Closed
Bug 358785
Opened 18 years ago
Closed 17 years ago
Merge NSS_LIBPKIX_BRANCH back to trunk
Categories
(NSS :: Libraries, defect, P1)
NSS
Libraries
Tracking
(Not tracked)
RESOLVED
FIXED
3.12
People
(Reporter: KaiE, Assigned: alvolkov.bgs)
References
Details
(Whiteboard: PKIX)
Attachments
(6 files, 10 obsolete files)
|
1.17 KB,
patch
|
rrelyea
:
review+
|
Details | Diff | Splinter Review |
|
30.24 KB,
text/plain
|
nelson
:
review+
rrelyea
:
superreview+
|
Details |
|
529 bytes,
text/plain
|
Details | |
|
4.21 KB,
text/plain
|
nelson
:
review+
|
Details |
|
78.44 KB,
patch
|
Details | Diff | Splinter Review | |
|
91.70 KB,
patch
|
julien.pierre
:
review+
|
Details | Diff | Splinter Review |
The code developed on NSS_LIBPKIX_BRANCH should be merged into the trunk of NSS development, and once it is done, work on the branch should stop. It would be good to get this done this week.
|
Reporter | |
Comment 1•18 years ago
|
||
This diff compares two directories on my system. The left hand side was the result of using "cvs update -j" on the trunk. It contains about 20 conflicts. The right hand side is the result of my manual attempt to clean up the conflicts. The biggest code conflict in code was in file genname.c, my attempt to resolve the conflict is most likely wrong...? I have already asked Julien to help and produce a merged version of that file. Another larger conflict is the code of the new HTTP client callback API. It seems cvs was not smart merging those portions, several sections were duplicated, maybe there were too many whitespace changes. I believe I merged it correctly.
|
|
Reporter | |
Comment 2•18 years ago
|
||
When merging the pkix branch to the trunk, and still having the conflicts in the tree, this diff lists all the changes to the existing files. It ignores new files.
|
|
Reporter | |
Comment 3•18 years ago
|
||
This diff was produced after my attempt to remove the conflicts. It still requires a correct genname.c merge.
|
||
Comment 4•18 years ago
|
||
Comment on attachment 244112 [details] [diff] [review] Diff showing changes to existing files only (most conflicts removed, genname pending) All the changes to mozilla/security/coreconf should be ignored.
|
|
||
Comment 5•18 years ago
|
||
Fix the x509PolicyConstraints OID (you can verify by searching for id-ce-policyConstraints in RFC 3280). Fix errors in a comment.
Attachment #244522 -
Flags: review?(rrelyea)
|
|
||
Comment 6•18 years ago
|
||
I suggest that we land libpkix's new files on the NSS trunk first. This will make it easy to review them and the changes to existing files. Please use review+ to indicate your approval of checking in the new files listed in this attachment on the NSS trunk. The contents of the new files will be taken from the NSS_LIBPKIX_BRANCH, with the license header replaced by the MPL/GPL/LGPL triple license.
Attachment #244619 -
Flags: superreview?(rrelyea)
Attachment #244619 -
Flags: review?(nelson)
|
|
||
Comment 7•18 years ago
|
||
As this attachment shows, libpkix only modifies a small number of existing files. I will attach the patch for these files next.
|
|
||
Comment 8•18 years ago
|
||
I examined all the changes to existing files made by libpkix. I resolved all the merging conflicts, including the conflicts in lib/certdb/genname.c. I only made a small number of editing changes to make the coding style blend in better with existing NSS code. I plan to implement a better solution for exporting the PKIX symbols from nss.def for the PKIX unit tests, but you can start reviewing and experimenting with this patch. I do have some suggested changes based on my review. 1. secoidt.h and secoid.c I suggest that we change inhibitAny to inhibitAnyPolicy. Note that the patch changes three policy-related extensions from UNSUPPORTED to SUPPORTED. 2. cert.h Note that the patch changes the function prototype of CERT_FindCRLNumberExten. This function is not exported in nss.def, even though it is declared in the public header cert.h. 3. certt.h I suggest that we shorten the following policy-related type names. CERTCertificatePolicyMappings => CERTPolicyMappings CERTCertificatePolicyConstraints => CERTPolicyConstraints CERTCertificateInhibitAny => CERTInhibitAnyPolicy In CERTCRLEntryReasonCode (CRL entry reason code), "Unspecified" is called "unused" in RFC 3280, and "certificatedHold" should be renamed "CertificateHold". RFC 3280 doesn't have "RemoveFromCRL". The extra reason code "RemoveFromCRL" caused the values of "PrivilegeWithdrawn" and "AcCompromise" to be one greater than their values in RFC 3280. 4. ocsp.h and nss.def Note that we export the function GetRegisteredHttpClient. This function, whose name doesn't have a prefix, doesn't match our naming convention for public functions.
|
|
||
Updated•18 years ago
|
Attachment #244109 -
Attachment is obsolete: true
|
|
||
Updated•18 years ago
|
Attachment #244111 -
Attachment is obsolete: true
|
|
||
Updated•18 years ago
|
Attachment #244112 -
Attachment is obsolete: true
|
|
||
Comment 9•18 years ago
|
||
I found that I missed four CERT_ functions that the libpkix branch exports from nss.def, so I added them to the NSS_3.12 section. I can build and run all the test programs without exporting those four CERT_ functions, so I don't know why they are exported. Note that one of these four CERT_ functions is CERT_FindCRLNumberExten, whose function prototype is changed by libpkix. I also found that the new libpkix files already use the MPL/GPL/LGPL triple license. The only problem is that they say: The Original Code is the Netscape security libraries. The Initial Developer of the Original Code is Netscape Communications Corporation. Copyright (C) 1994-2000 Ideally these should be changed to reflect the fact that Sun wrote the original code (libpkix) starting in 2004.
Attachment #244621 -
Attachment is obsolete: true
|
||
Comment 10•18 years ago
|
||
Comment on attachment 244619 [details]
List of new files added by libpkix
I've never been asked to review a list of file names before. I'm not sure how to review them.
Here are some comments.
It seems like this list has a lot of directories, each of which holds just a single .c file, a manifest, and a Makefile.
Are these necessary?
Does each build a separate executable?
If not, I'd surely prefer that the .c files be consolidated into fewer directories. Remember that, once added, directories can never be removed from the CVS repository or workareas pulled therefrom.
Also, up until now, we've carefully avoided having checked-in copies of cert and key DBs for testing. Is this now unavoidable?
|
||
Comment 11•18 years ago
|
||
Comment on attachment 244522 [details] [diff] [review] Bug fixes for secoid.c r=relyea
Attachment #244522 -
Flags: review?(rrelyea) → review+
|
|
||
Comment 12•18 years ago
|
||
Comment on attachment 244619 [details]
List of new files added by libpkix
These files are all in libpkix directories, r=relyea to check in.
No review of the content has been make.
Attachment #244619 -
Flags: superreview?(rrelyea) → superreview+
|
|
||
Comment 13•18 years ago
|
||
Comment on attachment 244522 [details] [diff] [review] Bug fixes for secoid.c I checked in the patch "bug fixes for secoid.c" on the NSS trunk (NSS 3.12). Checking in secoid.c; /cvsroot/mozilla/security/nss/lib/util/secoid.c,v <-- secoid.c new revision: 1.33; previous revision: 1.32 done
|
|
||
Updated•18 years ago
|
Attachment #244619 -
Flags: review?(nelson) → review+
|
|
||
Comment 14•18 years ago
|
||
Comment on attachment 244619 [details]
List of new files added by libpkix
I merged the mozilla/security/nss/lib/libpkix directory onto the
NSS trunk. It is not being built yet.|
|
||
Comment 15•17 years ago
|
||
Nelson, in comment 10 you noted that many directories under cmd/libpkix contain only Makefile, manifest.mn, and a single .c file. I collapsed one level of these directories. This is the list of files. Please review it. Note that I kept the subdirectories under cmd/libpkix/{pkix,pkix_pl} so that they match the subdirectories under lib/libpkix/{pkix,pkix_pl}. A small number of these subdirectories have only one or two .c files. Do you want me to further collapse the subdirectories under cmd/libpkix{pkix,pkix_pl}? Or is this list good enough?
Attachment #256239 -
Flags: review?(nelson)
|
|
||
Comment 16•17 years ago
|
||
Comment on attachment 256239 [details]
Proposed cmd/libpkix file list
This consolidation of test programs reduced the number of new files
in cmd/libpkix from 239 to 109.|
|
||
Comment 17•17 years ago
|
||
Comment on attachment 256239 [details]
Proposed cmd/libpkix file list
Wan-Teh, this is a HUGE improvement. I think this is fine. Thank you very much!
Attachment #256239 -
Flags: review?(nelson) → review+
|
|
||
Comment 18•17 years ago
|
||
Comment on attachment 256239 [details]
Proposed cmd/libpkix file list
I added the new files listed in this patch on the
NSS trunk (NSS 3.12). They are all under the directory
mozilla/security/nss/cmd/libpkix.|
|
||
Comment 19•17 years ago
|
||
I will provide two solutions for giving the libpkix test programs access to the LIBPKIX functions. This patch is solution 1. By default, we build the regular libnss3.so and don't build and run the libpkix test programs. If the environment variable BUILD_LIBPKIX_TESTS is set to 1, we build the special libnss3.so that exports the LIBPKIX functions, and build and run the libpkix test programs. Tomorrow I will attach another patch for solution 2: link the libpkix test programs with NSS static libraries.
Attachment #244635 -
Attachment is obsolete: true
|
|
||
Comment 20•17 years ago
|
||
I cleaned up the patch a little.
Attachment #256550 -
Attachment is obsolete: true
|
|
||
Comment 21•17 years ago
|
||
Comment on attachment 256690 [details] [diff] [review] libpkix patch for existing files (set BUILD_LIBPKIX_TESTS for building libpkix test programs) v2 The main code cleanup is that the newly exported function GetRegisteredHttpClient (defined in ocsp.c) is renamed SEC_GetRegisteredHttpClient.
|
|
||
Comment 22•17 years ago
|
||
In this alternative patch, we link the libpkix test programs with NSS static libraries, so that we don't need to export the libpkix functions from libnss3.so/nss3.dll.
|
||
Comment 23•17 years ago
|
||
Wan-Teh, Using static NSS libs with the many libpkix test programs will cause issues for builds. The files will be much bigger, and build times will be higher. When you multiply the disk space by each platform, this becomes significant. Also, many official builds and tinderboxes are done on network drives concurrently, and the network and disk bandwidth requirements will go up in addition to the space. I would advise using dynamic libraries.
|
|
||
Comment 24•17 years ago
|
||
maybe you shoul prefix the names with double-underscore to signify that they're private symbols.
|
Assignee | |
Updated•17 years ago
|
Whiteboard: PKIX
|
|
Assignee | |
Updated•17 years ago
|
Target Milestone: --- → 3.12
|
|
||
Comment 25•17 years ago
|
||
I landed the libpkix test scripts and data in the
mozilla/security/nss/tests/libpkix directory on the
NSS trunk (NSS 3.12).
Three directories
(mozilla/security/nss/tests/libpkix/{pkix_pl_tests/module,pkix_tests/top,sample_apps/cert8.db})
contain NSS database files (cert8.db,key3.db,secmod.db).
We'll deal with them later.|
|
||
Comment 26•17 years ago
|
||
I made a minor mistake. The three directories should be
mozilla/security/nss/tests/libpkix/{pkix_pl_tests/module,pkix_tests/top,sample_apps}.|
|
||
Comment 27•17 years ago
|
||
Comment on attachment 256690 [details] [diff] [review] libpkix patch for existing files (set BUILD_LIBPKIX_TESTS for building libpkix test programs) v2 Alexei, please review this patch and the next one attached, and choose one.
Attachment #256690 -
Flags: review?(alexei.volkov.bugs)
|
|
Assignee | |
Updated•17 years ago
|
Assignee: nobody → alexei.volkov.bugs
|
|
Assignee | |
Comment 28•17 years ago
|
||
code cleanup. changes in crlv2.c, policyxtn.c. Julien please review crl.c changes in cache functions.
Attachment #256690 -
Attachment is obsolete: true
Attachment #263373 -
Flags: review?
Attachment #256690 -
Flags: review?(alexei.volkov.bugs)
|
|
Assignee | |
Updated•17 years ago
|
Attachment #263373 -
Flags: review? → review?(julien.pierre.boogz)
|
|
||
Comment 29•17 years ago
|
||
Comment on attachment 244522 [details] [diff] [review] Bug fixes for secoid.c This corrective patch should also have been applied to the 3.11 branch, IMO. I will make this correction on the branch as part of another patch.
|
|
Assignee | |
Updated•17 years ago
|
Priority: -- → P1
|
|
||
Comment 30•17 years ago
|
||
Comment on attachment 263373 [details] [diff] [review] libpkix patch for existing files (set BUILD_LIBPKIX_TESTS for building libpkix test programs) v3 I gave Alexei my review feedback in person. Some changes are needed.
Attachment #263373 -
Flags: review?(julien.pierre.boogz) → review-
|
|
Assignee | |
Comment 31•17 years ago
|
||
changes for problems found during review.
Attachment #263373 -
Attachment is obsolete: true
Attachment #265969 -
Flags: review?
|
|
||
Comment 32•17 years ago
|
||
Comment on attachment 265969 [details] [diff] [review] libpkix patch for existing files (set BUILD_LIBPKIX_TESTS for building libpkix test programs) v4 I think Alexei meant to ask Julien for this review.
Attachment #265969 -
Flags: review? → review?(julien.pierre.boogz)
|
|
||
Comment 33•17 years ago
|
||
Comment on attachment 265969 [details] [diff] [review] libpkix patch for existing files (set BUILD_LIBPKIX_TESTS for building libpkix test programs) v4 There is still a problem in CERT_FinCRLEntryReasonExten . wrapperItem needs to be initialized . I believe the assignment as written only initializes tmpItem .
Attachment #265969 -
Flags: review?(julien.pierre.boogz) → review-
|
|
||
Comment 34•17 years ago
|
||
Other comments : - Even though many existing destroy functions return void, I think returning void is a bad idea for public functions in general. So, I recommend we don't propagate this error because of history, and make CERT_DestroyPolicyMappingsExtension return SECStatus instead of void . If relevant errors pop up in the future, we won't be able to tell the caller about them if the function is made public and returning void now. - A little merge work is needed for nss.def / secoid.c / secoidt.h for this patch to apply . I understand the patch was created against an old tree which you kept at my request in order to diff the 2 patches. But the next submission should probably made against the trunk. - Re: the typo in the field of a public structure, DERPermited , I am of the opinion that it's OK to rename it to DERPermitted . This won't break binary compatibility. It may break source compatibility, but in that unlikely event, the application would have an easy 1-letter fix .
|
|
Assignee | |
Comment 35•17 years ago
|
||
builds and passes all nss tests
Attachment #265969 -
Attachment is obsolete: true
Attachment #266032 -
Flags: review?(julien.pierre.boogz)
|
|
Assignee | |
Comment 36•17 years ago
|
||
Attachment #266032 -
Attachment is obsolete: true
Attachment #266034 -
Flags: review?(julien.pierre.boogz)
Attachment #266032 -
Flags: review?(julien.pierre.boogz)
|
|
||
Comment 37•17 years ago
|
||
Comment on attachment 266034 [details] [diff] [review] last patch failed to fix initialization of wrapperItem. Fixing it now. v6 This looks good, Alexei. Thank you !
Attachment #266034 -
Flags: review?(julien.pierre.boogz) → review+
|
|
Assignee | |
Comment 38•17 years ago
|
||
v6 is checked into trunk /cvsroot/mozilla/security/nss/cmd/Makefile,v <-- Makefile new revision: 1.7; previous revision: 1.6 /cvsroot/mozilla/security/nss/cmd/platlibs.mk,v <-- platlibs.mk new revision: 1.48; previous revision: 1.47 /cvsroot/mozilla/security/nss/lib/manifest.mn,v <-- manifest.mn new revision: 1.17; previous revision: 1.16 /cvsroot/mozilla/security/nss/lib/certdb/cert.h,v <-- cert.h new revision: 1.57; previous revision: 1.56 /cvsroot/mozilla/security/nss/lib/certdb/certi.h,v <-- certi.h new revision: 1.17; previous revision: 1.16 /cvsroot/mozilla/security/nss/lib/certdb/certt.h,v <-- certt.h new revision: 1.36; previous revision: 1.35 /cvsroot/mozilla/security/nss/lib/certdb/crl.c,v <-- crl.c new revision: 1.56; previous revision: 1.55 /cvsroot/mozilla/security/nss/lib/certdb/genname.c,v <-- genname.c new revision: 1.32; previous revision: 1.31 /cvsroot/mozilla/security/nss/lib/certdb/polcyxtn.c,v <-- polcyxtn.c new revision: 1.7; previous revision: 1.6 /cvsroot/mozilla/security/nss/lib/certhigh/crlv2.c,v <-- crlv2.c new revision: 1.5; previous revision: 1.4 /cvsroot/mozilla/security/nss/lib/certhigh/ocsp.c,v <-- ocsp.c new revision: 1.42; previous revision: 1.41 /cvsroot/mozilla/security/nss/lib/certhigh/ocsp.h,v <-- ocsp.h new revision: 1.11; previous revision: 1.10 /cvsroot/mozilla/security/nss/lib/libpkix/pkix/certsel/manifest.mn,v <-- manifest.mn new revision: 1.3; previous revision: 1.2 /cvsroot/mozilla/security/nss/lib/libpkix/pkix/checker/manifest.mn,v <-- manifest.mn new revision: 1.3; previous revision: 1.2 /cvsroot/mozilla/security/nss/lib/libpkix/pkix/crlsel/manifest.mn,v <-- manifest.mn new revision: 1.3; previous revision: 1.2 /cvsroot/mozilla/security/nss/lib/libpkix/pkix/params/manifest.mn,v <-- manifest.mn new revision: 1.3; previous revision: 1.2 /cvsroot/mozilla/security/nss/lib/libpkix/pkix/results/manifest.mn,v <-- manifest.mn new revision: 1.3; previous revision: 1.2 /cvsroot/mozilla/security/nss/lib/libpkix/pkix/store/manifest.mn,v <-- manifest.mn new revision: 1.3; previous revision: 1.2 /cvsroot/mozilla/security/nss/lib/libpkix/pkix/top/manifest.mn,v <-- manifest.mn new revision: 1.3; previous revision: 1.2 /cvsroot/mozilla/security/nss/lib/libpkix/pkix/util/manifest.mn,v <-- manifest.mn new revision: 1.3; previous revision: 1.2 /cvsroot/mozilla/security/nss/lib/libpkix/pkix_pl_nss/module/manifest.mn,v <-- manifest.mn new revision: 1.3; previous revision: 1.2 /cvsroot/mozilla/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_aiamgr.c,v <-- pkix_pl_aiamgr.c new revision: 1.3; previous revision: 1.2 /cvsroot/mozilla/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c,v <-- pkix_pl_httpcertstore.c new revision: 1.3; previous revision: 1.2 /cvsroot/mozilla/security/nss/lib/libpkix/pkix_pl_nss/pki/manifest.mn,v <-- manifest.mn new revision: 1.3; previous revision: 1.2 /cvsroot/mozilla/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c,v <-- pkix_pl_cert.c new revision: 1.3; previous revision: 1.2 /cvsroot/mozilla/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_generalname.c,v <-- pkix_pl_generalname.c new revision: 1.3; previous revision: 1.2 /cvsroot/mozilla/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_nameconstraints.c,v <-- pkix_pl_nameconstraints.c new revision: 1.3; previous revision: 1.2 /cvsroot/mozilla/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c,v <-- pkix_pl_ocspresponse.c new revision: 1.4; previous revision: 1.3 /cvsroot/mozilla/security/nss/lib/libpkix/pkix_pl_nss/system/manifest.mn,v <-- manifest.mn new revision: 1.3; previous revision: 1.2 /cvsroot/mozilla/security/nss/lib/nss/Makefile,v <-- Makefile new revision: 1.5; previous revision: 1.4 /cvsroot/mozilla/security/nss/lib/nss/config.mk,v <-- config.mk new revision: 1.28; previous revision: 1.27 /cvsroot/mozilla/security/nss/lib/nss/nss.def,v <-- nss.def new revision: 1.175; previous revision: 1.174 /cvsroot/mozilla/security/nss/lib/nss/nssinit.c,v <-- nssinit.c new revision: 1.80; previous revision: 1.79 RCS file: /cvsroot/mozilla/security/nss/lib/nss/pkixpriv.def,v /cvsroot/mozilla/security/nss/lib/nss/pkixpriv.def,v <-- pkixpriv.def initial revision: 1.1 /cvsroot/mozilla/security/nss/lib/util/secoid.c,v <-- secoid.c new revision: 1.37; previous revision: 1.36 /cvsroot/mozilla/security/nss/tests/all.sh,v <-- all.sh new revision: 1.28; previous revision: 1.27
|
|
||
Comment 39•17 years ago
|
||
> Re: the typo in the field of a public structure, DERPermited , I am of the
> opinion that it's OK to rename it to DERPermitted . This won't break binary
> compatibility. It may break source compatibility, but in that unlikely event,
> the application would have an easy 1-letter fix .
Julien, I think you have forgotten the vehemence with which Sun server teams
chastised us over changes of this nature in the past.
The safe way to make such changes for the names of structure members
is shown in this pseudo patch.
struct foo {
...
- int oldname;
+ int newname;
...
}
+#define oldname newname|
|
||
Comment 40•17 years ago
|
||
There is a build failure on HP-UX in the pkixutil.sl shared library. grep -v ';+' pkixutil.def | grep -v ';-' | sed -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,,' -e 's,^,+e ,' > HP-UXB.11.11_DBG. OBJ/pkixutil.def rm -f HP-UXB.11.11_DBG.OBJ/libpkixutil.sl ld -b +h libpkixutil.sl -c HP-UXB.11.11_DBG.OBJ/pkixutil.def -o HP-UXB.11.11_DBG.OBJ/libpkixutil.sl HP-UXB.11.11_DBG.OBJ/ testutil_nss.o HP-UXB.11.11_DBG.OBJ/testutil.o ../../../../../dist/HP-UXB.11.11_DBG.OBJ/lib/libsectool.a -Wl,+b,'$ORI GIN/../lib' -L../../../../../dist/HP-UXB.11.11_DBG.OBJ/lib -lssl3 -lsmime3 -lnss3 -lnssutil3 -L../../../../../dist/HP-UXB .11.11_DBG.OBJ/lib -lplc4 -lplds4 -lnspr4 -lpthread -lm -lrt ld: Unrecognized argument: -Wl,+b,$ORIGIN/../lib ld: Usage: ld [options] [flags] files gmake-3.80[2]: *** [HP-UXB.11.11_DBG.OBJ/libpkixutil.sl] Error 1 gmake-3.80[2]: Leaving directory `/net/monstre/export/home/julien/nss/tip2/mozilla/security/nss/cmd/libpkix/testutil' gmake-3.80[1]: *** [libs] Error 2 gmake-3.80[1]: Leaving directory `/net/monstre/export/home/julien/nss/tip2/mozilla/security/nss/cmd/libpkix' gmake-3.80: *** [libs] Error 2
Hardware: PC → All
|
|
||
Comment 41•17 years ago
|
||
Note that this failure goes undetected in Christophe's builds or tinderbox because they do not set BUILD_LIBPKIX_TESTS . But I have that set in my .cshrc .
|
|
||
Comment 42•17 years ago
|
||
Any WHY don't they build libpkix tests?
|
|
||
Comment 43•17 years ago
|
||
Nelson, Building libpkix tests currently causes a different NSS shared library to be built, one that has all the pkix symbols made public, so that the libpkix test programs can call them. That is not fit for release. I think it should be OK for the tinderboxes to build and test this way, since we don't release from tinderbox. For the nightly builds, I have suggested before that we build two versions of libnss3, one with the symbols public and another with them private.
|
|
||
Updated•17 years ago
|
|
|
||
Comment 44•17 years ago
|
||
What part of this bug remains undone? What code from the branch has not yet been merged to the trunk?
|
|
Assignee | |
Updated•17 years ago
|
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•