[Bug 473] New: NSS PKCS11 regression - due to java.security automatic loading

bugzilla-daemon at icedtea.classpath.org bugzilla-daemon at icedtea.classpath.org
Mon Apr 19 05:03:35 PDT 2010 

http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=473

           Summary: NSS PKCS11 regression - due to java.security automatic
                    loading
           Product: IcedTea
           Version: 6-1.8
          Platform: all
        OS/Version: Windows
            Status: NEW
          Severity: critical
          Priority: P2
         Component: IcedTea6
        AssignedTo: unassigned at icedtea.classpath.org
        ReportedBy: matej.spiller at gmail.com


According to 
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2009-September/007272.html
there was added a patch for automatic NSS provider loading. This patch breaks
presumably all applications using NSS DB.

The main problem is because NSS cannot be loaded again with appropriate user's
firefox profile with password DB after it was already loaded.

There should be an option to either REALLY unload provider (remove provider
still leaves SecMod in initialized state), or allow loading of user DBs through
a keystore.load (after provider is loaded), or remove the patch completely.
Another option could be to add boolean flag like nssForceLoad that unloads and
loads SECMOD PKCS11 again.

Another problem is invalid location of: libnssckbi.so. PKCS11 should load
libnssckbi.so by hand before initializing NSS.


Sample:
//java.security.Security.removeProvider("SunPKCS11-NSS"); //this does not work
(unless you remove it from java.security).

string profile = "/home/hermes/.mozilla/firefox/w7j6r223.default/"; //replace
with your own profile
String tmpConfig = 
        "name=NSSSofToken\n" + 
        "description=NSS PKCS11\n" + 
        "nssLibraryDirectory=/usr/lib\n" +
        "nssSecmodDirectory = \"" + profile.replaceAll("\\\\", "\\\\\\\\") +
"\"\n" + 
        "nssDbMode = readOnly\n" + 
        "nssModule = keystore\n" + 
        "attributes = compatibility";

ByteArrayInputStream strConfig = new
ByteArrayInputStream(tmpConfig.getBytes());

Constructor c =
Class.forName("sun.security.pkcs11.SunPKCS11").getConstructor(new Class[] {
InputStream.class });
java.security.Provider nss = (java.security.Provider) c.newInstance(new
Object[] { strConfig });
KeyStore keystore = KeyStore.getInstance("PKCS11", nss);
System.out.println(keystore.size());


-- 
Configure bugmail: http://icedtea.classpath.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

More information about the distro-pkg-dev mailing list