On 01/11/2017 03:21 AM, Opa114 wrote:
On Wednesday, 11 January 2017 00:45:45 UTC+1, Robert Relyea wrote:
On 01/10/2017 02:07 PM, Opa114 wrote:
On Tuesday, 10 January 2017 22:24:10 UTC+1, Robert Relyea wrote:
On 01/10/2017 10:18 AM, Opa114 wrote:
Thanks, but these facts I know.
I don't want to let multiple applications open one database; I want to open
multiple different Mozilla databases, in the old standard format, with one (my)
application.

I tried to use the NSS_Init functions. These work with opening one database,
but when I open a second one the whole application crashes, so that's why I
asked the question and maybe get some working example C++ code?
1) Where are you crashing? (It's not expected to work, but I don't expect
a crash because you called NSS_Init again.)

2) To open additional databases you want to use SECMOD_OpenUserDB:

https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/PKCS11_Functions#SECMOD_OpenUserDB

You can call that multiple times.
Once the database is opened any of the NSS find functions will find all
the certs in both databases. The slot returned from SECMOD_OpenUserDB
can be used in functions that take a slot to narrow the operations just
to that particular database.

To NSS each database will look basically like a smart card.

When you are through with that database you can use SECMOD_CloseUserDB()

bob

Thanks for the reply. Here is first some little code which did not work, that
is, it crashes:

    #include <nss.h>
    #include <cert.h>
    #include <pk11pub.h>

    void loadFirefox(void) {
        SECStatus rv = NSS_InitReadWrite(PATH_TO_FF_DB);
        if (rv == SECSuccess) {
            /* list all certs; the list keeps references to the DB slot */
            CERTCertList *certs = PK11_ListCerts(PK11CertListAll, NULL);
            /* ... use certs (the list is never freed here) */
        }
        NSS_Shutdown();
    }

    void loadThunderbird(void) {
        SECStatus rv = NSS_InitReadWrite(PATH_TO_TB_DB);
        if (rv == SECSuccess) {
            CERTCertList *certs = PK11_ListCerts(PK11CertListAll, NULL);
            /* ... use certs (the list is never freed here) */
        }
        NSS_Shutdown();
    }

So these are my two functions in which I open and close the databases and
retrieve the certificates.
So the certs you got from the first call are likely preventing
NSS_Shutdown from completing. The certs hold references to the
respective slots. Those references prevent NSS_Shutdown from closing
completely. This will prevent the second NSS_Init from succeeding, so you
probably crash in your second shutdown. You can detect that this happened by
looking at the return value from NSS_Shutdown().

--> 2) To open additional databases you want to use SECMOD_OpenUserDB
So this means: first I have to call NSS_Init with, let's say, the Firefox
database and then I have to call SECMOD_OpenUserDB with the Thunderbird
database, right? Or must I load both with SECMOD_OpenUserDB?
You can either use NSS_Init with no database and then call
SECMOD_OpenUserDB() for both, or you can call NSS_Init with one database
and then call SECMOD_OpenUserDB with the other.

--> Once the database is opened any of the NSS find functions will find all the
certs in both databases
But I have to know which database the certificates are coming from. So I
need to know that, let's say, certificate ABC is stored inside the Firefox database
and certificate 123 is stored in the Thunderbird database. How can I do that? Or is
this not possible?
The slot of the database can be found in the cert->slot entry, but this
will only give you ONE of the slots the cert lives in. If a cert exists
in both databases, it will have a single entry on the list and it is
"somewhat" random which slot is listed (if you open one database with
NSS_Init and the second with SECMOD_OpenUserDB() then the one you opened
with SECMOD_OpenUserDB() will be the slot that shows up).

To fix this issue, there's a function called PK11_GetAllSlotsForCert()
which returns a slotList and will return all the slots that hold this
cert. The slots map one for one to the databases you opened (or any
smart cards you have loaded). You can control the 'tokenName' of each
slot with the string arguments you pass to SECMOD_OpenUserDB(), and you
can get the token name with PK11_GetTokenName() on each slot on the list.

You could also use PK11_ListCertsInSlot() which takes a slot
(SECMOD_OpenUserDB() will return a slot for you) and lists only those
certs in that slot.

Be sure to free all these things once you are through with them, or your
shutdown will fail at the end again.


bob

Thanks again for the detailed explanation, that helps me a lot. Many thanks!

--> So the certs you got from the first call is likely preventing
NSS_Shutdown from completing.....
So when I free the used stuff I can close the database correctly, so that I can
open the second one. If I can close the first one correctly and NSS shuts down,
I should be able to open the second one, too.
Can you give me some more details on my piece of code, or in general on how to
free the things correctly?

Yes, you have to make sure NSS_Shutdown*() returns without an error; if it
doesn't, the next NSS_Init* won't work. You can test whether NSS is still in an
initialized state with NSS_IsInitialized(). If NSS does not shut down
successfully it's because of dangling references; finding out who is holding on
to these is the tricky part. Calling NSS_DumpCertificateCacheInfo() *may* give
you enough additional information to figure that out. In the past I've had to
resort to running the process under GDB and stepping through code and data
structures to figure it out. How hard this is is really a reflection of the
complexity of your application code. In our case it was pretty complex. If your
code is simple and clean it may be a total non-issue, YMMV.


So would it be better to open the two or more databases successively and
not at the same time, as I wanted to do it? Would this be the better working
solution? The only thing is that I then must reopen and shut down the databases
multiple times if needed.

Yes, it's better for successive single databases than multiple simultaneous IMHO.

And did I understand it right that I can use SECMOD_OpenUserDB() and
SECMOD_CloseUserDB() to open and close the databases instead of using
NSS_Init() and NSS_Shutdown()? Do the SECMOD functions call them internally?
Or does it not matter which of the functions I use?

--> ... if you try to trust one CA in one DB/slot and not trust it in another 
DB/slot, you won't actually be able to do that
This is extremely bad, because I may have to change the trust status of some
certificates.

So in conclusion, for my needs the way would be to open each database
separately and successively?



--
John
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto