[Pki-devel] [PATCH] 198-203 patches to address multiple issues in KeyResource server and client code.

Endi Sukma Dewata edewata at redhat.com
Tue Feb 25 20:08:11 UTC 2014


On 2/24/2014 4:20 PM, John Magne wrote:
> I'll piggy back on this ACK. Just a few comments interspersed.
>
>> Patch #199:
>>
>> 2. The error message probably should just say "Directory already
>> exists". The end user should not see a variable name in the error
>> message. If the program ends with this error the user would know that an
>> existing database causes a conflict, so either they will remove it or
>> use a different path or overwrite it with a flag.
>
> For this db exists already? Is this really the end of the world?
> Could we just go ahead and open it for them and move on? For instance
> nss now has the notion of a completely common db where one could
> conceivably just add to it.

Not sure how up-to-date this page is, but here's what it says:
https://wiki.mozilla.org/NSS_Library_Init

"We intended to go to a single user/machine configuration for most 
applications and libraries, ... One problem with this approach is that 
not all NSS applications run on systems which will have a 'system 
configured' NSS. In addition, there are still cases where the user may 
want to keep multiple different configurations for testing ..."

I think there would be cases where the client wants to use a separate 
database and make sure it's not overwriting an existing one.

>> 7. Can these 3 invocations be combined:
>>
>>       cryptoutil.NSSCryptoUtil.setup_database(
>>           certdb_dir, certdb_password, over_write=True)
>>       crypto = cryptoutil.NSSCryptoUtil(certdb_dir, certdb_password)
>>       crypto.initialize_db()
>>
>> into this?
>
> I agree with this, if it's feasible. This way they don't have to worry about
> initializing anything, they just put in the params to identify the db.

As discussed with Ade, it might not be possible now since importing the 
transport cert is done using certutil instead of python-nss. Since the 
nss database can't be shared among multiple processes, the import has to 
be done first using certutil, then python-nss can initialize the database 
after that.

Ideally the import has to be done with python-nss as well, but we don't 
know if the functionality is exposed in python-nss.

-- 
Endi S. Dewata
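An added example, not code from the pki project or from anyone in this thread, of the guard the review comments discuss: a setup routine that refuses to clobber an existing certdb directory unless `over_write=True`, reports the plain user-facing message "Directory already exists", and creates the directory and password file owner-only. The function and exception names and the `password.txt` layout are assumptions.

```python
import os
import shutil
import stat
import tempfile


class DatabaseExistsError(Exception):
    """Raised when the target certdb directory already exists."""


def setup_database(certdb_dir, certdb_password, over_write=False):
    """Create an empty, private certdb directory plus its password file.

    Fails closed on an existing directory unless over_write=True; the error
    text is the plain message a user should see, not an internal variable name.
    """
    if over_write:
        # Explicit opt-in: discard whatever database was there before.
        shutil.rmtree(certdb_dir, ignore_errors=True)
    try:
        # mkdir itself raises on an existing path, so no exists()/mkdir race.
        os.mkdir(certdb_dir, 0o700)
    except FileExistsError:
        raise DatabaseExistsError("Directory already exists") from None
    # Password file for certutil -f; owner-only permissions from creation.
    pw_path = os.path.join(certdb_dir, "password.txt")
    fd = os.open(pw_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(certdb_password)
    return pw_path


def password_file_mode(pw_path):
    """Permission bits of the password file (expected 0o600)."""
    return stat.S_IMODE(os.stat(pw_path).st_mode)


def demo():
    """Exercise the guard in a scratch directory and report what happened."""
    base = tempfile.mkdtemp()
    certdb_dir = os.path.join(base, "nssdb")
    try:
        first = setup_database(certdb_dir, "constructed-password")
        try:
            setup_database(certdb_dir, "constructed-password")
            second = "no error"
        except DatabaseExistsError as e:
            second = str(e)          # -> "Directory already exists"
        third = setup_database(certdb_dir, "constructed-password", over_write=True)
        return {"first_mode": password_file_mode(first),
                "second": second,
                "third_ok": os.path.isfile(third)}
    finally:
        shutil.rmtree(base, ignore_errors=True)
```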



