Bug 620373 - firefox doesn't use system certificate store
Status: VERIFIED DUPLICATE of bug 449498
Product: Core
Classification: Components
Component: Security: PSM
Version: Trunk
Platform: x86 Linux
Importance: -- normal with 2 votes
Assigned To: Nobody; OK to take it and work on it
https://bugzilla.redhat.com/show_bug....
Reported: 2010-12-20 06:27 PST by Martin Stránský
Modified: 2013-03-27 04:04 PDT
Attachments
adapted downstream patch (3.13 KB, patch), 2010-12-20 06:27 PST, Martin Stránský

Description Martin Stránský 2010-12-20 06:27:20 PST
Created attachment 498727
adapted downstream patch

There is a system-wide NSS db in /etc/pki/nssdb which should be recognized by Firefox. With the attached patch, if the system database isn't enabled, it should just continue to use the old DBM database.
Comment 1 Elio Maldonado 2011-01-27 11:07:40 PST
Comment on attachment 498727
adapted downstream patch

> extern "C" {
> #include "pkcs12.h"
> #include "p12plcy.h"
>+#include <unistd.h>
> }
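Review bot: `<unistd.h>` is a POSIX-only header, so this unconditional include inside the `extern "C"` block would fail on the non-Unix platforms PSM is also built for unless it is guarded; if the remaining code only goes through NSPR it is not needed at all, and `prio.h` should be added with the other NSPR/NSS includes instead.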

I don't think we need to include unistd.h; this is probably a left-over from
the original version that made unix-style file I/O calls. The code now calls NSPR.
You may need to add a #include "prio.h" in the section with NSS-related includes.

---
I have questions about this style of initialization.
>+          init_rv = ::NSS_InitWithMerge(nssdb,
>+                                        "", "", SECMOD_DB,
>+                                        profileStr.get(), "", "",
>+                                        profileStr.get(), profileStr.get(), init_flags);
>+        }
>+    }
>+#endif
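Review bot: `init_rv` receives the result of `NSS_InitWithMerge` but nothing in the quoted lines checks it before the block closes at `#endif`; the bug description promises a fallback to the old DBM database when the system db isn't enabled, so the branch on `init_rv != SECSuccess` that performs that fallback should be visible in this hunk. As a style point, `profileStr.get()` is passed in three argument positions alongside several empty-string arguments, which makes the call hard to read; a comment naming what each position means would help reviewers.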

The nss-sysinit documentation recommends applications call NSS_InitReadAndWrite(sql:/etc/pki/nssdb);
as nss-sysinit will open the system db read-only, and the user db plus the user's added ones read-write.
Is NSS_InitWithMerge() used because Mozilla applications don't yet support the shared db?
Are there plans to do so?
Comment 2 Elio Maldonado 2011-01-31 09:04:45 PST
(In reply to comment #1) 
Thanks to Bob Relyea's clarifications and a more careful reading of https://wiki.mozilla.org/NSS_Shared_DB_And_LINUX, this becomes clear to me.

> The nss-sysinit documentation recommends applications call
> NSS_InitReadAndWrite(sql:/etc/pki/nssdb);

Yes, and the guidelines enumerate exceptions to this general rule.

Firefox is an application that needs to perform automatic migration of an old legacy NSS database from an old location to the new system location, so initializing NSS with:
>+          init_rv = ::NSS_InitWithMerge(nssdb,
>+                                        "", "", SECMOD_DB,
>+                                        profileStr.get(), "", "",
>+                                        profileStr.get(), profileStr.get(), init_flags);

is what's prescribed, and the patch takes care of enabling support for the shared db and taking advantage of the system-wide certificate store.
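As an added example (not code from this bug or its patch), here is a shell check for which NSS database format a directory holds, the on-disk distinction behind the shared-db versus legacy-DBM fallback discussed above; the file names are the standard NSS ones, and PROFILE_DIR in the usage comment is a placeholder.

```shell
# Added example, not code from the bug or its patch. The shared sql store
# (the format /etc/pki/nssdb uses) consists of cert9.db, key4.db and
# pkcs11.txt; a legacy DBM profile store consists of cert8.db, key3.db
# and secmod.db. The functions only inspect files; they do not merge anything.

# nss_db_kind DIR: print sql, dbm, both or none.
nss_db_kind() {
    _dir=$1
    _sql=no
    _dbm=no
    if [ -f "$_dir/cert9.db" ] && [ -f "$_dir/key4.db" ]; then _sql=yes; fi
    if [ -f "$_dir/cert8.db" ] && [ -f "$_dir/key3.db" ]; then _dbm=yes; fi
    case "$_sql$_dbm" in
        yesyes) echo both ;;
        yesno)  echo sql ;;
        noyes)  echo dbm ;;
        *)      echo none ;;
    esac
}

# nss_pick_configdir SYSTEM_DIR PROFILE_DIR: print the NSS configdir string
# (sql:DIR or dbm:DIR) to open. The system store wins when it is present in
# sql format; otherwise fall back to whatever the profile holds, which is the
# "continue to use the old DBM database" case from the bug description.
# Prints nothing and returns 1 when neither directory holds a database.
nss_pick_configdir() {
    case "$(nss_db_kind "$1")" in
        sql|both) echo "sql:$1"; return 0 ;;
    esac
    case "$(nss_db_kind "$2")" in
        sql|both) echo "sql:$2" ;;
        dbm)      echo "dbm:$2" ;;
        *)        return 1 ;;
    esac
}

# nss_list_certs DIR: list the certificates in DIR with certutil (from
# nss-tools), using the prefix that matches the format found on disk.
nss_list_certs() {
    case "$(nss_db_kind "$1")" in
        sql|both) certutil -d "sql:$1" -L ;;
        dbm)      certutil -d "dbm:$1" -L ;;
        *)        echo "no NSS database in $1" >&2; return 1 ;;
    esac
}

# Example usage (uncomment to run against a real system store and profile;
# PROFILE_DIR is a placeholder for the Firefox profile directory):
# nss_pick_configdir /etc/pki/nssdb "$HOME/.mozilla/firefox/PROFILE_DIR"
```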
Comment 3 Honza Bambas (:mayhemer) 2011-02-03 12:40:35 PST
Could anyone with good knowledge of NSS say what NSS_InitWithMerge exactly does?
Comment 4 Elio Maldonado 2011-02-03 15:24:13 PST
(In reply to comment #3)
The sources I find most useful are (1) the NSS Shared DB Design proposal: https://bugzilla.mozilla.org/show_bug.cgi?id=620373 and the discussions in
the bug for it: https://bugzilla.mozilla.org/show_bug.cgi?id=391296
Comment 5 Kai Engert (:kaie) 2011-02-09 11:10:01 PST
This is a dupe of bug 449498, which contains the same patch.

I just wrote a comment at bug 449498 comment 10.

In my understanding the use of NSS_InitWithMerge requires application level user interface.

*** This bug has been marked as a duplicate of bug 449498 ***
