nss: allow fifos and character devices for certificates. #3807
Currently you can do things like --cert <(cat ./cert.crt) with (at least) the openssl backend, but that doesn't work for nss because is_file rejects fifos. I don't actually know if this is sufficient, nss might do things internally (like seeking back) that make this not work, so actual testing is needed.
This was reported on irc by pawky |
Seems like a fine fix to me. Can you think of any reason this could be bad @kdudka ? |
I am fine with the proposed code change. Unfortunately, I do not think it will make loading of certificates from special files work as expected. The following code in nss-pem expects the file (data) size to be known before reading the data:
https://github.com/kdudka/nss-pem/blob/5c05ed26/src/util.c#L93
FYI
This way you can have the certs (and key) in your script not needing to keep track of several files. |
Which shell interpreter are you using? For example zsh provides the
I use bash. |
I don't mind this fix either, but as @kdudka points out I don't see how it will help as there's a file size requirement within NSS itself... |
I agree, if it doesn't actually change anything, it doesn't make much sense to apply it. The only thing I can think of is that maybe it changes the error message |
I was able to remove the limitation from nss-pem: kdudka/nss-pem#4 Still it might not work as expected when the file given by |
I have pushed the proposed change to nss-pem: kdudka/nss-pem@651e0f03 Is anybody against merging this pull request? |
Not me, I'm fine with merging it! |
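The two points raised in this thread, shown as an added example that is not code from curl or nss-pem: a file-type check that also accepts FIFOs and character devices, and a loader that reads to EOF instead of relying on a size known in advance. The names `is_readable_cert_source` and `read_to_eof` and the 1 MiB limit are assumptions; the type check uses `fstat()` on the descriptor that is then read.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical check: regular files, FIFOs and character devices pass. */
static int is_readable_cert_source(const struct stat *st)
{
  return S_ISREG(st->st_mode) || S_ISFIFO(st->st_mode) || S_ISCHR(st->st_mode);
}

/* Read fd until EOF without consulting st_size, which is not meaningful
   for a FIFO or character device. Returns a malloc'ed buffer and sets *len;
   NULL on error or once the input reaches `limit` bytes (limit must be > 0). */
static unsigned char *read_to_eof(int fd, size_t limit, size_t *len)
{
  size_t cap = limit < 4096 ? limit : 4096, used = 0;
  unsigned char *tmp, *buf = malloc(cap);
  while(buf) {
    ssize_t n;
    if(used == cap) {                       /* buffer full: grow or give up */
      cap = cap < limit / 2 ? cap * 2 : limit;
      tmp = (used < cap) ? realloc(buf, cap) : NULL;
      if(!tmp) { free(buf); return NULL; }
      buf = tmp;
    }
    n = read(fd, buf + used, cap - used);
    if(n == 0) { *len = used; return buf; } /* EOF: writer closed its end */
    if(n < 0 && errno != EINTR) { free(buf); return NULL; }
    if(n > 0) used += (size_t)n;
  }
  return NULL;
}

int main(int argc, char **argv)
{
  struct stat st;
  size_t len = 0;
  unsigned char *data = NULL;
  int fd = (argc > 1) ? open(argv[1], O_RDONLY) : -1;
  if(fd >= 0 && !fstat(fd, &st) && is_readable_cert_source(&st))
    data = read_to_eof(fd, 1 << 20, &len);
  if(!data) return 1;
  printf("read %zu bytes\n", len);
  free(data);
  return 0;
}
```

The size limit matters more here than for regular files: a FIFO or a device such as `/dev/zero` can supply data indefinitely, so an unbounded read-to-EOF loop would never terminate.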