On 2009-09-12 09:23 PDT, Guenter wrote:
> Hi all,
> I've some questions regarding properly initializing NSS.
> From what I've read newer NSS now supports / prefers SQLite cert databases:

Supports: yes

Prefers: I would say no.  NSS must be explicitly instructed to use the new
SQLite3 databases in each and every process that uses it, or else, by
default, it will use the old Berkeley DBs, even if the SQLite3 DB files
exist and the Berkeley DB files do not.

> https://wiki.mozilla.org/NSS_Shared_DB_And_LINUX#Type_3_packages:_Libraries

> now what I need to know is
> when I want to open the certdb readonly and in a backward-compatible way
> is it valid to always prefix the certdb path with sql: like:
> char *certDir = PR_smprintf("sql:%s", SSL_DIR);
> rv = NSS_Initialize(certDir, [...] NSS_INIT_READONLY);
> does NSS then still properly initialize even if SSL_DIR points to a folder
> holding an older DBM certdb (certX, keyX, secmod) ?

Yes, it is valid to use the sql: prefix, even with read-only, even when
only the older Berkeley cert8.db and key3.db files exist.

You can test this easily with the certutil program.  Given a directory
named DB containing a cert8/key3 pair containing some certs, the command
   certutil -L -d sql:DB
will initialize NSS read-only with that certDir string, and will list the
contents of the old DBs, without creating new SQLite3 DBs.

> Which is the lowest NSS version which understands and works with the sql:
> prefix?

NSS 3.12.0

> Then I've seen code like:
> rv = NSS_Initialize(certDir, NULL, NULL, "secmod.db", NSS_INIT_READONLY);
> is it really necessary to specify secmod.db with NSS_Initialize() ?

No.  A NULL or empty string will be replaced by an appropriate default.

Note that when used with the Berkeley DBs, the PKCS#11 module configuration
information is stored in secmod.db, which is also a Berkeley DB; but when
used with the SQLite3 DBs, the PKCS#11 module configuration information is
stored into a file named pkcs11.txt, which (as the name suggests) is a
plain text file.

> finally in the NSS docs I found somewhere a sample for initializing where
> the parameters are not NULL but empty strings:
> rv = NSS_Initialize(certDir, "", "", "", NSS_INIT_READONLY);
> what is the correct way?

NSS_Initialize treats NULL and "" equivalently, turning them both into
newly allocated empty strings (i.e. ""), which are then replaced by the
appropriate default.

> thanks, Günter.
> 


-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

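The certutil check described in the reply above, as an added example that is not part of the thread and not NSS project code. It looks at which database files a directory holds, builds the certDir string the reply recommends, and only then (if certutil is on PATH) runs the read-only listing. Assumptions: the legacy Berkeley DB files are cert8.db, key3.db and secmod.db (named in the thread); the SQLite format files are cert9.db, key4.db and pkcs11.txt (only pkcs11.txt is named in the thread, the other two names are NSS's and are not stated on the page); the "dbm:" prefix, which the thread does not mention, is NSS's explicit legacy counterpart of "sql:". The demo fixture uses empty files standing in for real databases, so it exercises the detection and string building but never hands those empty files to certutil.

```shell
#!/bin/sh
# Added example: choose the NSS certDir string for certutil -d / NSS_Initialize
# from the files present in a directory, then list certs read-only.
# Assumed file names: legacy Berkeley DB = cert8.db, key3.db, secmod.db;
# SQLite (shared DB) = cert9.db, key4.db, pkcs11.txt.

# Print "sql", "dbm" or "none" depending on which NSS database files exist.
# SQLite files win when both formats are present, since that is what the
# sql: prefix would open first.
nss_db_format() {
    dir=$1
    if [ -f "$dir/cert9.db" ] || [ -f "$dir/key4.db" ] || [ -f "$dir/pkcs11.txt" ]; then
        echo sql
    elif [ -f "$dir/cert8.db" ] || [ -f "$dir/key3.db" ] || [ -f "$dir/secmod.db" ]; then
        echo dbm
    else
        echo none
    fi
}

# Build the -d / configdir string.  "sql:" is the backward-compatible default
# (understood by NSS >= 3.12.0 per the thread, and it still opens cert8/key3
# when initialized read-only).  Pass "dbm" as the second argument only to pin
# the legacy Berkeley DB reader explicitly ("dbm:" prefix, an assumption here).
nss_certdir_string() {
    case ${2:-sql} in
        dbm) echo "dbm:$1" ;;
        *)   echo "sql:$1" ;;
    esac
}

# The check a practitioner wants after a read-only open of a legacy directory:
# confirm that no SQLite-format files appeared.  Returns 1 if any did.
nss_no_sqlite_files() {
    dir=$1
    for f in cert9.db key4.db pkcs11.txt; do
        if [ -e "$dir/$f" ]; then
            echo "unexpected $f created in $dir" >&2
            return 1
        fi
    done
    return 0
}

# List the certificates in $1 without modifying it.  certutil -L opens the
# database read-only; the thread states that with "sql:" this creates no new
# files even when only cert8.db/key3.db exist.  Refuses an empty directory and
# degrades to a message when certutil is not installed.
nss_list_certs() {
    dir=$1
    fmt=$(nss_db_format "$dir")
    if [ "$fmt" = none ]; then
        echo "no NSS database found in $dir" >&2
        return 1
    fi
    if ! command -v certutil >/dev/null 2>&1; then
        echo "certutil not on PATH; would run: certutil -L -d $(nss_certdir_string "$dir")" >&2
        return 0
    fi
    certutil -L -d "$(nss_certdir_string "$dir")" || return 1
    # Only meaningful for a legacy directory; a shared-DB directory has these files by design.
    if [ "$fmt" = dbm ]; then
        nss_no_sqlite_files "$dir"
    fi
}

# Demo on a constructed fixture (empty files stand in for real databases, so
# certutil is deliberately not invoked on them).
tmp=$(mktemp -d)
mkdir "$tmp/legacy" "$tmp/shared"
touch "$tmp/legacy/cert8.db" "$tmp/legacy/key3.db" "$tmp/legacy/secmod.db"
touch "$tmp/shared/cert9.db" "$tmp/shared/key4.db" "$tmp/shared/pkcs11.txt"
for d in legacy shared; do
    echo "$d: format=$(nss_db_format "$tmp/$d") certdir=$(nss_certdir_string "$tmp/$d")"
done
rm -rf "$tmp"
```

On a real legacy directory, `nss_list_certs DB` runs `certutil -L -d sql:DB` and then fails loudly if cert9.db, key4.db or pkcs11.txt showed up afterwards, which is exactly the property the reply claims for read-only initialization; a program calling NSS_Initialize with NSS_INIT_READONLY can apply the same before/after file check around its own init.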