On 07/27/2012 10:25 AM, David Woodhouse wrote:
On Fri, 2012-07-27 at 10:08 -0700, Robert Relyea wrote:
Oh, so you switch between sql:/etc/pki/nssdb and sql:$HOME/.pki/nssdb
depending on whether libnsssysinit.so exists.
It's worse than that. It's not just whether libnsssysinit.so *exists*,
but whether it's actually loaded by a line in /etc/pki/nssdb/pkcs11.txt.
I meant loaded and activated.
If on a Fedora system you run 'setup-nsssysinit.sh off', we need to open
~/.pki/nssdb. If you run 'setup-nsssysinit.sh on', we need to
open /etc/pki/nssdb.
Hence
http://git.gnome.org/browse/evolution-data-server/commit/?id=bd704bff
Hmm I just presumed you
would just always open sql:/etc/pki/nssdb, but I guess you need to work
on other systems as well. If you need that info, I need to find a way to
give it to you, since long term I envision admins having custom versions
for libnsssysinit.so which can fetch things like root trust lists from
central ldap servers or get admin information for some as of yet
undeveloped central admin server.
Please $DEITY no. Why put that into libnsssysinit instead of its *own*
module which can be loaded as appropriate?
The point is it should be considered the same as libnsssysinit. With no
api to call to see that this is the case, there isn't a good way to tell
what is going on. If you are reaching into /etc/nssdb/pkcs11.txt to tell
what the state is, you may get the wrong answer in the future.
This is really just another argument for what you are asking for. The
Library should be able to tell you what the 'state' is rather than the
application trying to guess it. The news to me is that applications
care, which means I need to figure out an api to give the application
that information.
Sorry, yes. I mean 2 slots in the same module. I've managed to access
*one* or the other of ~/.pki/nssdb and /etc/pki/nssdb by loading the
softokn module via p11-kit, but not both.
You can already do that: NSS_Init("sql:/etc/pki/nssdb")
SECUTIL_OpenUserDB("~/.pki/nssdb");
Perhaps we've been too aggressive in trimming our citations. This
particular issue was in the context of a non-NSS user of the softokn
PKCS#11 module. I can load the NSS softokn module from GnuTLS etc., and
a little bit of work will let me use the trust assertions from it. But
still I can only load one database (slot) at a time that way.
If you are opening softoken from some other module, you presumably know
the softoken "magic" to specify the database. softoken can be told to
open more than one database from that string. softoken also has a
mechanism to add additional DBs later (which is what SECMOD_OpenUserDB
uses). GnuTLS and company would have to know about that mechanism.
In short softoken can do it, but the normal PKCS #11 spec is silent on
how to do this. Non-NSS users of softoken would have to learn the
softoken protocol to use this feature.
bob
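The pkcs11.txt check the thread is arguing about, as an added example (not code from the thread or from evolution-data-server): it parses NSS's pkcs11.txt and picks the database the way an application guessing the sysinit state would, assuming the Fedora convention that setup-nsssysinit.sh toggles the library= line, with constructed sample files embedded inline.

```python
"""Guess the NSS sysinit state from /etc/pki/nssdb/pkcs11.txt.

Added example, not code from the thread or from evolution-data-server.
Assumption: 'setup-nsssysinit.sh on' writes 'library=libnsssysinit.so'
into pkcs11.txt and 'off' blanks it to 'library='. pkcs11.txt holds one
module per blank-line-separated record of key=value lines.
"""
import os
import re

SYSTEM_DB = "sql:/etc/pki/nssdb"

# Constructed samples mirroring what setup-nsssysinit.sh on/off leaves behind.
PKCS11_TXT_ON = """\
library=libnsssysinit.so
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:/etc/pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags=readOnly,optimizeSpace
NSS=trustOrder=75 cipherOrder=100 Flags=internal,critical
"""
PKCS11_TXT_OFF = PKCS11_TXT_ON.replace("library=libnsssysinit.so", "library=")


def parse_pkcs11_txt(text):
    """Split pkcs11.txt into module records, each a dict of lowercased key -> value."""
    modules, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:  # blank line ends the current module record
            if current:
                modules.append(current)
                current = {}
            continue
        key, _, value = line.partition("=")  # parameters= contains further '='
        current[key.strip().lower()] = value.strip()
    if current:
        modules.append(current)
    return modules


def sysinit_module(text):
    """Return the record that loads libnsssysinit.so, or None if it is not loaded."""
    for module in parse_pkcs11_txt(text):
        if os.path.basename(module.get("library", "")) == "libnsssysinit.so":
            return module
    return None


def sysinit_enabled(text):
    return sysinit_module(text) is not None


def choose_db(text, home):
    """The heuristic under discussion: the sysinit module's configdir if it is
    loaded (falling back to the system DB), else the per-user ~/.pki/nssdb."""
    module = sysinit_module(text)
    if module is None:
        return "sql:" + os.path.join(home, ".pki", "nssdb")
    found = re.search(r"configdir='([^']*)'", module.get("parameters", ""), re.I)
    return found.group(1) if found else SYSTEM_DB
```

As the thread notes, this only reflects the file as it looks today; a future sysinit-equivalent module would not be detected by this check.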
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto