Closed
Bug 620373
Opened 14 years ago
Closed 13 years ago
firefox doesn't use system certificate store
Categories
(Core :: Security: PSM, defect)
VERIFIED DUPLICATE of bug 449498
People
(Reporter: stransky, Unassigned)
Attachments (1 file): 3.13 KB, patch
There is a system-wide NSS db in /etc/pki/nssdb which should be recognized by Firefox. With the attached patch if the system database isn't enabled, it should just continue to use the old DBM database.
Attachment #498727 -
Flags: review?(kaie)
Updated•13 years ago
Attachment #498727 -
Flags: review?(kaie) → review?(honzab.moz)
Comment 1•13 years ago
Comment on attachment 498727 [details] [diff] [review]
adapted downstream patch

> extern "C" {
> #include "pkcs12.h"
> #include "p12plcy.h"
>+#include <unistd.h>
> }

I don't think we need to include unistd.h, this is probably a left-over from the original version that made unix-style file io calls. The code now calls NSPR. You may need to add a #include "prio.h" in the section with nss related includes.

---

I have questions about this style of initialization.

>+ init_rv = ::NSS_InitWithMerge(nssdb,
>+ "", "", SECMOD_DB,
>+ profileStr.get(), "", "",
>+ profileStr.get(), profileStr.get(), init_flags);
>+ }
>+ }
>+#endif

The nss-sysinit documentation recommends applications call NSS_InitReadAndWrite(sql:/etc/pki/nssdb); as nss-sysinit will open the system db read-only, and the user db plus the user's added ones read-write. Is the NSS_InitWithMerge() used because Mozilla applications don't yet support the shared db? Are there plans to do so?
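Review bot: In the NSS_InitWithMerge call, profileStr.get() is passed in three separate argument positions and four other arguments are bare empty strings, so a reader cannot tell from the call which parameter each value fills or why the same profile path is right for all three. Add a short comment per argument, or assign them to named locals first. The quoted lines also only assign init_rv; please confirm the code after the #endif checks it, so a failed merge initialization falls back to the existing database path instead of continuing with NSS uninitialized.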
Comment 2•13 years ago
(In reply to comment #1)
Thanks to Bob Relyea's clarifications and a more careful reading of https://wiki.mozilla.org/NSS_Shared_DB_And_LINUX this becomes clear for me.

> The nss-sysinit documentation recommends applications call
> NSS_InitReadAndWrite(sql:/etc/pki/nssdb);

Yes, and the guidelines enumerate exceptions to this general rule. Firefox is an application that needs to perform automatic migration of an old legacy NSS database from an old location to the new system location, so initializing NSS with:

>+ init_rv = ::NSS_InitWithMerge(nssdb,
>+ "", "", SECMOD_DB,
>+ profileStr.get(), "", "",
>+ profileStr.get(), profileStr.get(), init_flags);

is what's prescribed and the patch takes care of enabling support for the shared db and taking advantage of the system-wide certificate store.
Comment 3•13 years ago
Could anyone with good knowledge of NSS say what NSS_InitWithMerge exactly does?
Comment 4•13 years ago
(In reply to comment #3) The sources I find most useful are (1) the NSS Shared DB Design proposal: https://bugzilla.mozilla.org/show_bug.cgi?id=620373 and the discussions in the bug for it: https://bugzilla.mozilla.org/show_bug.cgi?id=391296
Comment 5•13 years ago
This is a dupe of bug 449498, which contains the same patch. I just wrote a comment, at bug 449498 comment 10. In my understanding the use of NSS_InitWithMerge requires application level user interface.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Updated•13 years ago
Attachment #498727 -
Flags: review?(honzab.moz)