NSS Library Init: Difference between revisions

 
(4 intermediate revisions by the same user not shown)
Line 19: Line 19:
=== How we initially intended to solve these problems ===


We intended to go to a single user/machine configuration for most applications and libraries, where all applications open the same set of databases for a particular user and machine. This configuration would not be in any one application's specific directory of application configuration files, but would be part of the system. One problem with this approach is that not all NSS applications run on systems which will have a 'system configured' NSS. In addition, there are still cases where the user may want to keep multiple different configurations for testing (Mozilla profiles for example). Finally, some applications only need read-only access to the NSS configuration, but other applications (like Firefox, or Thunderbird) need read-write access. This means if a read/only library initializes first, then a read/write application will not be able to update the database. (what?? --[[User:Nelsonb|MisterTLS]] 21:48, 1 September 2009 (UTC)  I've changed application->library. This is a real issue that I believe sun reported. PAM calls pam-ldap which initializes NSS read only. now FF and TB can't get to their databases.)
We intended to go to a single user/machine configuration for most applications and libraries, where all applications open the same set of databases for a particular user and machine. This configuration would not be in any one application's specific directory of application configuration files, but would be part of the system. One problem with this approach is that not all NSS applications run on systems which will have a 'system configured' NSS. In addition, there are still cases where the user may want to keep multiple different configurations for testing (Mozilla profiles for example). Finally, some users only need read-only access to the NSS configuration, but other users (like Firefox, or Thunderbird) need read-write access. This means if a read/only library initializes first, then a read/write application in that same address space will not be able to update the database. (what?? --[[User:Nelsonb|MisterTLS]] 21:48, 1 September 2009 (UTC)  I've changed application->library. This is a real issue that I believe sun reported. PAM calls pam-ldap which initializes NSS read only. now FF and TB can't get to their databases.)


=== Restrictions on any future solution ===
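Review bot: the revised paragraph now says "some users only need read-only access ... but other users (like Firefox, or Thunderbird)", yet Firefox and Thunderbird are applications, and the inline comment says the intended change was application -> library. "Users" hides which component holds the read-only handle, which is the whole point of the PAM/pam-ldap scenario (a library initializes NSS read-only in the same address space, so the application can no longer update its databases). Suggest: "some libraries only need read-only access to the NSS configuration, but applications (like Firefox or Thunderbird) need read-write access." The "what?? ... I've changed application->library" exchange should also be resolved and removed from the article body rather than left inline.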
Line 27: Line 27:
The existing shutdown will close down all NSS internal references to object and free up internal lists. It is possible that the application may still hold references to NSS objects (such as slots, keys, or certs that NSS has returned to it) in its address space. NSS will shutdown all slots that do not have outstanding object references to them. If NSS cannot shutdown all slots, it will return an error. At this point NSS is 'shutdown', but it will not be able to initialized again until all those outstanding references are freed.


Few applications depend on this behavior, but there are some, usually applications which have some sort of dynamic profile switching code. Even though these apps are few, they must still continue to work. (Do you mean continue to fail? --[[User:Nelsonb|MisterTLS]] 21:48, 1 September 2009 (UTC) no, I mean continue to work. Applications that call the base NSS_InitXXX expect it to be idempotent. It will continue to be. Applications expect to call NSS_Shutdown() and be able to switch profiles. This will continue to work as well. This last one we can discuss. It may make more sense for NSS_Shutdown to work as NSS_ShutdownContext(NULL) does. )
Few applications depend on being able to shutdown with a single NSS_Shutdown call, but there are some that do, usually applications which have some sort of dynamic profile switching code. Even though these apps are few, they must still continue to work.(Do you mean continue to fail? --[[User:Nelsonb|MisterTLS]] 21:48, 1 September 2009 (UTC) no, I mean continue to work. Applications that call the base NSS_InitXXX expect it to be idempotent. It will continue to be. Applications expect to call NSS_Shutdown() and be able to switch profiles. This will continue to work as well. This last one we can discuss. It may make more sense for NSS_Shutdown to work as NSS_ShutdownContext(NULL) does. ) Caveat: Note that today, if there is a library using NSS and holding references, such profile switching will not work in any of the scenarios.


2) '''NSS still maintains a single 'trust domain' in which certificates are verified.''' In a single process, NSS has the ability to process certificates in the context of any one of several independent trust domains, but many of NSS's existing API functions do not allow a trust domain to be explicitly specified.
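Review bot: in the revised paragraph the space before "(Do you mean continue to fail?" was dropped, and "shutdown" is used as a verb ("able to shutdown with a single NSS_Shutdown call"); suggest "shut down". The added caveat states a consequence without its cause: it follows from the preceding paragraph (NSS cannot be initialized again until all outstanding references are freed), so "because NSS cannot re-initialize while those references are held" would tie the two together and make clear this is a pre-existing limitation, not one introduced by the proposal.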
Line 43: Line 43:
3. NSS_ShutdownContext() can be called once per context. If NSS_ShutdownContext is called a second time on the same context, an error is returned. NSS_ShutdownContext() will shut down NSS if there are no more active contexts returned by NSS_InitContext() and NSS_Init() has not been called.


4. An application that initialized NSS with NSS_Init() can call NSS_LibraryShutdown() with NULL. This will close out the NSS_Init() call, but will only shutdown NSS if all the active contexts are also closed. (What if NSS_Init has been called multiple times? Clearly spelled out in item 2-- 'as it does today.... calls are idempotent...' I'd be happy to take suggestions on how to wordsmith it better. I started to adjust the current words, but found I couldn't improve on them--[[User:Nelsonb|MisterTLS]] 22:00, 1 September 2009 (UTC) )
4. An application that initialized NSS with NSS_Init() can call NSS_LibraryShutdown() with NULL. This will close out the NSS_Init() call, but will only shutdown NSS if all the active contexts are also closed. (Note that NSS_Init() is still idempotent. This means that multiple calls to NSS_Init() before an NSS_Shutdown or and NSS_LibraryShutdown will still only result in a single NSS_Init call as far as shutdowns are concerned).
 
5. NSS_Shutdown() will operate as it does today. NSS will completely shutdown, active contexts will be closed.


5. NSS_Shutdown() will operate as it does today. NSS will completely shutdown, all active contexts will be closed.


Signature for the new functions:


  typedef struct NSSInitContextStr NSSInitContext; /* opaque */
typedef struct NSSInitStringStr NSSInitString;
struct NSSInitStringStr {
    int len; /* must be set to the length of NSSInitString. future versions.
              * of NSS may allow longer versions of this context, but need to
              * work with existing apps. */
    PRBool passwordRequired;
    int    minimumPasswordLength;
    char * manufactureID;          /* variable names for strings match the */
    char * libraryDescription;      /*  parameter name in softoken */
    char * cryptoTokenDescription;
    char * dbTokenDescription;
    char * FIPSTokenDescription;
    char * cryptoSlotDescription;
    char * dbSlotDescription;
    char * FIPSSlotDescription;
};


  NSSInitContext *NSS_InitContext(const char *configdir,
         const char *certPrefix, const char *keyPrefix,
         const char *secmodName, PRUint32 flags);
         const char *secmodName, NSSInitStrings *initStrings, PRUint32 flags);


  SECStatus NSS_ShutdownContext(NSSInitContext *);
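Review bot: the type name in the new prototype does not match the typedef introduced in the same hunk: the typedef declares `NSSInitString` (struct `NSSInitStringStr`), but `NSS_InitContext` now takes `NSSInitStrings *initStrings`, so one of the two will not compile against the other. The `len` comment "must be set to the length of NSSInitString. future versions." has a stray period mid-sentence; if the intent is the structure size, "must be set to sizeof(NSSInitString); future versions of NSS may ..." says so unambiguously, and the versioning rule (what NSS does when `len` is smaller than it expects) should be stated since that is the compatibility contract for existing apps. In item 4, "before an NSS_Shutdown or and NSS_LibraryShutdown" reads "or and".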
Line 67: Line 83:


#Application calls NSS_Init(). NSS_Init uses configdir to decide what PKCS #11 modules to load and what databases softoken opens.
#Library then calls NSS_Init(). Library ends up using whatever application already openned (in general, this ok, it make sense the the application controls what databases are used by all libraries it uses).
#Library then calls NSS_Init(). Library ends up using whatever application already opened (in general, this ok, it make sense the the application controls what databases are used by all libraries it uses).
#*at this point only the application specified databases are open
#Library noticed that NSS was initializied already and does not call shutdown (hopefully).
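Review bot: the revision fixes "openned" but leaves the rest of that parenthetical unchanged: "this ok, it make sense the the application" should read "this is ok; it makes sense that the application". "initializied" in the last item is still misspelled, and "(hopefully)" is doing real work there: a library calling NSS_Shutdown on an NSS instance it did not initialize is exactly the failure this design is meant to remove, so the item should state the required behaviour (a library that finds NSS already initialized must not call NSS_Shutdown, and under the proposal should use NSS_InitContext/NSS_ShutdownContext instead) rather than hope for it.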
Line 125: Line 141:
#*#If the PKCS #11 module supports the NSS 'add new slot' protocol, then NSS will add a new slow with the new configuration.
#*#For most modules we will move on. The requested module is already initialized and loaded in the trust domain, there is no further work needed to use it.
#FIPS question [still working on it..]
#What happens if different users initialize NSS with differing views of FIPS?
#*FIPS is really a attribute of the slot. NSS can have different slots open in different 'FIPS' states. This is rare today, it only happens when NSS switches from FIPS to non-FIPS. During the switch the old slots stay around until all their outstanding references go way.
#*The 'overall' reflection of FIPS would be controlled by the 'application' (the first caller of NSS_Init). In practice, however, you are not really in FIPS mode unless all your slots are in FIPS mode.
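Review bot: "NSS will add a new slow with the new configuration" should read "slot", in both the old and new line. In the FIPS item, "a attribute" should be "an attribute" and "go way" should be "go away". The FIPS answer also leaves the practical question open: given that "you are not really in FIPS mode unless all your slots are in FIPS mode", a later caller that opens a non-FIPS slot after the first caller chose FIPS quietly takes the process out of FIPS mode. The item should say whether NSS_InitContext refuses that request, or whether the application is expected to check the per-slot FIPS state itself, since a silent downgrade is the outcome FIPS deployments most need to detect.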