POC wrote:
> How best do I control what PKCS#11 module containing the default CA
> certs gets loaded at NSS init? As it stands now, NSS will
> *automatically* load any PK11 module with names like "nssckbi" or
> "roots"...

The automatic loading you describe only takes place if a roots module
is not loaded by the modules listed in the secmod.db file, I believe.

> What if I want NSS to *only* auto load my custom module with
> a specific name?

Put your module in the secmod.db file.

> Why not include a parameter in the NSS_Init() function to specify the
> root ca PK11 file name?

There is a way for the application to control the loading of the roots
module. NSS_Initialize takes a flags argument. One of the flags,
NSS_INIT_NOROOTINIT, causes NSS to suppress the step of searching for a
"nssckbi" or "roots" module that normally occurs if a roots module is
not loaded by secmod.db.

Then after NSS_Initialize is done, it is possible for the application to
inquire whether a roots module was loaded by secmod.db, and if not, the
application can call a function to load a roots module explicitly. But
that's some work. Here's an outline of the steps involved:

1. Get a list of slots with tokens from PK11_GetAllTokens().
2. Iterate through the list, calling PK11_HasRootCerts() to see if any
   of them has root certs.
3. Free the slot list with PK11_FreeSlotList.
4. If none had the root certs, then call SECMOD_AddNewModule to add it.
   I think this adds the module to the secmod.db as well as loading it
   for immediate use.

Disclaimer: Your mileage may vary.

-- 
Nelson Bolyard
Disclaimer: I speak for myself, not for Netscape
