Closed Bug 1395495 Opened 2 years ago Closed 2 years ago

modutil -create should initialize database with empty password

Categories

(NSS :: Tools, defect, P3)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: ueno, Assigned: ueno)

Attachments

(2 files, 1 obsolete file)

Attached patch modutil-create-doc.patch (obsolete) — Splinter Review
When an NSS database is created with "modutil -create", the initial password is set invalid and the database is unusable until the password is set with "modutil -changepw":

$ mkdir nssdb
$ modutil -dbdir sql:nssdb -create
$ certutil -S -s 'CN=ca' -n ca -x -t 'C,,' -d sql:nssdb
certutil: unable to generate key(s)
: SEC_ERROR_IO: An I/O error occurred during security authorization.

I would suggest to expand the doc to state that explicitly to avoid any confusion, like the attached patch.
Attachment #8903073 - Flags: review?(kaie)
I think before we add this documentation, we should clarify if this is really the intended behavior, or if this is a bug and modutil should be changed to reject creation of such a database.

It seems this behavior is identical with both dbm: and sql: databases.

I think Bob should give us a recommendation for the intention.
Flags: needinfo?(rrelyea)
Attachment #8903073 - Flags: review?(kaie)
After we've discussed this in a meeting, we've reached an agreement to consider it a bug that modutil creates an uninitialized database, and that modutil should be changed in the following way:

If "modutil -create" is used, but no password parameter is given, then it should init NSS with a default (empty) password.

We may either close this bug and file a new one, or we could just change the purpose/subject of this bug.
Flags: needinfo?(rrelyea)
(In reply to Kai Engert (:kaie:) from comment #2)

> We may either close this bug and file a new one, or we could just change the
> purpose/subject of this bug.

OK, let's reuse this bug.  I will attach a new patch.
Summary: modutil doc should state that -changepw is required after -create → modutil -create should initialize database with empty password
Attachment #8903073 - Attachment is obsolete: true
Attachment #8908620 - Flags: review?(kaie)
Comment on attachment 8908620 [details] [diff] [review]
modutil-create-empty.patch

Looks good, only a minor suggestion.

Instead of naming the test
  "Creating empty DB with modutil -create"
how about
  "Test if DB created by modutil -create is initialized"

(text is in two places)

r=kaie
Attachment #8908620 - Flags: review?(kaie) → review+
(In reply to Kai Engert (:kaie:) from comment #6)
>   "Test if DB created by modutil -create is initialized"

I assume you don't object to this name, I believe it's more descriptive.

I'll make that change for you and check it in.
https://hg.mozilla.org/projects/nss/rev/279b257c6433
Assignee: nobody → dueno
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.34
Sorry for the test failure; this patch should fix it.
Attachment #8909313 - Flags: review?(kaie)
I notice that you use two different directory variables R_TOOLSDIR and TOOLSDIR, maybe it's better to be consistent? I assume that one is relative and the other is an absolute path, probably both will work.

Maybe you should also print an error message if the first step, the database creation, failed.
Comment on attachment 8909313 [details] [diff] [review]
modutil-create-fix-test.patch

ok, let's try that, r=kaie

https://hg.mozilla.org/projects/nss/rev/70109a01ce53
Attachment #8909313 - Flags: review?(kaie) → review+
Blocks: 1415847
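
A check for the behaviour discussed in this bug, as an added example that is not part of the thread or of the NSS patches: it creates a throwaway database with "modutil -create" and then attempts the same "certutil -S" operation from the report, so a build that still produces an uninitialized database is reported before scripts depend on it. The names check_created_db and NSS_BINDIR are hypothetical; the noise file is constructed so certutil does not wait for keyboard input.

```shell
#!/bin/sh
# Added example, not NSS project code.
# check_created_db and NSS_BINDIR are hypothetical names for this sketch.
#
# Return codes:
#   0 = database created by "modutil -create" is usable
#   1 = database was created but key generation failed (uninitialized token)
#   2 = database creation itself failed
#   3 = modutil or certutil not found
check_created_db() {
    bindir=${NSS_BINDIR:-}
    modutil=${bindir:+$bindir/}modutil
    certutil=${bindir:+$bindir/}certutil
    command -v "$modutil" >/dev/null 2>&1 || return 3
    command -v "$certutil" >/dev/null 2>&1 || return 3

    workdir=$(mktemp -d) || return 2
    mkdir "$workdir/nssdb"
    # Constructed noise input so certutil does not ask for keyboard entropy.
    head -c 2048 /dev/urandom > "$workdir/noise"

    rc=0
    # -force skips modutil's interactive confirmation prompt.
    if ! "$modutil" -dbdir "sql:$workdir/nssdb" -create -force \
            </dev/null >/dev/null 2>&1; then
        rc=2
    # Same operation as in the report: key generation needs an initialized token.
    elif ! "$certutil" -S -s 'CN=ca' -n ca -x -t 'C,,' \
            -d "sql:$workdir/nssdb" -z "$workdir/noise" \
            </dev/null >/dev/null 2>&1; then
        rc=1
    fi
    rm -rf "$workdir"
    return $rc
}
```

A return code of 1 corresponds to the failure shown in the original report; on such a build the database has to be given a password with "modutil -changepw" before use.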