firefox doesn't use system certificate store

VERIFIED DUPLICATE of bug 449498

Status

Core
Security: PSM
VERIFIED DUPLICATE of bug 449498
6 years ago
4 years ago

People

(Reporter: Martin Stránský, Unassigned)

Tracking

Trunk
x86
Linux
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(URL)

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
Created attachment 498727 [details] [diff] [review]
adapted downstream patch

There is a system-wide NSS db in /etc/pki/nssdb which should be recognized by Firefox. With the attached patch if the system database isn't enabled, it should just continue to use the old DBM database.
Attachment #498727 - Flags: review?(kaie)
(Reporter)

Updated

6 years ago
Attachment #498727 - Flags: review?(kaie) → review?(honzab.moz)

Comment 1

6 years ago
Comment on attachment 498727 [details] [diff] [review]
adapted downstream patch


> extern "C" {
> #include "pkcs12.h"
> #include "p12plcy.h"
>+#include <unistd.h>
> }
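
Review bot: the added `#include <unistd.h>` inside the `extern "C"` block appears unused; none of the visible lines make a POSIX file call, and the surrounding includes are NSS headers. If the file I/O now goes through NSPR, drop this include and, if PR_* file functions are used, add `#include "prio.h"` next to the other NSS/NSPR includes so the include list reflects the real dependencies.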

I don't think we need to include unistd.h; this is probably a left-over from
the original version that made unix-style file I/O calls. The code now calls NSPR.
You may need to add a #include "prio.h" in the section with NSS-related includes.

---
I have questions about this style of initialization.
>+          init_rv = ::NSS_InitWithMerge(nssdb,
>+                                        "", "", SECMOD_DB,
>+                                        profileStr.get(), "", "",
>+                                        profileStr.get(), profileStr.get(), init_flags);
>+        }
>+    }
>+#endif
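
Review bot: the same `profileStr.get()` value is passed three times, as the update directory, the updateID and the updateName. NSS stores the updateID in the target database to mark that this update database has already been merged, so using a profile path as the ID means a moved or renamed profile will be treated as a new, unmerged source; either document that this is intended or pass a distinct, stable identifier. Also, `init_rv` is assigned here but the visible lines up to the `#endif` do not show it being checked; a failure from `NSS_InitWithMerge` should be handled explicitly (for example by falling back to the legacy DBM initialization the description mentions) rather than letting execution continue with NSS uninitialized.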

The nss-sysinit documentation recommends applications call NSS_InitReadAndWrite(sql:/etc/pki/nssdb);
as nss-sysinit will open the system db read-only, and the user db plus the user's added ones read-write. 
Is NSS_InitWithMerge() used because Mozilla applications don't yet support the shared db? 
Are there plans to do so?

Comment 2

6 years ago
(In reply to comment #1) 
Thanks to Bob Relyea's clarifications and a more careful reading of https://wiki.mozilla.org/NSS_Shared_DB_And_LINUX this becomes clear to me.

> The nss-sysinit documentation recommends applications call
> NSS_InitReadAndWrite(sql:/etc/pki/nssdb);

Yes, and the guidelines enumerate exceptions to this general rule. 

Firefox is an application that needs to perform automatic migration of an old legacy NSS database from an old location to the new system location, so initializing NSS with:
>+          init_rv = ::NSS_InitWithMerge(nssdb,
>+                                        "", "", SECMOD_DB,
>+                                        profileStr.get(), "", "",
>+                                        profileStr.get(), profileStr.get(), init_flags);

is what's prescribed, and the patch takes care of enabling support for the shared db and taking advantage of the system-wide certificate store.
Could anyone with good knowledge of NSS say what NSS_InitWithMerge exactly does?

Comment 4

6 years ago
(In reply to comment #3)
The sources I find most useful are (1) the NSS Shared DB Design proposal: https://bugzilla.mozilla.org/show_bug.cgi?id=620373 and the discussions in
the bug for it: https://bugzilla.mozilla.org/show_bug.cgi?id=391296

Comment 5

6 years ago
This is a dupe of bug 449498, which contains the same patch.

I just wrote a comment, at bug 449498 comment 10.

In my understanding the use of NSS_InitWithMerge requires application level user interface.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 449498
Status: RESOLVED → VERIFIED
Attachment #498727 - Flags: review?(honzab.moz)