eliminate references to NSS key/cert/module files
16 years ago
(Reporter: mcs, Assigned: mcs)
(1 attachment, 1 obsolete attachment)
There are a few places where the LDAP C SDK code references NSS key,
certificate, or module database files by name. We need to eliminate all such
references so that changes made by NSS do not affect the LDAP C SDK. Some
occurrences I know about (will look for more):

mozilla/directory/c-sdk/ldap/libraries/libssldap/clientinit.c (.db and secmod.db)
mozilla/directory/c-sdk/ldap/clients/tools/common.c (see certpath2keypath())


Priority: -- → P1
Target Milestone: --- → 5.12

Comment 1
I don't see an easy way to avoid using "secmod.db" as a default name
(NSS_Initialize() does not accept NULL). And because of the way the
ldapssl_.*_init() APIs were originally defined, they need to know enough to
split a full key/cert DB path into a directory and prefix. But I fixed as much
as I can for now. Patch coming.

Comment 2
Created attachment 117851 [details] [diff] [review]
proposed fix

Most of the changes are de-linting (I made the mistake of running lint because
I was looking for a specific problem, and then felt compelled to fix many
things it complained about).

The real changes are threefold:

1) In ldap/libraries/libssldap/clientinit.c:ldapssl_pkcs_init(), the secmod.db
name (-m option to ldapsearch et al) was ignored. Now it is retrieved and used.

2) In ldap/client/tools/common.c, I eliminated a function named
certpath2keypath() that constructed a key DB path from a cert DB path. It isn't
really needed, since all NSS needs to know is the overall path and the prefix
(which is computed inside the libssldap code without relying on the fact that
key3.db is in the name). Now if no key DB path is given by the user but a cert
DB path is, the code in common.c just passes the cert DB path for the key DB

3) The ldapsearch and ldapcmp tools now exit( LDAP_NO_MEMORY ) if an LDIF
fragment can't be constructed. Previously such failures were ignored.

Comment 3
Created attachment 117852 [details] [diff] [review]
improved fix: added comment

Sorry. Same as the last diff, except I added this comment in
ldap/libraries/libssldap/clientinit.c above ldapssl_basic_init():

 * Note: by design, the keydbpath can actually be a certdbpath.  Some
 * callers rely on this behavior, e.g., the LDAP command line tools.
 * This function simply does not care whether the paths end in the
 * correct NSS filenames or not; the mission here is just to extract
 * the base directory (which is pulled out of certdbpath) and the
 * cert and key prefixes (pulled out of certdbpath and keydbpath
 * respectively).

Hopefully that will prevent someone from breaking this in the future.
Attachment #117851 - Attachment is obsolete: true
Attachment #117852 - Flags: review?(richm)

Comment 4
Fix looks good.

Comment 5
Fix committed to the trunk:

  new revision: 5.3; previous revision: 5.2
  new revision: 5.2; previous revision: 5.1
  new revision: 5.6; previous revision: 5.5
  new revision: 5.1; previous revision: 5.0
  new revision: 5.6; previous revision: 5.5
  new revision: 5.3; previous revision: 5.2
  new revision: 5.3; previous revision: 5.2
  new revision: 5.2; previous revision: 5.1
  new revision: 5.2; previous revision: 5.1
  new revision: 5.5; previous revision: 5.4
    Fix 183385 - eliminate references to NSS key/cert/module files.
        The LDAP tools code no longer has any knowledge of the NSS
        file names; the certpath2keypath() function has been deleted
        and we now simply use the certdbpath as keydbpath when it is
        provided (it makes no difference in the end). But note that
        because we need to maintain backwards compatibility, the
        libssldap code used by the ldapssl_.*_init() functions still
        knows the default name of the NSS module file (secmod.db),
        and the code also relies on the fact that the suffix for the
        key and cert files is ".db" and that the first letter in the
        main part of the name is either 'c' or 'k'.
    Also fixed a bug that caused the module file name specified on
        the LDAP tools command line (-m name) to be ignored.
    The ldapsearch and ldapcmp tools now exit with LDAP_NO_MEMORY
        if an LDIF fragment can't be constructed.
    Also fixed some issues reported by lint:
        Return values that were ignored.
        Make more functions and global variables static.
        Add /*ARGSUSED*/ and similar lint-friendly comments.
Last Resolved: 16 years ago
Resolution: --- → FIXED
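The directory/prefix split described in the clientinit.c note (Comment 3) and the commit message above, written out as an added C example that is not the LDAP C SDK's own code. nss_split_dbpath() and nss_split_matches() are hypothetical names; the only assumptions are the two invariants the commit message states (the file name ends in ".db" and its main part starts with 'c' for a cert DB or 'k' for a key DB), and because keydbpath may legitimately be a certdbpath, the helper accepts either kind in either slot and reports which one it found.

```c
#include <string.h>

#define NSS_DB_SUFFIX ".db"

/* Hypothetical helper (not the SDK's clientinit.c code): split an NSS DB path
 * into base directory and file prefix. Returns 'c' or 'k' for the DB kind,
 * or 0 if the name does not look like an NSS DB file. dir and prefix must
 * each hold at least strlen(path) + 1 bytes. */
int nss_split_dbpath(const char *path, char *dir, char *prefix)
{
    const char *base, *slash, *p, *main_part = NULL;
    size_t baselen, sufflen = strlen(NSS_DB_SUFFIX);

    /* Base directory is everything before the last '/'; "." if there is none. */
    slash = strrchr(path, '/');
    if (slash == NULL) {
        strcpy(dir, ".");
        base = path;
    } else {
        memcpy(dir, path, (size_t)(slash - path));
        dir[slash - path] = '\0';
        if (dir[0] == '\0')
            strcpy(dir, "/");            /* path like "/cert8.db" */
        base = slash + 1;
    }
    /* Page invariant 1: the name ends in ".db" with something in front of it. */
    baselen = strlen(base);
    if (baselen <= sufflen || strcmp(base + baselen - sufflen, NSS_DB_SUFFIX) != 0)
        return 0;
    /* Page invariant 2: the main part ("cert8", "key3") starts with 'c' or 'k'.
     * "cert" has no 'k' and "key" no 'c', so the rightmost of either letter
     * before the suffix is where the caller's prefix ends. */
    for (p = base; p < base + baselen - sufflen; p++)
        if (*p == 'c' || *p == 'k')
            main_part = p;
    if (main_part == NULL)
        return 0;
    memcpy(prefix, base, (size_t)(main_part - base));
    prefix[main_part - base] = '\0';
    return *main_part;
}

/* Returns the kind if path splits into exactly want_dir and want_prefix, else 0. */
int nss_split_matches(const char *path, const char *want_dir, const char *want_prefix)
{
    char dir[256], prefix[256];
    int kind = strlen(path) < sizeof dir ? nss_split_dbpath(path, dir, prefix) : 0;
    return (kind && !strcmp(dir, want_dir) && !strcmp(prefix, want_prefix)) ? kind : 0;
}
```

With the stock names "cert8.db" or "key3.db" the prefix comes back empty, which is why passing the cert DB path in the key DB slot yields the same directory and a usable prefix.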

Comment 6
Spam for bug 129472
QA Contact: nobody → nobody

Comment 7
Comment on attachment 117852 [details] [diff] [review]
improved fix: added comment

removing obsolete review request
Attachment #117852 - Flags: review?(richm)