certutils from libnss3-tools - man page contradicts Mozilla's

Bug #1586538 reported by DiagonalArg on 2016-05-27
This bug affects 1 person
Affects Status Importance Assigned to Milestone
nss (Ubuntu)

Bug Description

Description of certuitls here:

contradicts the man page here:

In the former "-t p" is "prohibited (explicitly distrusted)". In the latter, it's "Valid peer".

I'm listing it as a security vuln, because someone could do mistakenly do the wrong thing.

information type: Private Security → Public Security
Seth Arnold (seth-arnold) wrote :

Could you please report this issue to Mozilla? Based on a quick look of our source code and manpage I think our manpages correctly document the situation:


CERT_DecodeTrustString(CERTCertTrust *trust, const char *trusts)
    unsigned int i;
    unsigned int *pflags;

    if (!trust) {
        return SECFailure;
    trust->sslFlags = 0;
    trust->emailFlags = 0;
    trust->objectSigningFlags = 0;
    if (!trusts) {
        return SECFailure;

    pflags = &trust->sslFlags;

    for (i=0; i < PORT_Strlen(trusts); i++) {
        switch (trusts[i]) {
          case 'p':
              *pflags = *pflags | CERTDB_TERMINAL_RECORD;

          case 'P':
              *pflags = *pflags | CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD;


typedef unsigned int __CERTDB_VALID_PEER __attribute__((deprecated

There's a chance that "valid peer" is really being used to mean "not trusted for this particular feature" but that feels strange.


Changed in nss (Ubuntu):
status: New → Incomplete
DiagonalArg (diagonalarg) wrote :

I'm checking in with IRC. It's friday though. I'll let you know what I find.

Gareth Williams (gareththered) wrote :

It seems that CERTDB_TERMINAL_RECORD being set to true means that the trust record is authoritative, at which point it checks for either CERTDB_TRUSTED or CERTDB_TRUSTED_CA being true. If that's the case, then the certificate is trusted, otherwise it is distrusted.

Throughout lib/certhigh/certvfy.c you'll see variations on:

case certUsageSSLCA:
    flags = trust.sslFlags;
    if (flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
                                           * authoritative */
        if ((flags & (CERTDB_TRUSTED | CERTDB_TRUSTED_CA)) == 0) {
            /* don't trust this cert */
            *failedFlags = flags;
            return SECFailure;

The -t p option sets CERTDB_TERMINAL_RECORD while the -t P and -t C set CERTDB_TRUSTED and CERTDB_TRUSTED_CA respectively. Without the latter two (that is, with just -t p ) the certificate is explicitly distrusted as per the latest online certutil documentation.

It seems that the src man pages haven't been updated. An older version (from Sept 2014) at https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Tools/certutil agrees with the current man page in the src package.

Robie Basak (racb) wrote :

Thanks Gareth. So upstream have an inconsistency in their docs so presumably need an upstream bug to fix that? And Ubuntu is currently consistent between its documentation and behaviour? Is my understanding accurate?

tags: added: needs-upstream-report
Gareth Williams (gareththered) wrote :

Robie - I believe it's an inconsistency between upstream source docs and behaviour. However, upstream docs align with Ubuntu (and presumably other distro) docs and are _not_ consistent with the current behaviour.

The distro man pages and the online docs at https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Tools/certutil (Sept 2014) do not agree with the current behaviour and the later online docs at https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil (Sept 2015). Therefore, the source man page needs to be updated to align with the latter 2015 online docs.

As I understand it, the relevant -t trustargs arguments are:

p - mark the trustargs settings as authoritative, but don't flag the certificate as a CA. This makes the certificate explicitly distrusted as a CA as per the Sept 2015 online docs.

c - mark the trustargs settings as authoritative and also flag the certificate as a CA. I.e trusted.

'T' and 'C' also set 'c'

So, bottom line is to raise an upstream bug to align the source code man page with the online (Sept 2015) docs and current behaviour as there doesn't seem to be one currently - https://bugzilla.mozilla.org/buglist.cgi?quicksearch=certutil+trustargs

Robie Basak (racb) wrote :

Thanks Gareth. Is anyone volunteering to report this upstream? If reporting, please link to the report here.

Robie Basak (racb) wrote :

Thanks Gareth!

tags: removed: needs-upstream-report
Changed in nss (Ubuntu):
status: Incomplete → New
Changed in nss:
importance: Unknown → Medium
status: Unknown → New
Changed in nss (Ubuntu):
status: New → Triaged
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.