Closed Bug 620373 Opened 14 years ago Closed 13 years ago

firefox doesn't use system certificate store

Categories

(Core :: Security: PSM, defect)

x86
Linux
defect
Not set
normal

VERIFIED DUPLICATE of bug 449498

People

(Reporter: stransky, Unassigned)

Attachments

(1 file)

There is a system-wide NSS db in /etc/pki/nssdb which should be recognized by Firefox. With the attached patch if the system database isn't enabled, it should just continue to use the old DBM database.
Attachment #498727 - Flags: review?(kaie)
Attachment #498727 - Flags: review?(kaie) → review?(honzab.moz)
Comment on attachment 498727: adapted downstream patch

> extern "C" {
> #include "pkcs12.h"
> #include "p12plcy.h"
>+#include <unistd.h>
> }
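Review bot: the `+#include <unistd.h>` is added inside the `extern "C"` block with nothing in the hunk guarding it, and unistd.h is a POSIX-only header; if any part of it turns out to be needed, it should sit under the same platform `#ifdef` that the rest of the patch uses (the initialization hunk closes with `#endif`), and otherwise the line should simply go, as the reviewer says.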

I don't think we need to include unistd.h, this is probably a left-over from
the original version that made unix-style file I/O calls. The code now calls NSPR.
You may need to add a #include "prio.h" in the section with nss related includes.

---
I have questions in this style initialization.
>+          init_rv = ::NSS_InitWithMerge(nssdb,
>+                                        "", "", SECMOD_DB,
>+                                        profileStr.get(), "", "",
>+                                        profileStr.get(), profileStr.get(), init_flags);
>+        }
>+    }
>+#endif
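Review bot: the hunk ends right after the NSS_InitWithMerge() call, so the handling of init_rv is not visible; since the description says Firefox should keep using the old DBM database when the system database isn't enabled, the failure path (and whether a failed merge leaves NSS uninitialized) needs to be reviewed together with this call. Note also that the three trailing `profileStr.get()` arguments fill the updateDir, updateID and updateName parameters: updateID is the tag NSS stores to remember that this legacy database has already been merged, so reusing the raw profile path there is only correct if that path is stable for the lifetime of the profile, and updateName is what a password prompt for the legacy database would display to the user.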

The nss-sysinit documentation recommends applications call NSS_InitReadAndWrite(sql:/etc/pki/nssdb);
as nss-sysinit will open the system db read-only, and the user db plus the user's added ones read-write.
Is the NSS_InitWithMerge() used because Mozilla applications don't yet support the shared db?
Are there plans to do so?
(In reply to comment #1)
Thanks to Bob Relyea's clarifications and a more careful reading of https://wiki.mozilla.org/NSS_Shared_DB_And_LINUX this becomes clear for me.

> The nssyinit documention recommends applications call
> NSS_InitReadAndWrite(sql:/etc/pki/nssdb);

Yes, and the guidelines enumerate exceptions to this general rule.

Firefox is an application that needs to perform automatic migration of an old legacy NSS database from an old location to the new system location, so initializing NSS with:
>+          init_rv = ::NSS_InitWithMerge(nssdb,
>+                                        "", "", SECMOD_DB,
>+                                        profileStr.get(), "", "",
>+                                        profileStr.get(), profileStr.get(), init_flags);

is what's prescribed and the patch takes care of enabling support for the shared db and taking advantage of the system-wide certificate store.
Could anyone with good knowledge of NSS say what NSS_InitWithMerge exactly does?
(In reply to comment #3)
The sources I find most useful are (1) the NSS Shared DB Design proposal: https://bugzilla.mozilla.org/show_bug.cgi?id=620373 and the discussions in
the bug for it: https://bugzilla.mozilla.org/show_bug.cgi?id=391296
This is a dupe of bug 449498, which contains the same patch.

I just wrote a comment, at bug 449498 comment 10.

In my understanding the use of NSS_InitWithMerge requires application level user interface.
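The thread turns on which on-disk NSS database format a directory holds (the legacy DBM files a Firefox profile carries versus the shared SQLite format that the system store in /etc/pki/nssdb uses) and which initialization path follows from that. The script below is an added example, not the patch or anything posted in this bug: it classifies a directory by the files it contains, builds the `sql:`/`dbm:` configdir prefix that NSS and certutil accept, and mirrors the decision described in comment 0 (shared system store when nss-sysinit is enabled, otherwise the old DBM profile database). The `sysinit_enabled` check assumes the Fedora layout in which enabling nss-sysinit registers libnsssysinit.so in /etc/pki/nssdb/pkcs11.txt; the function names and the merge/readwrite/legacy labels are mine.

```shell
#!/bin/sh
# Added example (not from the bug or its patch): classify an NSS database directory
# by its on-disk format and derive the init strategy for it.
# Legacy DBM databases consist of cert8.db/key3.db/secmod.db; shared (SQLite)
# databases of cert9.db/key4.db/pkcs11.txt. /etc/pki/nssdb is the system store
# discussed in the bug.

# nss_db_kind DIR -> prints one of: sql dbm both none
nss_db_kind() {
    dir=$1
    sql=0; dbm=0
    [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ] && sql=1
    [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ] && dbm=1
    if [ $sql -eq 1 ] && [ $dbm -eq 1 ]; then echo both
    elif [ $sql -eq 1 ]; then echo sql
    elif [ $dbm -eq 1 ]; then echo dbm
    else echo none
    fi
}

# nss_configdir DIR -> the "sql:" or "dbm:" prefixed path that NSS_Init* and
# "certutil -d" accept; fails (status 1) when DIR holds no NSS database at all.
nss_configdir() {
    case $(nss_db_kind "$1") in
        sql|both) echo "sql:$1" ;;
        dbm)      echo "dbm:$1" ;;
        *)        return 1 ;;
    esac
}

# sysinit_enabled SYSDIR -> success if SYSDIR/pkcs11.txt loads libnsssysinit.
# Assumption: Fedora layout, where enabling nss-sysinit edits /etc/pki/nssdb/pkcs11.txt.
sysinit_enabled() {
    grep -q 'library=libnsssysinit' "$1/pkcs11.txt" 2>/dev/null
}

# choose_init SYSDIR PROFILEDIR -> merge | readwrite | legacy
#   merge     : system store usable and the profile still holds a DBM database,
#               i.e. the NSS_InitWithMerge() case from the patch (one-time migration)
#   readwrite : system store usable and the profile is already in shared format,
#               i.e. a plain read-write init of the sql: database
#   legacy    : system store absent or nss-sysinit disabled; keep the old DBM database
choose_init() {
    sysdir=$1; profile=$2
    if sysinit_enabled "$sysdir" && [ "$(nss_db_kind "$sysdir")" = sql ]; then
        case $(nss_db_kind "$profile") in
            dbm) echo merge ;;
            *)   echo readwrite ;;
        esac
    else
        echo legacy
    fi
}

# Stand-alone usage: report on the system store from the bug (prints "none" when absent).
echo "system store format: $(nss_db_kind /etc/pki/nssdb)"
```

`nss_configdir` output is the string to hand to `certutil -d` for inspection; the `merge`, `readwrite` and `legacy` results correspond to NSS_InitWithMerge(), NSS_InitReadWrite() on the `sql:` profile, and the unchanged DBM initialization respectively.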
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → VERIFIED
Attachment #498727 - Flags: review?(honzab.moz)