Closed Bug 1329360 Opened 8 years ago Closed 8 years ago

avoid some NSS functions that internally use PK11_GetInternalKeySlot

Categories

(Core :: Security: PSM, defect, P1)

defect

Tracking

()

RESOLVED FIXED
mozilla53
Tracking Status
firefox53 --- fixed

People

(Reporter: keeler, Assigned: keeler)

Details

(Whiteboard: [psm-assigned])

Attachments

(1 file)

CERT_AddTempCertToPerm and CERT_ImportCerts (when called with keepCerts=true) internally use PK11_GetInternalKeySlot. The current plan for making NSS always available involves initializing it in memory-only mode and later opening the user's certificate and key databases. Doing so means that PK11_GetInternalKeySlot will not return the right token, so we can't rely on functions that make use of it internally. For now we'll simply use equivalent functions that take an explicit PK11SlotInfo argument and pass in the current internal token. A later patch will change all places where PSM and Gecko use the internal token to use the correct token. (See https://wiki.mozilla.org/Security/CryptoEngineering/Platform_Use_of_NSS )
Comment on attachment 8826660 [details] bug 1329360 - avoid some NSS functions that internally use PK11_GetInternalKeySlot https://reviewboard.mozilla.org/r/104566/#review105426 Cool - glad to see us moving towards something simpler. ::: security/manager/ssl/nsNSSCertificateDB.cpp:537 (Diff revision 1) > - int i = 0; > - for (CERTCertListNode *chainNode = CERT_LIST_HEAD(certChain); > - !CERT_LIST_END(chainNode, certChain); > + if (encounteredFailure) { > + PR_SetError(savedErrorCode, 0); > + return SECFailure; > - chainNode = CERT_LIST_NEXT(chainNode), i++) { > - rawArray[i] = &chainNode->cert->derCert; > } > - SECStatus srv = CERT_ImportCerts(CERT_GetDefaultCertDB(), usage, chainLen, > - rawArray, nullptr, true, caOnly, nullptr); > > - PORT_Free(rawArray); > + return SECSuccess; Nit: I think we can just return `savedErrorCode` instead, and maybe update the callers to propagate the return value via `GetXPCOMFromNSSError()`.
Attachment #8826660 - Flags: review?(cykesiopka.bmo) → review+
Comment on attachment 8826660 [details] bug 1329360 - avoid some NSS functions that internally use PK11_GetInternalKeySlot https://reviewboard.mozilla.org/r/104566/#review105426 Thanks! > Nit: I think we can just return `savedErrorCode` instead, and maybe update the callers to propagate the return value via `GetXPCOMFromNSSError()`. I don't know if this is what you meant, but I ended up having ImportCertsIntoPermanentStorage return an nsresult (obtained via GetXPCOMFromNSSError) since its callers all return nsresult anyway.
Pushed by dkeeler@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/e6d89beea427 avoid some NSS functions that internally use PK11_GetInternalKeySlot r=Cykesiopka
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: