294542 - CRMF code not in any NSS shared lib

Status: NEW

(NSS :: Libraries, enhancement, P4)

Description

[Jason Reid]

The following api calls in crmf.h are not found in a .def file.

CRMF_EncodeCertReqMsg NOT exported
CRMF_EncodeCertRequest NOT exported
CRMF_EncodeCertReqMessages NOT exported
CRMF_CreateCertReqMsg NOT exported
CRMF_DestroyCertReqMsg NOT exported
CRMF_CertReqMsgSetCertRequest NOT exported
CRMF_CreateCertRequest NOT exported
CRMF_DestroyCertRequest NOT exported
CRMF_CreateCertExtension NOT exported
CRMF_DestroyCertExtension NOT exported
CRMF_CertRequestSetTemplateField NOT exported
CRMF_CertRequestIsFieldPresent NOT exported
CRMF_CertRequestIsControlPresent NOT exported
CRMF_CertRequestSetRegTokenControl NOT exported
CRMF_CertRequestSetAuthenticatorControl NOT exported
CRMF_CreateEncryptedKeyWithEncryptedValue NOT exported
CRMF_DestroyEncryptedKey NOT exported
CRMF_CreatePKIArchiveOptions NOT exported
CRMF_DestroyPKIArchiveOptions NOT exported
CRMF_CertRequestSetPKIArchiveOptions NOT exported
CRMF_CertReqMsgGetPOPType NOT exported
CRMF_CertReqMsgSetRAVerifiedPOP NOT exported
CRMF_CertReqMsgSetSignaturePOP NOT exported
CRMF_CertReqMsgSetKeyEnciphermentPOP NOT exported
CRMF_CertReqMsgSetKeyAgreementPOP NOT exported
CRMF_CreateCertReqMsgFromDER NOT exported
CRMF_CreateCertReqMessagesFromDER NOT exported
CRMF_DestroyCertReqMessages NOT exported
CRMF_CertReqMessagesGetNumMessages NOT exported
CRMF_CertReqMessagesGetCertReqMsgAtIndex NOT exported
CRMF_CertReqMsgGetID NOT exported
CRMF_DoesRequestHaveField NOT exported
CRMF_CertReqMsgGetCertRequest NOT exported
CRMF_CertRequestGetCertTemplateVersion NOT exported
CRMF_CertRequestGetCertTemplateSerialNumber NOT exported
CRMF_CertRequestGetCertTemplateSigningAlg NOT exported
CRMF_CertRequestGetCertTemplateIssuer NOT exported
CRMF_CertRequestGetCertTemplateValidity NOT exported
CRMF_DestroyGetValidity NOT exported
CRMF_CertRequestGetCertTemplateSubject NOT exported
CRMF_CertRequestGetCertTemplatePublicKey NOT exported
CRMF_CertRequestGetCertTemplateIssuerUID NOT exported
CRMF_GetCertTemplateSubjectUID NOT exported
CRMF_CertRequestGetNumberOfExtensions NOT exported
CRMF_CertRequestGetExtensionAtIndex NOT exported
CRMF_CertExtensionGetOidTag NOT exported
CRMF_CertExtensionGetIsCritical NOT exported
CRMF_CertExtensionGetValue NOT exported
CRMF_CertReqMsgGetPOPOSigningKey NOT exported
CRMF_DestroyPOPOSigningKey NOT exported
CRMF_POPOSigningKeyGetAlgID NOT exported
CRMF_POPOSigningKeyGetSignature NOT exported
CRMF_POPOSigningKeyGetInput NOT exported
CRMF_CertReqMsgGetPOPKeyEncipherment NOT exported
CRMF_CertReqMsgGetPOPKeyAgreement NOT exported
CRMF_DestroyPOPOPrivKey NOT exported
CRMF_POPOPrivKeyGetChoice NOT exported
CRMF_POPOPrivKeyGetThisMessage NOT exported
CRMF_POPOPrivKeyGetSubseqMess NOT exported
CRMF_POPOPrivKeyGetDHMAC NOT exported
CRMF_CertRequestGetNumControls NOT exported
CRMF_CertRequestGetControlAtIndex NOT exported
CRMF_DestroyControl NOT exported
CRMF_ControlGetControlType NOT exported
CRMF_ControlGetRegTokenControlValue NOT exported
CRMF_ControlGetAuthicatorControlValue NOT exported
CRMF_ControlGetPKIArchiveOptions NOT exported
CRMF_DestroyPKIArchiveOptions NOT exported
CRMF_PKIArchiveOptionsGetOptionType NOT exported
CRMF_PKIArchiveOptionsGetEncryptedPrivKey NOT exported
CRMF_EncryptedKeyGetChoice NOT exported
CRMF_EncryptedKeyGetEncryptedValue NOT exported
CRMF_DestroyEncryptedValue NOT exported
CRMF_EncryptedValueGetEncValue NOT exported
CRMF_EncryptedValueGetIntendedAlg NOT exported
CRMF_EncryptedValueGetSymmAlg NOT exported
CRMF_EncryptedValueGetKeyAlg NOT exported
CRMF_EncryptedValueGetValueHint NOT exported
CRMF_EncryptedValueGetEncSymmKey NOT exported
CRMF_PKIArchiveOptionsGetKeyGenParameters NOT exported
CRMF_PKIArchiveOptionsGetArchiveRemGenPrivKey NOT exported
CRMF_GetBestWrapPadMechanism NOT exported
CRMF_GetIVFromMechanism NOT exported

Comment 1

[Nelson Bolyard (seldom reads bugmail)]

The CRMF functions are not in any .def file because they are not in any NSS
shared libs.  

Into which of the existing NSS shared libs, if any, should they be added?

Kai, any opinion on this?
Does mozilla even use the CRMF code?

Comment 2

[Kai Engert [:KaiE:]]

I don't have an opinion on this.
I think Bob and Wan-Teh are better candidates to propose where they should be
exported.

Why do you need them exported?
You can't simply link them statically?

Comment 3

[Kai Engert [:KaiE:]]

(In reply to comment #1)
> Does mozilla even use the CRMF code?

Yes, PSM calls several CRMF_ functions.
See file mozilla/security/manager/ssl/src/nsCrypto.cpp

Comment 4

[Kai Engert [:KaiE:]]

A solution to this bug, and reducing the need of PSM to link against libcrmf.a, could avoid a RPM package dependency issue we are currently trying to solve.

The issue is: When a Mozilla/PSM application gets built, it links in functions from libcrmf.a, which references the required exported functions from NSS.

We recently exported SEC_ASN1EncodeUnsignedInteger on the 3.11 branch. This function is used by the crmf code.

When the application package got compiled on an up-to-date build system, a dependency on that new exported symbol was added to the PSM shared library - although PSM does not use the new symbol itself.

Now we had a bug, where end users updated the Mozilla/PSM application ONLY, but did not update the NSS package.

This broke the Mozilla application, end users were no longer able to start it up.

We currently have to find a solution how to avoid this kind of "unfortunate dependency" in the future. Either by explicit, manual dependency configuration when producing the Mozilla application package, or hopefully by finding a way to automate recording of the NSS version dependency when producing the application package.

However, getting rid of libcrmf.a and only linking in dynamic NSS symbols, might also be a good solution to this bug (thanks to Wan-Teh for making this proposal).

This way, recompiling the Mozilla/PSM application would not introduce dependency on new symbols that are only used internally by NSS.