On Fri, 2012-07-27 at 10:08 -0700, Robert Relyea wrote:
> Oh, so you switch between sql:/etc/pki/nssdb and sql:$HOME/.pki/nssdb
> depending on whether libnsssysinit.so exists.

It's worse than that. It's not just whether libnsssysinit.so *exists*,
but whether it's actually loaded by a line in /etc/pki/nssdb/pkcs11.txt.

If on a Fedora system you run 'setup-nsssysinit.sh off', we need to open
~/.pki/nssdb. If you run 'setup-nsssysinit.sh on', we need to
open /etc/pki/nssdb.

Hence
http://git.gnome.org/browse/evolution-data-server/commit/?id=bd704bff

> Hmm I just presumed you
> would just always open sql:/etc/pki/nssdb, but I guess you need to work
> on other systems as well. If you need that info, I need to find a way to
> give it to you, since long term I envision admins having custom versions
> for libnsssysinit.so which can fetch things like root trust lists from
> central ldap servers or get admin information for some as of yet
> undeveloped central admin server.

Please $DEITY no. Why put that into libnsssysinit instead of its *own*
module which can be loaded as appropriate?

Unless you're going to do something like make libnsssysinit just load
the modules which are configured by p11-kit, perhaps?

In which case its *current* behaviour, of loading the user's own
personal database on top of the system-wide database which it expects to
be already loaded, is somewhat incongruous.

> > Sorry, yes. I mean 2 slots in the same module. I've managed to access
> > *one* or the other of ~/.pki/nssdb and /etc/pki/nssdb by loading the
> > softokn module via p11-kit, but not both.

> You can already do that: NSS_Init("sql:/etc/pki/nssdb")
> SECUTIL_OpenUserDB("~/.pki/nssdb");

Perhaps we've been too aggressive in trimming our citations. This
particular issue was in the context of a non-NSS user of the softokn
PKCS#11 module. I can load the NSS softokn module from GnuTLS etc., and
a little bit of work will let me use the trust assertions from it. But
still I can only load one database (slot) at a time that way.

-- 
dwmw2


-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
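The decision described at the top of the message (open sql:/etc/pki/nssdb only when /etc/pki/nssdb/pkcs11.txt actually loads libnsssysinit.so, otherwise open the user's sql:$HOME/.pki/nssdb) as an added example. This is not evolution-data-server's code and not part of the thread; it assumes the pkcs11.txt layout NSS writes (blocks of key=value lines, one block per module, separated by blank lines, with a `library=` line naming the shared object) and that 'setup-nsssysinit.sh off' blanks that `library=` line rather than deleting the file. The sample file contents below are constructed.

```python
"""Choose which NSS database to open, per the message above: the system
database only when pkcs11.txt really loads libnsssysinit.so.

Added example, not evolution-data-server code.  Assumes the pkcs11.txt
format NSS writes: key=value lines, one block per module, blank-line
separated; 'setup-nsssysinit.sh off' is assumed to blank the library= line.
"""
import os

SYSTEM_DB_DIR = "/etc/pki/nssdb"
SYSINIT_LIB = "libnsssysinit.so"


def parse_pkcs11_txt(text):
    """Split pkcs11.txt into module blocks, each a dict of key -> value.

    Split on the first '=' only: the parameters= and NSS= values contain
    further '=' characters that belong to the value.
    """
    modules, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                modules.append(current)
                current = {}
            continue
        if line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        current[key.strip()] = value.strip()
    if current:
        modules.append(current)
    return modules


def sysinit_loaded(text):
    """True if some module block loads libnsssysinit.so (bare name or full path).

    A blanked 'library=' line (what 'off' is assumed to leave behind) does
    not count, even though the .so is still installed on disk.
    """
    for module in parse_pkcs11_txt(text):
        lib = module.get("library", "")
        if lib and os.path.basename(lib) == SYSINIT_LIB:
            return True
    return False


def choose_nss_db(pkcs11_text, home):
    """Return the 'sql:<dir>' spec to hand to NSS_Init().

    pkcs11_text is the content of /etc/pki/nssdb/pkcs11.txt, or None when
    the file is absent, which is treated like 'off'.
    """
    if pkcs11_text is not None and sysinit_loaded(pkcs11_text):
        return "sql:" + SYSTEM_DB_DIR
    return "sql:" + os.path.join(home, ".pki", "nssdb")


def choose_nss_db_from_system(config_path=os.path.join(SYSTEM_DB_DIR, "pkcs11.txt"),
                              home=None):
    """Same decision against the live file on this host."""
    home = home or os.path.expanduser("~")
    try:
        with open(config_path) as f:
            text = f.read()
    except OSError:
        text = None
    return choose_nss_db(text, home)


# Constructed sample: a pkcs11.txt after 'setup-nsssysinit.sh on' ...
PKCS11_TXT_ON = """\
library=libnsssysinit.so
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:/etc/pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
NSS=trustOrder=75 cipherOrder=100 slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM askpw=any timeout=30 ] }  Flags=internal,critical
"""
# ... and after 'setup-nsssysinit.sh off' (assumed: the library= line is blanked).
PKCS11_TXT_OFF = PKCS11_TXT_ON.replace("library=libnsssysinit.so", "library=")

if __name__ == "__main__":
    print(choose_nss_db(PKCS11_TXT_ON, "/home/alice"))   # sql:/etc/pki/nssdb
    print(choose_nss_db(PKCS11_TXT_OFF, "/home/alice"))  # sql:/home/alice/.pki/nssdb
    print(choose_nss_db_from_system())
```

The point of keying on the `library=` line rather than on whether the .so exists is the one the message makes: after 'setup-nsssysinit.sh off' the library is still installed but nothing loads it, so opening /etc/pki/nssdb would give the application a database with no user certificates in it. When the line is present, libnsssysinit itself layers the user's ~/.pki/nssdb on top of the system database, so the application only needs to open the system one.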
