[Pki-devel] [PATCH] 198-203 patches to address multiple issues in KeyResource server and client code.

Ade Lee alee at redhat.com
Wed Feb 26 15:08:54 UTC 2014


Issues addressed and pushed to master.

On Tue, 2014-02-25 at 14:08 -0600, Endi Sukma Dewata wrote:
> On 2/24/2014 4:20 PM, John Magne wrote:
> > I'll piggy back on this ACK. Just a few comments interspersed.
> >
> >> Patch #199:
> >>
> >> 2. The error message probably should just say "Directory already
> >> exists". The end user should not see a variable name in the error
> >> message. If the program ends with this error the user would know that an
> >> existing database causes a conflict, so either they will remove it or
> >> use a different path or overwrite it with a flag.
> >
> > For this db exists already? Is this really the end of the world?
> > Could we just go ahead and open it for them and move on? For instance
> > nss now has the notion of a completely common db where one could
> > conceivably just add to it.
> 
> Not sure how up-to-date this page is, but here's what it says:
> https://wiki.mozilla.org/NSS_Library_Init
> 
> "We intended to go to a single user/machine configuration for most 
> applications and libraries, ... One problem with this approach is that 
> not all NSS applications run on systems which will have a 'system 
> configured' NSS. In addition, there are still cases where the user may 
> want to keep multiple different configurations for testing ..."
> 
> I think there would be cases where the client wants to use a separate 
> database and make sure it's not overwriting an existing one.
> 
> >> 7. Can these 3 invocations be combined:
> >>
> >>       cryptoutil.NSSCryptoUtil.setup_database(
> >>           certdb_dir, certdb_password, over_write=True)
> >>       crypto = cryptoutil.NSSCryptoUtil(certdb_dir, certdb_password)
> >>       crypto.initialize_db()
> >>
> >> into this?
> >
> > I agree with this, if it's feasible. This way they don't have to worry about
> > initializing anything, they just put in the params to identify the db.
> 
> As discussed with Ade, it might not be possible now since importing the 
> transport cert is done using certutil instead of python-nss. Since the 
> nss database can't be shared among multiple processes, the import has to 
> be done first using certutil, then python-nss can initialize the database 
> after that.
> 
> Ideally the import has to be done with python-nss as well, but we don't 
> know if the functionality is exposed in python-nss.
> 




