wan-Teh, what's your thinking about shipping the "checkcert" tools?

(Michael, if we are going to include it, we might only ship it as an unsupported
tool in /usr/lib/nss/unsupported-tools/ )

Comment 2 Michael Breuer 2007-07-12 16:41:56 UTC
Unsupported is fine with me. It's a useful diagnostic tool to have on the system.

Comment 3 Wan-Teh Chang 2007-07-12 16:43:03 UTC
I never used checkcert.  CVS logs show that checkcert.c has
never been modified since we open-sourced NSS in 2000.  So
I am afraid that its status is unknown.  It's also possible
that you can use certutil to accomplish what checkcert does.

Comment 4 Bob Relyea 2007-07-12 16:46:43 UTC
I didn't even know we have it. If it still builds, go ahead and put it into
unsupported. If others find it's useful, I'm sure we will get bugs and patch
submissions for it. ;)

Comment 5 Wan-Teh Chang 2007-07-12 16:57:20 UTC
It needs the following patches.
1. Increase MAX_MODULUS from 1024 to at least 2048.
2. Call NSS_NoDB_Init so that it can verify the signature for a self-signed
   cert or when the issuer cert is available. (It doesn't seem to call any
   NSS initialization function now.)

Comment 6 Michael Breuer 2007-07-12 17:07:41 UTC
FWIW, it built and ran for me w/o issue (but the cert I was checking was only 1024).

It's possible that certutil could suffice, but checkcert seemed easier based on
RH & other online documentation.

Comment 7 Wan-Teh Chang 2007-07-12 21:56:15 UTC
Created attachment 159102 [details]
Patch for checkcert.c

I had to add the NSS_NoDB_Init call, otherwise checkcert
crashes for me.  It crashes in SECOID_FindOID, called by
the SECU_RegisterDynamicOids call in the main function,
because oidhash is NULL.  I'm wondering why Michael can
run checkcert without issue.

I also updated MAX_MODULUS and a warning about not using
PKCS1 MD5 to what might be the appropriate current values,
and removed an incorrect assertion.

Comment 8 Michael Breuer 2007-07-13 00:40:49 UTC
I can't tell you why it runs - perhaps it's got something to do with my certs?

Comment 9 Kai Engert (:kaie) (inactive account) 2008-04-01 22:57:39 UTC
I think it's unclear what the checkcert is supposed to check exactly. Can you

I was not successful in executing checkcert at all; regardless of what parameters
I use, I always get the "usage" output.

I think we should not invest resources into unmaintained and broken tools.

If the functionality can not be achieved with certutil, we should rather move
the functionality over.

If I understand correctly, you can get the same functionality using the
validation functionality of certutil:
  certutil -V

I agree, it seems that using certutil might require one or two additional steps.
While checkcert seems to work on files directly, it appears certutil -V can only
operate on certs imported to the database.

So, you can do this:
mkdir test
cd test
certutil -d . -N
  (create empty db)
certutil -d . -A -n nickname-for-your-cert -t ,, -i certfile (-a)
  (import cert without explicit trust, use -a if it's a PEM file)
certutil -d . -V -n nickname-for-your-cert -u X
  (attempt to validate the cert. Explicitly state the desired usage
   you want to validate using -u. )

certutil -d . -A -n nickname-for-ca-cert -t ,, -i cacertfile (-a)
  (import a root without explicit trust)

Michael, does this make sense?
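
As an added example (not code from this bug or from NSS), here are the certutil
steps above wrapped in one POSIX shell function that validates a certificate
file against a throwaway database, so nothing is imported into the system DB.
It assumes certutil from nss-tools is on PATH and supports --empty-password;
the function names, the nicknames "subject" and "issuer", and the readable role
names are this example's own choices. It goes slightly beyond the steps above by
mapping role names to the -u letters certutil -V expects and by detecting PEM
input so -a is added automatically.

```shell
#!/bin/sh
# Added example, not from the bug report: validate a cert file with certutil -V
# using a temporary NSS database, following the comment-9 recipe.

# Map a readable role to the single-letter -u code of certutil -V.
usage_letter() {
    case "$1" in
        client)      echo C ;;   # SSL client
        server)      echo V ;;   # SSL server
        sslca)       echo L ;;   # SSL CA
        anyca)       echo A ;;   # any CA
        verifyca)    echo Y ;;   # verify CA
        emailsigner) echo S ;;   # e-mail signer
        emailrecip)  echo R ;;   # e-mail recipient
        ocsp)        echo O ;;   # OCSP status responder
        objsigner)   echo J ;;   # object signer
        *)           return 1 ;;
    esac
}

# Print certutil's -a flag when the file is PEM; print nothing for DER.
pem_flag() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo "-a"
    fi
}

# nss_validate_cert_file CERTFILE ROLE [CACERTFILE] [CATRUST]
#   CATRUST defaults to ",," (import without trust, as in the recipe above);
#   pass e.g. "C,," to treat the CA file as a trusted SSL root instead.
# Exit status: 0 valid, 1 certutil rejected the cert, 2 bad arguments/setup.
nss_validate_cert_file() {
    cert=$1; role=$2; cacert=$3; catrust=${4:-,,}
    if [ -z "$cert" ] || [ -z "$role" ]; then
        echo "usage: nss_validate_cert_file CERTFILE ROLE [CACERTFILE] [CATRUST]" >&2
        return 2
    fi
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 2; }
    letter=$(usage_letter "$role") || { echo "unknown role: $role" >&2; return 2; }
    command -v certutil >/dev/null 2>&1 || { echo "certutil not found" >&2; return 2; }

    db=$(mktemp -d) || return 2
    rc=0
    # 1. empty database (no password, so the run is non-interactive)
    certutil -d "$db" -N --empty-password >/dev/null || rc=2
    # 2. optional issuer, then the subject cert, both with explicit trust flags
    if [ "$rc" -eq 0 ] && [ -n "$cacert" ]; then
        certutil -d "$db" -A -n issuer -t "$catrust" -i "$cacert" $(pem_flag "$cacert") || rc=2
    fi
    if [ "$rc" -eq 0 ]; then
        certutil -d "$db" -A -n subject -t ,, -i "$cert" $(pem_flag "$cert") || rc=2
    fi
    # 3. validate for the requested usage; certutil prints the reason on failure
    if [ "$rc" -eq 0 ]; then
        certutil -d "$db" -V -n subject -u "$letter" || rc=1
    fi
    rm -rf "$db"
    return "$rc"
}

# Stand-alone use: nss_validate_cert_file server.pem server [ca.pem] [C,,]
if [ "$#" -gt 0 ]; then
    nss_validate_cert_file "$@"
fi
```

With the default ",," trust the issuer is only available for chain building, as
in the recipe above; validation then succeeds only if the chain reaches a root
already trusted by NSS, which is why the fourth argument exists.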

Comment 10 Bob Relyea 2008-04-02 00:43:00 UTC
vfychain also verifies certificates.

Comment 11 Michael Breuer 2008-04-02 02:41:09 UTC
I think we're talking apples & oranges.  In older Fedora versions checkcert was
installed and configured to run from cron to notify the system administrator
when system-wide certs were expiring. Mostly, that'd be for sendmail and apache.
If I understand certutil correctly (which is far from certain), certutil is
intended more for user (browser, etc.) certs.

Rechecking on fedora 8, looks like checkcert has been replaced with certwatch.
