Re: NSS open multiple NSS databases at once?
On Wednesday, 11 January 2017 14:23:45 UTC+1, John Dennis wrote:
> On 01/11/2017 03:21 AM, Opa114 wrote:
>> On Wednesday, 11 January 2017 00:45:45 UTC+1, Robert Relyea wrote:
>>> On 01/10/2017 02:07 PM, Opa114 wrote:
>>>> On Tuesday, 10 January 2017 22:24:10 UTC+1, Robert Relyea wrote:
>>>>> On 01/10/2017 10:18 AM, Opa114 wrote:
>>>>>> thanks, but these facts I know.
>>>>>> I don't want to let multiple applications open one database, I want to open multiple different Mozilla databases, in the old standard format, with one (my) application.
>>>>>>
>>>>>> I tried to use the NSS_Init functions. These work with opening one database, but when I open a second one the whole application crashes, so that's why I asked the question and maybe get some working example C++ code?
>>>>> 1) Where are you crashing (it's not expected to work, but I don't expect a crash because you called NSS_Init again).
>>>>>
>>>>> 2) To open additional databases you want to use SECMOD_OpenUserDB:
>>>>>
>>>>> https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/PKCS11_Functions#SECMOD_OpenUserDB
>>>>>
>>>>> You can call that multiple times.
>>>>> Once the database is opened any of the NSS find functions will find all the certs in both databases. The slot returned from SECMOD_OpenUserDB can be used in functions that take a slot to narrow the operations just to that particular database.
>>>>>
>>>>> To NSS each database will look basically like a smart card.
>>>>>
>>>>> When you are through with that database you can use SECMOD_CloseUserDB()
>>>>>
>>>>> bob
>>>> thanks for the reply. Here is first some little code which did not work, that means it crashes:
>>>>
>>>> functionLoadFirefox() {
>>>>     SECStatus rv = NSS_InitReadWrite(PATH_TO_FF_DB);
>>>>     ... if success load certificates with PK11_ListCerts(PK11CertListAll, NULL);
>>>>     NSS_Shutdown();
>>>> }
>>>>
>>>> functionLoadThunderbird() {
>>>>     SECStatus rv = NSS_InitReadWrite(PATH_TO_TB_DB);
>>>>     ... if success load certificates with PK11_ListCerts(PK11CertListAll, NULL);
>>>>     NSS_Shutdown();
>>>> }
>>>>
>>>> So these are my two functions in which I open and close the databases and retrieve the certificates.
>>> So the certs you got from the first call are likely preventing NSS_Shutdown from completing. The certs hold references to the respective slots. Those references prevent NSS_Shutdown from closing completely. This will prevent the second NSS_Init from succeeding, so you probably crash in your second shutdown. You can detect this happened by looking at the return value from NSS_Shutdown().
>>>> --> 2) To open additional databases you want to use SECMOD_OpenUserDB
>>>> So this means: first I have to call NSS_Init with, let's say, the Firefox database and then I have to call SECMOD_OpenUserDB with the Thunderbird database, right? Or must I load both with SECMOD_OpenUserDB?
>>> You can either use NSS_Init with no database and then call SECMOD_OpenUserDB() for both, or you can call NSS_Init with one database and then call SECMOD_OpenUserDB with the other.
>>>> --> Once the database is opened any of the NSS find functions will find all the certs in both databases
>>>> But I have to know from which database the certificates are coming. So I need to know that, let's say, certificate ABC is stored inside the Firefox database and certificate 123 is stored in the Thunderbird database. How can I do that? Or is this not possible?
>>> The slot of the database can be found in the cert->slot entry, but this will only give you ONE of the slots the cert lives in. If a cert exists in both databases, it will have a single entry on the list and it is "somewhat" random which slot is listed (if you open one database with NSS_Init and the second with SECMOD_OpenUserDB() then the one you opened with SECMOD_OpenUserDB() will be the slot that shows up).
>>>
>>> To fix this issue, there's a function called PK11_GetAllSlotsForCert() which returns a slotList and will return all the slots that hold this cert. The slots map one for one to the databases you opened (or any smart cards you have loaded). You can control the 'tokenName' of each slot with the string arguments you pass to SECMOD_OpenUserDB(), and you can get the token name with PK11_GetTokenName() on each slot on the list.
>>>
>>> You could also use PK11_ListCertsInSlot() which takes a slot (SECMOD_OpenUserDB() will return a slot for you) and lists only those certs in that slot.
>>>
>>> Be sure to free all these things once you are through with them, or your shutdown will fail at the end again.
>>>
>>> bob
>>
>> thanks again for the detailed explanation, that helps me a lot - many thanks!
>>
>> --> So the certs you got from the first call is
Re: NSS open multiple NSS databases at once?
On 01/11/2017 03:21 AM, Opa114 wrote:
> On Wednesday, 11 January 2017 00:45:45 UTC+1, Robert Relyea wrote:
>> On 01/10/2017 02:07 PM, Opa114 wrote:
>>> On Tuesday, 10 January 2017 22:24:10 UTC+1, Robert Relyea wrote:
>>>> On 01/10/2017 10:18 AM, Opa114 wrote:
>>>>> thanks, but these facts I know.
>>>>> I don't want to let multiple applications open one database, I want to open multiple different Mozilla databases, in the old standard format, with one (my) application.
>>>>>
>>>>> I tried to use the NSS_Init functions. These work with opening one database, but when I open a second one the whole application crashes, so that's why I asked the question and maybe get some working example C++ code?
>>>> 1) Where are you crashing (it's not expected to work, but I don't expect a crash because you called NSS_Init again).
>>>>
>>>> 2) To open additional databases you want to use SECMOD_OpenUserDB:
>>>>
>>>> https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/PKCS11_Functions#SECMOD_OpenUserDB
>>>>
>>>> You can call that multiple times.
>>>> Once the database is opened any of the NSS find functions will find all the certs in both databases. The slot returned from SECMOD_OpenUserDB can be used in functions that take a slot to narrow the operations just to that particular database.
>>>>
>>>> To NSS each database will look basically like a smart card.
>>>>
>>>> When you are through with that database you can use SECMOD_CloseUserDB()
>>>>
>>>> bob
>>> thanks for the reply. Here is first some little code which did not work, that means it crashes:
>>>
>>> functionLoadFirefox() {
>>>     SECStatus rv = NSS_InitReadWrite(PATH_TO_FF_DB);
>>>     ... if success load certificates with PK11_ListCerts(PK11CertListAll, NULL);
>>>     NSS_Shutdown();
>>> }
>>>
>>> functionLoadThunderbird() {
>>>     SECStatus rv = NSS_InitReadWrite(PATH_TO_TB_DB);
>>>     ... if success load certificates with PK11_ListCerts(PK11CertListAll, NULL);
>>>     NSS_Shutdown();
>>> }
>>>
>>> So these are my two functions in which I open and close the databases and retrieve the certificates.
>> So the certs you got from the first call are likely preventing NSS_Shutdown from completing. The certs hold references to the respective slots. Those references prevent NSS_Shutdown from closing completely. This will prevent the second NSS_Init from succeeding, so you probably crash in your second shutdown. You can detect this happened by looking at the return value from NSS_Shutdown().
>>> --> 2) To open additional databases you want to use SECMOD_OpenUserDB
>>> So this means: first I have to call NSS_Init with, let's say, the Firefox database and then I have to call SECMOD_OpenUserDB with the Thunderbird database, right? Or must I load both with SECMOD_OpenUserDB?
>> You can either use NSS_Init with no database and then call SECMOD_OpenUserDB() for both, or you can call NSS_Init with one database and then call SECMOD_OpenUserDB with the other.
>>> --> Once the database is opened any of the NSS find functions will find all the certs in both databases
>>> But I have to know from which database the certificates are coming. So I need to know that, let's say, certificate ABC is stored inside the Firefox database and certificate 123 is stored in the Thunderbird database. How can I do that? Or is this not possible?
>> The slot of the database can be found in the cert->slot entry, but this will only give you ONE of the slots the cert lives in. If a cert exists in both databases, it will have a single entry on the list and it is "somewhat" random which slot is listed (if you open one database with NSS_Init and the second with SECMOD_OpenUserDB() then the one you opened with SECMOD_OpenUserDB() will be the slot that shows up).
>>
>> To fix this issue, there's a function called PK11_GetAllSlotsForCert() which returns a slotList and will return all the slots that hold this cert. The slots map one for one to the databases you opened (or any smart cards you have loaded). You can control the 'tokenName' of each slot with the string arguments you pass to SECMOD_OpenUserDB(), and you can get the token name with PK11_GetTokenName() on each slot on the list.
>>
>> You could also use PK11_ListCertsInSlot() which takes a slot (SECMOD_OpenUserDB() will return a slot for you) and lists only those certs in that slot.
>>
>> Be sure to free all these things once you are through with them, or your shutdown will fail at the end again.
>>
>> bob
>
> thanks again for the detailed explanation, that helps me a lot - many thanks!
>
> --> So the certs you got from the first call is likely preventing NSS_Shutdown from completing.
> So when I free the used stuff I can close the database correctly, so that I can open the second one. If I can close the first one correctly and NSS shuts down I should be able to open the second one, too. Can you give me some more details on my piece of code or in general how to free the things correctly?

Yes, you have to make sure NSS_Shutdown*() returns without an error; if it doesn't, the next NSS_Init* won't work. You can test whether NSS is still in an initialized state with NSS_IsInitialized(). If NSS does not shut down successfully it's because of
Re: NSS open multiple NSS databases at once?
On Wednesday, 11 January 2017 00:45:45 UTC+1, Robert Relyea wrote:
> On 01/10/2017 02:07 PM, Opa114 wrote:
>> On Tuesday, 10 January 2017 22:24:10 UTC+1, Robert Relyea wrote:
>>> On 01/10/2017 10:18 AM, Opa114 wrote:
>>>> thanks, but these facts I know.
>>>> I don't want to let multiple applications open one database, I want to open multiple different Mozilla databases, in the old standard format, with one (my) application.
>>>>
>>>> I tried to use the NSS_Init functions. These work with opening one database, but when I open a second one the whole application crashes, so that's why I asked the question and maybe get some working example C++ code?
>>> 1) Where are you crashing (it's not expected to work, but I don't expect a crash because you called NSS_Init again).
>>>
>>> 2) To open additional databases you want to use SECMOD_OpenUserDB:
>>>
>>> https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/PKCS11_Functions#SECMOD_OpenUserDB
>>>
>>> You can call that multiple times.
>>> Once the database is opened any of the NSS find functions will find all the certs in both databases. The slot returned from SECMOD_OpenUserDB can be used in functions that take a slot to narrow the operations just to that particular database.
>>>
>>> To NSS each database will look basically like a smart card.
>>>
>>> When you are through with that database you can use SECMOD_CloseUserDB()
>>>
>>> bob
>> thanks for the reply. Here is first some little code which did not work, that means it crashes:
>>
>> functionLoadFirefox() {
>>     SECStatus rv = NSS_InitReadWrite(PATH_TO_FF_DB);
>>     ... if success load certificates with PK11_ListCerts(PK11CertListAll, NULL);
>>     NSS_Shutdown();
>> }
>>
>> functionLoadThunderbird() {
>>     SECStatus rv = NSS_InitReadWrite(PATH_TO_TB_DB);
>>     ... if success load certificates with PK11_ListCerts(PK11CertListAll, NULL);
>>     NSS_Shutdown();
>> }
>>
>> So these are my two functions in which I open and close the databases and retrieve the certificates.
> So the certs you got from the first call are likely preventing NSS_Shutdown from completing. The certs hold references to the respective slots. Those references prevent NSS_Shutdown from closing completely. This will prevent the second NSS_Init from succeeding, so you probably crash in your second shutdown. You can detect this happened by looking at the return value from NSS_Shutdown().
>> --> 2) To open additional databases you want to use SECMOD_OpenUserDB
>> So this means: first I have to call NSS_Init with, let's say, the Firefox database and then I have to call SECMOD_OpenUserDB with the Thunderbird database, right? Or must I load both with SECMOD_OpenUserDB?
> You can either use NSS_Init with no database and then call SECMOD_OpenUserDB() for both, or you can call NSS_Init with one database and then call SECMOD_OpenUserDB with the other.
>> --> Once the database is opened any of the NSS find functions will find all the certs in both databases
>> But I have to know from which database the certificates are coming. So I need to know that, let's say, certificate ABC is stored inside the Firefox database and certificate 123 is stored in the Thunderbird database. How can I do that? Or is this not possible?
> The slot of the database can be found in the cert->slot entry, but this will only give you ONE of the slots the cert lives in. If a cert exists in both databases, it will have a single entry on the list and it is "somewhat" random which slot is listed (if you open one database with NSS_Init and the second with SECMOD_OpenUserDB() then the one you opened with SECMOD_OpenUserDB() will be the slot that shows up).
>
> To fix this issue, there's a function called PK11_GetAllSlotsForCert() which returns a slotList and will return all the slots that hold this cert. The slots map one for one to the databases you opened (or any smart cards you have loaded). You can control the 'tokenName' of each slot with the string arguments you pass to SECMOD_OpenUserDB(), and you can get the token name with PK11_GetTokenName() on each slot on the list.
>
> You could also use PK11_ListCertsInSlot() which takes a slot (SECMOD_OpenUserDB() will return a slot for you) and lists only those certs in that slot.
>
> Be sure to free all these things once you are through with them, or your shutdown will fail at the end again.
>
> bob

thanks again for the detailed explanation, that helps me a lot - many thanks!

--> So the certs you got from the first call is likely preventing NSS_Shutdown from completing.
So when I free the used stuff I can close the database correctly, so that I can open the second one. If I can close the first one correctly and NSS shuts down I should be able to open the second one, too. Can you give me some more details on my piece of code or in general how to
Re: NSS open multiple NSS databases at once?
I think the main restriction you are likely to run into is with trust. You can likely explain how this works far better than I can, but I think essentially, you can't treat your multiple cert/key databases as entirely separate for purposes of trust. I.e. if you try to trust one CA in one DB/slot and not trust it in another DB/slot, you won't actually be able to do that. I think pkcs11.txt will dictate where trust actually ends up getting stored. But there will be one value of trust flags per cert per process at a time. So, the OP should make sure the limitations with trust are understood before trying to use this call. IMO, it's a big can of worms.

Like John, I would also recommend avoiding the use of multiple DBs per process. We didn't go all the way and did not implement multiple trust domains, which would be needed to accomplish true separation of trust. Ideally, NSS should support multiple, completely separate initializations per process, without any shared state between them. But it wasn't designed that way. I think this could be fixed for the upper layers like libnss/libssl/libsmime. It is more difficult to fix for the lower layers, especially PKCS#11, unless the different trust domains have no overlapping PKCS#11 shared libs in common. I don't think the PKCS#11 semantics allow for multiple independent states within one shared lib. So this would likely need to be an extension of the spec.

Julien

On 1/10/2017 3:24 PM, Robert Relyea wrote:
> On 01/10/2017 01:40 PM, John Dennis wrote:
>> On 01/10/2017 04:23 PM, Robert Relyea wrote:
>>> 2) To open additional databases you want to use SECMOD_OpenUserDB:
>> Bob, is SECMOD_OpenUserDB new?
> No, it's been around for quite some time.
>
> bob

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: NSS open multiple NSS databases at once?
On 01/10/2017 02:07 PM, Opa114 wrote:
> On Tuesday, 10 January 2017 22:24:10 UTC+1, Robert Relyea wrote:
>> On 01/10/2017 10:18 AM, Opa114 wrote:
>>> thanks, but these facts I know.
>>> I don't want to let multiple applications open one database, I want to open multiple different Mozilla databases, in the old standard format, with one (my) application.
>>>
>>> I tried to use the NSS_Init functions. These work with opening one database, but when I open a second one the whole application crashes, so that's why I asked the question and maybe get some working example C++ code?
>> 1) Where are you crashing (it's not expected to work, but I don't expect a crash because you called NSS_Init again).
>>
>> 2) To open additional databases you want to use SECMOD_OpenUserDB:
>>
>> https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/PKCS11_Functions#SECMOD_OpenUserDB
>>
>> You can call that multiple times.
>> Once the database is opened any of the NSS find functions will find all the certs in both databases. The slot returned from SECMOD_OpenUserDB can be used in functions that take a slot to narrow the operations just to that particular database.
>>
>> To NSS each database will look basically like a smart card.
>>
>> When you are through with that database you can use SECMOD_CloseUserDB()
>>
>> bob
> thanks for the reply. Here is first some little code which did not work, that means it crashes:
>
> functionLoadFirefox() {
>     SECStatus rv = NSS_InitReadWrite(PATH_TO_FF_DB);
>     ... if success load certificates with PK11_ListCerts(PK11CertListAll, NULL);
>     NSS_Shutdown();
> }
>
> functionLoadThunderbird() {
>     SECStatus rv = NSS_InitReadWrite(PATH_TO_TB_DB);
>     ... if success load certificates with PK11_ListCerts(PK11CertListAll, NULL);
>     NSS_Shutdown();
> }
>
> So these are my two functions in which I open and close the databases and retrieve the certificates.

So the certs you got from the first call are likely preventing NSS_Shutdown from completing. The certs hold references to the respective slots. Those references prevent NSS_Shutdown from closing completely. This will prevent the second NSS_Init from succeeding, so you probably crash in your second shutdown. You can detect this happened by looking at the return value from NSS_Shutdown().

> --> 2) To open additional databases you want to use SECMOD_OpenUserDB
> So this means: first I have to call NSS_Init with, let's say, the Firefox database and then I have to call SECMOD_OpenUserDB with the Thunderbird database, right? Or must I load both with SECMOD_OpenUserDB?

You can either use NSS_Init with no database and then call SECMOD_OpenUserDB() for both, or you can call NSS_Init with one database and then call SECMOD_OpenUserDB with the other.

> --> Once the database is opened any of the NSS find functions will find all the certs in both databases
> But I have to know from which database the certificates are coming. So I need to know that, let's say, certificate ABC is stored inside the Firefox database and certificate 123 is stored in the Thunderbird database. How can I do that? Or is this not possible?

The slot of the database can be found in the cert->slot entry, but this will only give you ONE of the slots the cert lives in. If a cert exists in both databases, it will have a single entry on the list and it is "somewhat" random which slot is listed (if you open one database with NSS_Init and the second with SECMOD_OpenUserDB() then the one you opened with SECMOD_OpenUserDB() will be the slot that shows up).

To fix this issue, there's a function called PK11_GetAllSlotsForCert() which returns a slotList and will return all the slots that hold this cert. The slots map one for one to the databases you opened (or any smart cards you have loaded). You can control the 'tokenName' of each slot with the string arguments you pass to SECMOD_OpenUserDB(), and you can get the token name with PK11_GetTokenName() on each slot on the list.

You could also use PK11_ListCertsInSlot() which takes a slot (SECMOD_OpenUserDB() will return a slot for you) and lists only those certs in that slot.

Be sure to free all these things once you are through with them, or your shutdown will fail at the end again.

bob
Re: NSS open multiple NSS databases at once?
On Tuesday, 10 January 2017 22:24:10 UTC+1, Robert Relyea wrote:
> On 01/10/2017 10:18 AM, Opa114 wrote:
>> thanks, but these facts I know.
>> I don't want to let multiple applications open one database, I want to open multiple different Mozilla databases, in the old standard format, with one (my) application.
>>
>> I tried to use the NSS_Init functions. These work with opening one database, but when I open a second one the whole application crashes, so that's why I asked the question and maybe get some working example C++ code?
> 1) Where are you crashing (it's not expected to work, but I don't expect a crash because you called NSS_Init again).
>
> 2) To open additional databases you want to use SECMOD_OpenUserDB:
>
> https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/PKCS11_Functions#SECMOD_OpenUserDB
>
> You can call that multiple times.
> Once the database is opened any of the NSS find functions will find all the certs in both databases. The slot returned from SECMOD_OpenUserDB can be used in functions that take a slot to narrow the operations just to that particular database.
>
> To NSS each database will look basically like a smart card.
>
> When you are through with that database you can use SECMOD_CloseUserDB()
>
> bob

thanks for the reply. Here is first some little code which did not work, that means it crashes:

functionLoadFirefox() {
    SECStatus rv = NSS_InitReadWrite(PATH_TO_FF_DB);
    ... if success load certificates with PK11_ListCerts(PK11CertListAll, NULL);
    NSS_Shutdown();
}

functionLoadThunderbird() {
    SECStatus rv = NSS_InitReadWrite(PATH_TO_TB_DB);
    ... if success load certificates with PK11_ListCerts(PK11CertListAll, NULL);
    NSS_Shutdown();
}

So these are my two functions in which I open and close the databases and retrieve the certificates.

--> 2) To open additional databases you want to use SECMOD_OpenUserDB
So this means: first I have to call NSS_Init with, let's say, the Firefox database and then I have to call SECMOD_OpenUserDB with the Thunderbird database, right? Or must I load both with SECMOD_OpenUserDB?

--> Once the database is opened any of the NSS find functions will find all the certs in both databases
But I have to know from which database the certificates are coming. So I need to know that, let's say, certificate ABC is stored inside the Firefox database and certificate 123 is stored in the Thunderbird database. How can I do that? Or is this not possible?
Re: NSS open multiple NSS databases at once?
On 01/10/2017 10:18 AM, Opa114 wrote:
> thanks, but these facts I know.
> I don't want to let multiple applications open one database, I want to open multiple different Mozilla databases, in the old standard format, with one (my) application.
>
> I tried to use the NSS_Init functions. These work with opening one database, but when I open a second one the whole application crashes, so that's why I asked the question and maybe get some working example C++ code?

1) Where are you crashing (it's not expected to work, but I don't expect a crash because you called NSS_Init again).

2) To open additional databases you want to use SECMOD_OpenUserDB:

https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/PKCS11_Functions#SECMOD_OpenUserDB

You can call that multiple times.
Once the database is opened any of the NSS find functions will find all the certs in both databases. The slot returned from SECMOD_OpenUserDB can be used in functions that take a slot to narrow the operations just to that particular database.

To NSS each database will look basically like a smart card.

When you are through with that database you can use SECMOD_CloseUserDB()

bob
Re: NSS open multiple NSS databases at once?
On 01/08/2017 05:34 AM, Opa114 wrote:
> Hi there,
> I have to use NSS in one of my applications and therefore I have to open multiple databases (for example Firefox and Thunderbird) at once to read and write into these. How can I do this programmatically in C++? Some example code would be very helpful because the whole NSS stuff is not very well documented. Thanks in advance! :)

NSS does have a database format that can allow multiple applications to open the same database at the same time, but neither Firefox nor Thunderbird has yet moved to that database. It is possible to force them to use this database format by setting NSS_DEFAULT_DB_TYPE to sql. Once they are using the same database, you will have to use symbolic links so that the NSS databases in the separate Firefox and Thunderbird profiles point to a single database.

https://wiki.mozilla.org/NSS_Shared_DB_Howto explains how to set up the above.

If you have an application, you can open the shared database by passing "sql:{shared directory path}" to the configdir parameter of the NSS_Initxxx function you are calling to initialize NSS (where {shared directory path} is replaced by a path to a common directory you wish your applications to share).

Some recommendations for Linux based applications can be found here: https://wiki.mozilla.org/NSS_Shared_DB_And_LINUX

bob
NSS open multiple NSS databases at once?
Hi there,
I have to use NSS in one of my applications and therefore I have to open multiple databases (for example Firefox and Thunderbird) at once to read and write into these. How can I do this programmatically in C++? Some example code would be very helpful because the whole NSS stuff is not very well documented. Thanks in advance! :)