Last Comment Bug 129303 - NSS needs to expose interfaces to deal with multiple token sources of certs.
: NSS needs to expose interfaces to deal with multiple token sources of certs.
Product: NSS
Classification: Components
Component: Libraries (show other bugs)
: 3.4
: x86 Windows NT
P1 normal (vote)
: 3.12.1
Assigned To: Robert Relyea
: Jason Reid
: 449105 (view as bug list)
Depends on: 129298 428106
Blocks: 129301
  Show dependency treegraph
Reported: 2002-03-06 09:53 PST by Robert Relyea
Modified: 2008-08-04 16:51 PDT (History)
5 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---

function to return all the slots that this cert exists on. (2.60 KB, patch)
2005-11-17 18:26 PST, Robert Relyea
kaie: review+
Details | Diff | Splinter Review

Description User image Robert Relyea 2002-03-06 09:53:29 PST
In NSS there is only once cert structure for a given DER cert. That cert
structure has a single entry to store token and nickname information.

Certs can have multiple sources, however. NSS 3.4 correctly manages the fact
that a given cert may live on multiple tokens, but it can only present one token
& nickname for a given cert through it public API's. We need two new functions
(proposed by Ian and agreed by me) to provide this information:

char **CERT_GetTokenNames(CERTCertificate *cert);
char *CERT_GetNicknameForToken(CERTCertificate *cert, PK11SlotInfo *slot);
Comment 1 User image Wan-Teh Chang 2002-03-06 12:40:46 PST
Assigned the bug to Bob.
Comment 2 User image Wan-Teh Chang 2002-04-25 16:34:39 PDT
Changed the QA contact to Bishakha.
Comment 3 User image Robert Relyea 2002-04-30 18:03:09 PDT
PSM won't be able to use this before RTM, so move the feature out to a future
release of NSS.
Comment 4 User image Kai Engert (:kaie) 2005-11-16 12:53:42 PST
Bob, you said "Certs can have multiple sources".
What does that mean?
Comment 5 User image Robert Relyea 2005-11-17 18:26:27 PST
Created attachment 203479 [details] [diff] [review]
function to return all the slots that this cert exists on.

Here is part of what is needed: given a cert, this function returns all the slots that cert exists on. With it is possible (if not exactly efficient) to implement the rest of the functions.
Comment 6 User image Robert Relyea 2005-11-17 18:27:34 PST
Actually this combined with CERT_GetNicknameForToken() will allow efficient implementation of CERT_GetTokenNames...

Comment 7 User image Kai Engert (:kaie) 2005-11-21 05:28:40 PST
Comment on attachment 203479 [details] [diff] [review]
function to return all the slots that this cert exists on.


You might want to consider the following:

- Should the function behave safe when called with a NULL cert? If you think it should, please check for cert==NULL.

- You do not check whether c is NULL, but I suspect that's not required, as there is a 1:1 relationship between CERT and STAN_NSS ?

- can instance->token ever be NULL ?
Comment 8 User image Robert Relyea 2005-11-21 15:02:57 PST
It is a public function, so a NULL check is resonable.

It's highly unlikely NSS will get very far if STAN_GetNSSCertificate ever fails.
Yes, instances always have valid token pointers.

Comment 9 User image Robert Relyea 2005-11-23 15:57:06 PST
Checking in pk11cert.c;
/cvsroot/mozilla/security/nss/lib/pk11wrap/pk11cert.c,v  <--  pk11cert.c
new revision: 1.144; previous revision: 1.143
/cvsroot/mozilla/security/nss/lib/nss/nss.def,v  <--  nss.def
new revision: 1.159; previous revision: 1.158
Comment 10 User image Kai Engert (:kaie) 2005-11-28 09:30:16 PST
Bob, as you checked it in, can this be marked fixed?
Comment 11 User image Robert Relyea 2005-11-28 09:58:23 PST
Comment 12 User image Nelson Bolyard (seldom reads bugmail) 2006-04-23 23:52:36 PDT
This was only fixed on trunk, not branch.
Do we want this fix in NSS 3.11.1 ?
Need to know right away.
Comment 13 User image Robert Relyea 2006-04-24 13:14:14 PDT
This is also a nice to have. I've held it out of 3.11 because it's and interface change. I wouldn't hold 3.11 to get it, but would be happy to see it in.

Comment 14 User image Nelson Bolyard (seldom reads bugmail) 2008-08-04 15:23:19 PDT
*** Bug 449105 has been marked as a duplicate of this bug. ***
Comment 15 User image Nelson Bolyard (seldom reads bugmail) 2008-08-04 15:28:55 PDT
The patch that was reviewed for this bug was not checked in.
Comment 16 User image Julien Pierre 2008-08-04 15:45:42 PDT
I checked in the declaration to the trunk for NSS 3.12.1 .

Checking in pk11pub.h;
/cvsroot/mozilla/security/nss/lib/pk11wrap/pk11pub.h,v  <--  pk11pub.h
new revision: 1.26; previous revision: 1.25
Comment 17 User image Nelson Bolyard (seldom reads bugmail) 2008-08-04 16:10:07 PDT
There is no test for this code.  There are no invocations of the new function
in any NSS libraries or test programs. :(
Comment 18 User image Julien Pierre 2008-08-04 16:51:27 PDT

It is somewhat difficult to test without support for multiple tokens in the QA.
Right now the best we could do would be to test it with the root cert module.

For example, change the trust on some root certs, and then make sure they exist on both the softoken and built-in tokens.

Note You need to log in before you can comment on or make changes to this bug.