nss: allow fifos and character devices for certificates. #3807
Conversation
Currently you can do things like --cert <(cat ./cert.crt) with (at least) the openssl backend, but that doesn't work for nss because is_file rejects fifos. I don't actually know if this is sufficient, nss might do things internally (like seeking back) that make this not work, so actual testing is needed.
|
This was reported on irc by pawky |
|
Seems like a fine fix to me. Can you think of any reason this could be bad @kdudka ? |
There was a problem hiding this comment.
I am fine with the proposed code change. Unfortunately, I do not think it will make loading of certificates from special files work as expected. The following code in nss-pem expects the file (data) size to be known before reading the data:
https://github.com/kdudka/nss-pem/blob/5c05ed26/src/util.c#L93
|
FYI This way you can have have the certs (and key) in your script not needing to keep track of several files. |
|
Which shell interpreter are you using? For example zsh provides the
|
|
I use bash. |
|
I don't mind this fix either, but as @kdudka points out I don't see how it will help as there's a file size requirement within NSS itself... |
|
I agree, if it doesn't actually change anything, it doesn't make much sense to apply it. The only thing I can think of is that maybe it changes the error message |
|
I was able to remove the limitation from nss-pem: kdudka/nss-pem#4 Still it might not work as expected when the file given by |
|
I have pushed the proposed change to nss-pem: kdudka/nss-pem@651e0f03 Is anybody against merging this pull request? |
|
Not me, I'm fine with merging it! |
Currently you can do things like --cert <(cat ./cert.crt) with (at least) the
openssl backend, but that doesn't work for nss because is_file rejects fifos.
I don't actually know if this is sufficient, nss might do things internally
(like seeking back) that make this not work, so actual testing is needed.