mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-10-19 08:15:31 +00:00
Bug 1360307 - Improves the arguments to mozilla::psm::InitializeNSS r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D39011 --HG-- extra : moz-landing-system : lando
This commit is contained in:
parent
a2b73b8abc
commit
978fb0351d
@ -1281,8 +1281,8 @@ void NSSCertDBTrustDomain::NoteAuxiliaryExtension(AuxiliaryExtension extension,
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
SECStatus InitializeNSS(const nsACString& dir, bool readOnly,
|
SECStatus InitializeNSS(const nsACString& dir, NSSDBConfig nssDbConfig,
|
||||||
bool loadPKCS11Modules) {
|
PKCS11DBConfig pkcs11DbConfig) {
|
||||||
MOZ_ASSERT(NS_IsMainThread());
|
MOZ_ASSERT(NS_IsMainThread());
|
||||||
|
|
||||||
// The NSS_INIT_NOROOTINIT flag turns off the loading of the root certs
|
// The NSS_INIT_NOROOTINIT flag turns off the loading of the root certs
|
||||||
@ -1291,24 +1291,24 @@ SECStatus InitializeNSS(const nsACString& dir, bool readOnly,
|
|||||||
// Ubuntu 8.04, which loads any nonexistent "<configdir>/libnssckbi.so" as
|
// Ubuntu 8.04, which loads any nonexistent "<configdir>/libnssckbi.so" as
|
||||||
// "/usr/lib/nss/libnssckbi.so".
|
// "/usr/lib/nss/libnssckbi.so".
|
||||||
uint32_t flags = NSS_INIT_NOROOTINIT | NSS_INIT_OPTIMIZESPACE;
|
uint32_t flags = NSS_INIT_NOROOTINIT | NSS_INIT_OPTIMIZESPACE;
|
||||||
if (readOnly) {
|
if (nssDbConfig == NSSDBConfig::ReadOnly) {
|
||||||
flags |= NSS_INIT_READONLY;
|
flags |= NSS_INIT_READONLY;
|
||||||
}
|
}
|
||||||
if (!loadPKCS11Modules) {
|
if (pkcs11DbConfig == PKCS11DBConfig::DoNotLoadModules) {
|
||||||
flags |= NSS_INIT_NOMODDB;
|
flags |= NSS_INIT_NOMODDB;
|
||||||
}
|
}
|
||||||
nsAutoCString dbTypeAndDirectory("sql:");
|
nsAutoCString dbTypeAndDirectory("sql:");
|
||||||
dbTypeAndDirectory.Append(dir);
|
dbTypeAndDirectory.Append(dir);
|
||||||
MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
|
MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
|
||||||
("InitializeNSS(%s, %d, %d)", dbTypeAndDirectory.get(), readOnly,
|
("InitializeNSS(%s, %d, %d)", dbTypeAndDirectory.get(),
|
||||||
loadPKCS11Modules));
|
(int)nssDbConfig, (int)pkcs11DbConfig));
|
||||||
SECStatus srv =
|
SECStatus srv =
|
||||||
NSS_Initialize(dbTypeAndDirectory.get(), "", "", SECMOD_DB, flags);
|
NSS_Initialize(dbTypeAndDirectory.get(), "", "", SECMOD_DB, flags);
|
||||||
if (srv != SECSuccess) {
|
if (srv != SECSuccess) {
|
||||||
return srv;
|
return srv;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!readOnly) {
|
if (nssDbConfig == NSSDBConfig::ReadWrite) {
|
||||||
UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
|
UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
|
||||||
if (!slot) {
|
if (!slot) {
|
||||||
return SECFailure;
|
return SECFailure;
|
||||||
|
@ -28,6 +28,16 @@ enum class ValidityCheckingMode {
|
|||||||
CheckForEV = 1,
|
CheckForEV = 1,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
enum class NSSDBConfig {
|
||||||
|
ReadWrite = 0,
|
||||||
|
ReadOnly = 1,
|
||||||
|
};
|
||||||
|
|
||||||
|
enum class PKCS11DBConfig {
|
||||||
|
DoNotLoadModules = 0,
|
||||||
|
LoadModules = 1,
|
||||||
|
};
|
||||||
|
|
||||||
// Policy options for matching id-Netscape-stepUp with id-kp-serverAuth (for CA
|
// Policy options for matching id-Netscape-stepUp with id-kp-serverAuth (for CA
|
||||||
// certificates only):
|
// certificates only):
|
||||||
// * Always match: the step-up OID is considered equivalent to serverAuth
|
// * Always match: the step-up OID is considered equivalent to serverAuth
|
||||||
@ -42,8 +52,8 @@ enum class NetscapeStepUpPolicy : uint32_t {
|
|||||||
NeverMatch = 3,
|
NeverMatch = 3,
|
||||||
};
|
};
|
||||||
|
|
||||||
SECStatus InitializeNSS(const nsACString& dir, bool readOnly,
|
SECStatus InitializeNSS(const nsACString& dir, NSSDBConfig nssDbConfig,
|
||||||
bool loadPKCS11Modules);
|
PKCS11DBConfig pkcs11DbConfig);
|
||||||
|
|
||||||
void DisableMD5();
|
void DisableMD5();
|
||||||
|
|
||||||
|
@ -1571,7 +1571,10 @@ static nsresult InitializeNSSWithFallbacks(const nsACString& profilePath,
|
|||||||
#ifndef ANDROID
|
#ifndef ANDROID
|
||||||
PRErrorCode savedPRErrorCode1;
|
PRErrorCode savedPRErrorCode1;
|
||||||
#endif // ifndef ANDROID
|
#endif // ifndef ANDROID
|
||||||
SECStatus srv = ::mozilla::psm::InitializeNSS(profilePath, false, !safeMode);
|
PKCS11DBConfig safeModeDBConfig =
|
||||||
|
safeMode ? PKCS11DBConfig::DoNotLoadModules : PKCS11DBConfig::LoadModules;
|
||||||
|
SECStatus srv = ::mozilla::psm::InitializeNSS(
|
||||||
|
profilePath, NSSDBConfig::ReadWrite, safeModeDBConfig);
|
||||||
if (srv == SECSuccess) {
|
if (srv == SECSuccess) {
|
||||||
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("initialized NSS in r/w mode"));
|
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("initialized NSS in r/w mode"));
|
||||||
#ifndef ANDROID
|
#ifndef ANDROID
|
||||||
@ -1584,7 +1587,8 @@ static nsresult InitializeNSSWithFallbacks(const nsACString& profilePath,
|
|||||||
PRErrorCode savedPRErrorCode2;
|
PRErrorCode savedPRErrorCode2;
|
||||||
#endif // ifndef ANDROID
|
#endif // ifndef ANDROID
|
||||||
// That failed. Try read-only mode.
|
// That failed. Try read-only mode.
|
||||||
srv = ::mozilla::psm::InitializeNSS(profilePath, true, !safeMode);
|
srv = ::mozilla::psm::InitializeNSS(profilePath, NSSDBConfig::ReadOnly,
|
||||||
|
safeModeDBConfig);
|
||||||
if (srv == SECSuccess) {
|
if (srv == SECSuccess) {
|
||||||
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("initialized NSS in r-o mode"));
|
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("initialized NSS in r-o mode"));
|
||||||
return NS_OK;
|
return NS_OK;
|
||||||
@ -1611,7 +1615,8 @@ static nsresult InitializeNSSWithFallbacks(const nsACString& profilePath,
|
|||||||
// problem, but for some reason the combination of read-only and no-moddb
|
// problem, but for some reason the combination of read-only and no-moddb
|
||||||
// flags causes NSS initialization to fail, so unfortunately we have to use
|
// flags causes NSS initialization to fail, so unfortunately we have to use
|
||||||
// read-write mode.
|
// read-write mode.
|
||||||
srv = ::mozilla::psm::InitializeNSS(profilePath, false, false);
|
srv = ::mozilla::psm::InitializeNSS(profilePath, NSSDBConfig::ReadWrite,
|
||||||
|
PKCS11DBConfig::DoNotLoadModules);
|
||||||
if (srv == SECSuccess) {
|
if (srv == SECSuccess) {
|
||||||
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("FIPS may be the problem"));
|
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("FIPS may be the problem"));
|
||||||
// Unload NSS so we can attempt to fix this situation for the user.
|
// Unload NSS so we can attempt to fix this situation for the user.
|
||||||
@ -1637,12 +1642,14 @@ static nsresult InitializeNSSWithFallbacks(const nsACString& profilePath,
|
|||||||
# endif
|
# endif
|
||||||
return rv;
|
return rv;
|
||||||
}
|
}
|
||||||
srv = ::mozilla::psm::InitializeNSS(profilePath, false, true);
|
srv = ::mozilla::psm::InitializeNSS(profilePath, NSSDBConfig::ReadWrite,
|
||||||
|
PKCS11DBConfig::LoadModules);
|
||||||
if (srv == SECSuccess) {
|
if (srv == SECSuccess) {
|
||||||
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("initialized in r/w mode"));
|
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("initialized in r/w mode"));
|
||||||
return NS_OK;
|
return NS_OK;
|
||||||
}
|
}
|
||||||
srv = ::mozilla::psm::InitializeNSS(profilePath, true, true);
|
srv = ::mozilla::psm::InitializeNSS(profilePath, NSSDBConfig::ReadOnly,
|
||||||
|
PKCS11DBConfig::LoadModules);
|
||||||
if (srv == SECSuccess) {
|
if (srv == SECSuccess) {
|
||||||
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("initialized in r-o mode"));
|
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("initialized in r-o mode"));
|
||||||
return NS_OK;
|
return NS_OK;
|
||||||
|
Loading…
Reference in New Issue
Block a user