Bug 915818 - Preparing NSS for SharedSystemCertificates
Summary: Preparing NSS for SharedSystemCertificates
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: nss
Version: 19
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: ---
Assignee: Kai Engert (:kaie) (inactive account)
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 466626 959179
TreeView+ depends on / blocked
 
Reported: 2013-02-26 15:09 UTC by Kai Engert (:kaie) (inactive account)
Modified: 2013-05-03 19:36 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 959179 (view as bug list)
Environment:
Last Closed: 2013-05-03 19:36:32 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)
a dummy.src.rpm, using NSS existing approach - regular lib.so (1.96 KB, application/octet-stream)
2013-02-26 15:15 UTC, Kai Engert (:kaie) (inactive account)
no flags Details
a dummy.src.rpm, new proposed approach - lib.so as alternative symbolic link (2.40 KB, application/octet-stream)
2013-02-26 15:16 UTC, Kai Engert (:kaie) (inactive account)
no flags Details
Patch for nss.spec (3.43 KB, patch)
2013-03-05 15:01 UTC, Kai Engert (:kaie) (inactive account)
no flags Details | Diff
Patch v2 (3.95 KB, patch)
2013-03-05 20:39 UTC, Kai Engert (:kaie) (inactive account)
no flags Details | Diff

Description Kai Engert (:kaie) (inactive account) 2013-02-26 15:09:46 UTC
This is a preparation task for
https://fedoraproject.org/wiki/Features/SharedSystemCertificates

For Fedora 19, we want to introduce a drop-in replacement for libnssckbi.so

The drop in replacement will likely be contained in the p11-kit.rpm package.

We want:
- NSS continues to ship a libnssckbi.so file,
  however under a new name

- the drop-in replacement shipped by p11-kit is also shipped
  under a new name

- use the http://fedoraproject.org/wiki/Packaging:Alternatives
  approach that uses symbolic link to select one or the other.

- use a low priority number for libnssckbi.so shipped by NSS

- use a high priority number for the replacement shipped by p11-kit

In order to prepare for that new world, we should prepare the NSS package
as soon as possible to make use of the alternatives system.

This means, we need an update to NSS that:
- ships libnssckbi.so under a different name,
  I propose: libnssckbi.so
- setup symbolic links using the alternatives system.

I suspect this will be the only NSS-related change necessary for the new system feature.

I would like to ensure that things don't break when upgrading/downgrading between packages that ship libnssckbi.so as a full file, and those newer packages that ship it as a symbolic link.

For that reason, I already made experiments, and I have example .spec files including post/pre scripts, that seem to solve the problem for me.

Comment 1 Kai Engert (:kaie) (inactive account) 2013-02-26 15:13:48 UTC
In case you are interested, I would like you to be able to experiment with the proposed upgrade/downgrade solution, and to review the scripts. I'm therefore attaching the "dummy" packages I used for testing.

Comment 2 Kai Engert (:kaie) (inactive account) 2013-02-26 15:15:11 UTC
Created attachment 702958 [details]
a dummy.src.rpm, using NSS existing approach - regular lib.so

Comment 3 Kai Engert (:kaie) (inactive account) 2013-02-26 15:16:13 UTC
Created attachment 702959 [details]
a dummy.src.rpm, new proposed approach - lib.so as alternative symbolic link

Comment 4 Kai Engert (:kaie) (inactive account) 2013-03-05 15:01:14 UTC
Created attachment 705495 [details]
Patch for nss.spec

Comment 5 Kai Engert (:kaie) (inactive account) 2013-03-05 20:38:07 UTC
Comment on attachment 705495 [details]
Patch for nss.spec

bad patch

Comment 6 Kai Engert (:kaie) (inactive account) 2013-03-05 20:39:51 UTC
Created attachment 705665 [details]
Patch v2

Using this patch, we get the following files on a multiarch system:

[root@localhost ~]# ls -ld /usr/lib*/libnssckbi.so* /etc/alternatives/*nssckbi* /usr/lib*/nss/*.so
lrwxrwxrwx. 1 root root     26 Mar  5 15:28 /etc/alternatives/libnssckbi.so -> /usr/lib/nss/libnssckbi.so
lrwxrwxrwx. 1 root root     28 Mar  5 15:28 /etc/alternatives/libnssckbi.so.x86_64 -> /usr/lib64/nss/libnssckbi.so
lrwxrwxrwx. 1 root root     38 Mar  5 15:28 /usr/lib64/libnssckbi.so -> /etc/alternatives/libnssckbi.so.x86_64
-rwxr-xr-x. 1 root root 616568 Mar  5 15:13 /usr/lib64/nss/libnssckbi.so
lrwxrwxrwx. 1 root root     31 Mar  5 15:28 /usr/lib/libnssckbi.so -> /etc/alternatives/libnssckbi.so
-rwxr-xr-x. 1 root root 467308 Mar  5 15:13 /usr/lib/nss/libnssckbi.so

Comment 7 Kai Engert (:kaie) (inactive account) 2013-03-05 20:46:59 UTC
Scratch build with the patch:
http://koji.fedoraproject.org/koji/taskinfo?taskID=5082474

Comment 8 Kai Engert (:kaie) (inactive account) 2013-03-05 23:21:57 UTC
FYI, of course, the %check exit 0 isn't meant to get included.
I use it for quicker turnaround while working on the package scripts.

Comment 9 Stef Walter 2013-03-12 09:38:43 UTC
Ready for testing in rawhide.

Comment 10 David Woodhouse 2013-03-21 12:18:57 UTC
Some apps such as EVolution

Comment 11 David Woodhouse 2013-03-21 12:21:16 UTC
Oops. Some apps such as Evolution are already updated to use the NSS shared system database, finding certs and keys in /etc/pki/nssdb and then ~/.pki/nssdb.

Are we limiting our focus *only* to certs, for now? It would have been good to move all apps to the shared system database, and the new p11-kit modules could have been loaded from /etc/pki/nssdb/pkcs11.txt rather than needing a hacked nssckbi.so.

What *should* NSS-using applications be doing, ideally?

Comment 12 Stef Walter 2013-03-21 12:28:23 UTC
(In reply to comment #11)
> Oops. Some apps such as Evolution are already updated to use the NSS shared
> system database, finding certs and keys in /etc/pki/nssdb and then
> ~/.pki/nssdb.
> 
> Are we limiting our focus *only* to certs, for now? 

Yes for now.

> It would have been good
> to move all apps to the shared system database, and the new p11-kit modules
> could have been loaded from /etc/pki/nssdb/pkcs11.txt rather than needing a
> hacked nssckbi.so.

Perhaps. And we can still do that in the future. But realistically we weren't able to pull that off that as part of this first step.

> What *should* NSS-using applications be doing, ideally?

I would indeed like to see NSS use p11-kit to load the configured modules. In addition, you may be aware that libsoftoken usage of /etc/pki/nssdb is pretty broken, due to file locking DOSing from unprivileged users on the sqlite database.

Comment 13 Kai Engert (:kaie) (inactive account) 2013-03-21 12:42:07 UTC
(In reply to comment #11)> 
> Are we limiting our focus *only* to certs, for now? It would have been good
> to move all apps to the shared system database,

That's nontrivial, because applications decide which path they use, and we don't have migration code that works in all scenarios (in particular, if different passwords are set on app specific and shared location).

Comment 14 Kai Engert (:kaie) (inactive account) 2013-03-21 12:44:34 UTC
Solving the pkcs#11 config and obsoleting the old /etc/pki/nssdb is a separate task, we cannot do everything at once.

Comment 15 Fedora End Of Life 2013-04-03 20:32:19 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19

Comment 16 Stef Walter 2013-05-03 09:52:24 UTC
Kai, I believe this is complete right?

Comment 17 Kai Engert (:kaie) (inactive account) 2013-05-03 19:36:32 UTC
(In reply to comment #16)
> Kai, I believe this is complete right?

Yes, I think so, nss-3.14.3-10


Note You need to log in before you can comment on or make changes to this bug.