Robert Relyea wrote:
> On 10/21/2016 07:04 AM, Rob Crittenden wrote:
>> I'm trying to figure out how to dynamically enable FIPS support for
>> NSS Contexts.
>> I started with multinit.c and initialize FIPS right after calling
>> NSS_InitContext() using this:
>
> So you can't change the state of an already open database. NSS will
> switch all new databases that are opened, and idle the old ones
> (basically they are open, but not really accessible).
>
>> if (!PK11_IsFIPS()) {
>>     fprintf(stderr, "Initializing FIPS\n");
>>     SECMODModule *mod = SECMOD_GetInternalModule();
>>     if (!mod) {
>>         fprintf(stderr, "No module!?\n");
>>         exit(1);
>>     }
>>     /* Deleting the internal module swaps in its FIPS counterpart. */
>>     char *internal_name = PR_smprintf("%s",
>>         SECMOD_GetInternalModule()->commonName);
>>     if ((SECMOD_DeleteInternalModule(internal_name) != SECSuccess) ||
>>         !PK11_IsFIPS()) {
>>         fprintf(stderr, "Unable to enable FIPS mode on "
>>                 "certificate database\n");
>>         exit(1);
>>     }
>> }
>>
>> I'm executing it like this, initializing only db1 and db2 as contexts:
>
> So when you do an initcontext, your main database is usually not the
> same as the main database when you open NSS, so it won't get
> automatically switched.

A further question: Is NSS_Initialize required or can I just use all
contexts everywhere?
rob
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto