It seems that CERTDB_TERMINAL_RECORD being set to true means that the
trust record is authoritative, at which point it checks for either
CERTDB_TRUSTED or CERTDB_TRUSTED_CA being true. If that's the case, then
the certificate is trusted, otherwise it is distrusted.
Throughout lib/certhigh/certvfy.c you'll see variations on:
case certUsageSSLCA:
flags = trust.sslFlags;
if (flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
* authoritative */
if ((flags & (CERTDB_TRUSTED | CERTDB_TRUSTED_CA)) == 0) {
/* don't trust this cert */
*failedFlags = flags;
return SECFailure;
}
}
break;
The -t p option sets CERTDB_TERMINAL_RECORD while the -t P and -t C set
CERTDB_TRUSTED and CERTDB_TRUSTED_CA respectively. Without the latter
two (that is, with just -t p ) the certificate is explicitly distrusted
as per the latest online certutil documentation.
It seems that the src man pages haven't been updated. An older version
(from Sept 2014) at https://developer.mozilla.org/en-
US/docs/Mozilla/Projects/NSS/Tools/certutil agrees with the current man
page in the src package.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1586538
Title:
certutils from libnss3-tools - man page contradicts Mozilla's
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1586538/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
