129303 - NSS needs to expose interfaces to deal with multiple token sources of certs.

Status: RESOLVED FIXED

(NSS :: Libraries, defect, P1)

Description

[Robert Relyea]

In NSS there is only once cert structure for a given DER cert. That cert
structure has a single entry to store token and nickname information.

Certs can have multiple sources, however. NSS 3.4 correctly manages the fact
that a given cert may live on multiple tokens, but it can only present one token
& nickname for a given cert through it public API's. We need two new functions
(proposed by Ian and agreed by me) to provide this information:

char **CERT_GetTokenNames(CERTCertificate *cert);
char *CERT_GetNicknameForToken(CERTCertificate *cert, PK11SlotInfo *slot);

Comment 1

[Wan-Teh Chang]

Assigned the bug to Bob.

Comment 2

[Wan-Teh Chang]

Changed the QA contact to Bishakha.

Comment 3

[Robert Relyea]

PSM won't be able to use this before RTM, so move the feature out to a future
release of NSS.

Comment 4

[Kai Engert [:KaiE:]]

Bob, you said "Certs can have multiple sources".
What does that mean?

Comment 5

[Robert Relyea]

Attachment: function to return all the slots that this cert exists on.

Here is part of what is needed: given a cert, this function returns all the slots that cert exists on. With it is possible (if not exactly efficient) to implement the rest of the functions.

Comment 6

[Robert Relyea]

Actually this combined with CERT_GetNicknameForToken() will allow efficient implementation of CERT_GetTokenNames...

bob

Comment 7

[Kai Engert [:KaiE:]]

Comment on attachment 203479 [details] [diff] [review]
function to return all the slots that this cert exists on.

r=kaie

You might want to consider the following:

- Should the function behave safe when called with a NULL cert? If you think it should, please check for cert==NULL.

- You do not check whether c is NULL, but I suspect that's not required, as there is a 1:1 relationship between CERT and STAN_NSS ?

- can instance->token ever be NULL ?

Comment 8

[Robert Relyea]

It is a public function, so a NULL check is resonable.

It's highly unlikely NSS will get very far if STAN_GetNSSCertificate ever fails.
Yes, instances always have valid token pointers.

bob

Comment 9

[Robert Relyea]

Checking in pk11cert.c;
/cvsroot/mozilla/security/nss/lib/pk11wrap/pk11cert.c,v  <--  pk11cert.c
new revision: 1.144; previous revision: 1.143
done
/cvsroot/mozilla/security/nss/lib/nss/nss.def,v  <--  nss.def
new revision: 1.159; previous revision: 1.158
done

Comment 10

[Kai Engert [:KaiE:]]

Bob, as you checked it in, can this be marked fixed?

Comment 11

[Robert Relyea]

Oops.

Comment 12

[Nelson Bolyard (seldom reads bugmail)]

This was only fixed on trunk, not branch.
Do we want this fix in NSS 3.11.1 ?
Need to know right away.

Comment 13

[Robert Relyea]

This is also a nice to have. I've held it out of 3.11 because it's and interface change. I wouldn't hold 3.11 to get it, but would be happy to see it in.

bob

Comment 15

[Nelson Bolyard (seldom reads bugmail)]

The patch that was reviewed for this bug was not checked in.

Comment 16

[Julien Pierre]

I checked in the declaration to the trunk for NSS 3.12.1 .

Checking in pk11pub.h;
/cvsroot/mozilla/security/nss/lib/pk11wrap/pk11pub.h,v  <--  pk11pub.h
new revision: 1.26; previous revision: 1.25

Comment 17

[Nelson Bolyard (seldom reads bugmail)]

There is no test for this code.  There are no invocations of the new function
in any NSS libraries or test programs. :(

Comment 18

[Julien Pierre]

Nelson,

It is somewhat difficult to test without support for multiple tokens in the QA.
Right now the best we could do would be to test it with the root cert module.

For example, change the trust on some root certs, and then make sure they exist on both the softoken and built-in tokens.