Bug 915818 - Preparing NSS for SharedSystemCertificates
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: nss
Version: 19
Priority: high
Severity: unspecified
Assigned To: Kai Engert (:kaie)
Blocks: 466626 959179
Reported: 2013-02-26 10:09 EST by Kai Engert (:kaie)
Modified: 2013-05-03 15:36 EDT
Last Closed: 2013-05-03 15:36:32 EDT
Type: Bug
Attachments
- a dummy.src.rpm, using NSS existing approach - regular lib.so (1.96 KB, application/octet-stream), 2013-02-26 10:15 EST, Kai Engert (:kaie)
- a dummy.src.rpm, new proposed approach - lib.so as alternative symbolic link (2.40 KB, application/octet-stream), 2013-02-26 10:16 EST, Kai Engert (:kaie)
- Patch for nss.spec (3.43 KB, patch), 2013-03-05 10:01 EST, Kai Engert (:kaie)
- Patch v2 (3.95 KB, patch), 2013-03-05 15:39 EST, Kai Engert (:kaie)

Description Kai Engert (:kaie) 2013-02-26 10:09:46 EST
This is a preparation task for
https://fedoraproject.org/wiki/Features/SharedSystemCertificates

For Fedora 19, we want to introduce a drop-in replacement for libnssckbi.so

The drop-in replacement will likely be contained in the p11-kit.rpm package.

We want:
- NSS continues to ship a libnssckbi.so file,
  however under a new name

- the drop-in replacement shipped by p11-kit is also shipped
  under a new name

- use the http://fedoraproject.org/wiki/Packaging:Alternatives
  approach that uses a symbolic link to select one or the other.

- use a low priority number for libnssckbi.so shipped by NSS

- use a high priority number for the replacement shipped by p11-kit

In order to prepare for that new world, we should prepare the NSS package
as soon as possible to make use of the alternatives system.

This means, we need an update to NSS that:
- ships libnssckbi.so under a different name,
  I propose: libnssckbi.so
- sets up symbolic links using the alternatives system.

I suspect this will be the only NSS-related change necessary for the new system feature.

I would like to ensure that things don't break when upgrading/downgrading between packages that ship libnssckbi.so as a full file, and those newer packages that ship it as a symbolic link.

For that reason, I already made experiments, and I have example .spec files including post/pre scripts, that seem to solve the problem for me.
Comment 1 Kai Engert (:kaie) 2013-02-26 10:13:48 EST
In case you are interested, I would like you to be able to experiment with the proposed upgrade/downgrade solution, and to review the scripts. I'm therefore attaching the "dummy" packages I used for testing.
Comment 2 Kai Engert (:kaie) 2013-02-26 10:15:11 EST
Created attachment 702958
a dummy.src.rpm, using NSS existing approach - regular lib.so
Comment 3 Kai Engert (:kaie) 2013-02-26 10:16:13 EST
Created attachment 702959
a dummy.src.rpm, new proposed approach - lib.so as alternative symbolic link
Comment 4 Kai Engert (:kaie) 2013-03-05 10:01:14 EST
Created attachment 705495
Patch for nss.spec
Comment 5 Kai Engert (:kaie) 2013-03-05 15:38:07 EST
Comment on attachment 705495
Patch for nss.spec

bad patch
Comment 6 Kai Engert (:kaie) 2013-03-05 15:39:51 EST
Created attachment 705665
Patch v2

Using this patch, we get the following files on a multiarch system:

[root@localhost ~]# ls -ld /usr/lib*/libnssckbi.so* /etc/alternatives/*nssckbi* /usr/lib*/nss/*.so
lrwxrwxrwx. 1 root root     26 Mar  5 15:28 /etc/alternatives/libnssckbi.so -> /usr/lib/nss/libnssckbi.so
lrwxrwxrwx. 1 root root     28 Mar  5 15:28 /etc/alternatives/libnssckbi.so.x86_64 -> /usr/lib64/nss/libnssckbi.so
lrwxrwxrwx. 1 root root     38 Mar  5 15:28 /usr/lib64/libnssckbi.so -> /etc/alternatives/libnssckbi.so.x86_64
-rwxr-xr-x. 1 root root 616568 Mar  5 15:13 /usr/lib64/nss/libnssckbi.so
lrwxrwxrwx. 1 root root     31 Mar  5 15:28 /usr/lib/libnssckbi.so -> /etc/alternatives/libnssckbi.so
-rwxr-xr-x. 1 root root 467308 Mar  5 15:13 /usr/lib/nss/libnssckbi.so
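
As an added example (not part of the original bug report or of the nss package scripts), the shell functions below walk the symlink chain shown in comment 6 and report which file is finally opened under the name libnssckbi.so. The function names and the ROOT prefix convention are assumptions of this example, and the sample tree is constructed from the lib64 lines of the listing.

```bash
#!/bin/bash
# Constructed example: follow the libnssckbi.so symlink chain hop by hop.
# ROOT is a prefix ("" on a live system, or a mounted image / test tree).

# resolve_chain ROOT PATH: print every hop, ending with the regular file.
# Returns 1 on a dangling link, 2 if the chain is longer than 8 hops (loop).
resolve_chain() {
    local root="$1" path="$2" hops=0 target
    while [ -L "$root$path" ]; do
        printf '%s\n' "$path"
        target=$(readlink "$root$path") || return 1
        case $target in
            /*) path=$target ;;                      # absolute: restart at ROOT
            *)  path=$(dirname "$path")/$target ;;   # relative to the link's dir
        esac
        hops=$((hops + 1))
        [ "$hops" -le 8 ] || return 2
    done
    [ -f "$root$path" ] || return 1
    printf '%s\n' "$path"
}

# active_provider ROOT PATH: print the file that is finally loaded.
# Returns 3 when the chain never passes through /etc/alternatives
# (a package that still ships the library as a plain file).
active_provider() {
    local chain
    chain=$(resolve_chain "$1" "$2") || return $?
    printf '%s\n' "$chain" | grep -q '^/etc/alternatives/' || return 3
    printf '%s\n' "$chain" | tail -n 1
}

# build_sample_tree DIR: constructed copy of the lib64 entries in comment 6.
build_sample_tree() {
    mkdir -p "$1/etc/alternatives" "$1/usr/lib64/nss"
    : > "$1/usr/lib64/nss/libnssckbi.so"
    ln -s /usr/lib64/nss/libnssckbi.so "$1/etc/alternatives/libnssckbi.so.x86_64"
    ln -s /etc/alternatives/libnssckbi.so.x86_64 "$1/usr/lib64/libnssckbi.so"
}

# Demo on the constructed tree; prints /usr/lib64/nss/libnssckbi.so
demo_root=$(mktemp -d)
build_sample_tree "$demo_root"
active_provider "$demo_root" /usr/lib64/libnssckbi.so
rm -rf "$demo_root"
```

On a live system, pass an empty ROOT, for example `active_provider "" /usr/lib64/libnssckbi.so`; the exit codes distinguish a dangling link (1) from a library that is not managed by alternatives (3).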
Comment 7 Kai Engert (:kaie) 2013-03-05 15:46:59 EST
Scratch build with the patch:
http://koji.fedoraproject.org/koji/taskinfo?taskID=5082474
Comment 8 Kai Engert (:kaie) 2013-03-05 18:21:57 EST
FYI, of course, the %check exit 0 isn't meant to get included.
I use it for quicker turnaround while working on the package scripts.
Comment 9 Stef Walter 2013-03-12 05:38:43 EDT
Ready for testing in rawhide.
Comment 10 David Woodhouse 2013-03-21 08:18:57 EDT
Some apps such as EVolution
Comment 11 David Woodhouse 2013-03-21 08:21:16 EDT
Oops. Some apps such as Evolution are already updated to use the NSS shared system database, finding certs and keys in /etc/pki/nssdb and then ~/.pki/nssdb.

Are we limiting our focus *only* to certs, for now? It would have been good to move all apps to the shared system database, and the new p11-kit modules could have been loaded from /etc/pki/nssdb/pkcs11.txt rather than needing a hacked nssckbi.so.

What *should* NSS-using applications be doing, ideally?
Comment 12 Stef Walter 2013-03-21 08:28:23 EDT
(In reply to comment #11)
> Oops. Some apps such as Evolution are already updated to use the NSS shared
> system database, finding certs and keys in /etc/pki/nssdb and then
> ~/.pki/nssdb.
> 
> Are we limiting our focus *only* to certs, for now? 

Yes for now.

> It would have been good
> to move all apps to the shared system database, and the new p11-kit modules
> could have been loaded from /etc/pki/nssdb/pkcs11.txt rather than needing a
> hacked nssckbi.so.

Perhaps. And we can still do that in the future. But realistically we weren't able to pull that off as part of this first step.

> What *should* NSS-using applications be doing, ideally?

I would indeed like to see NSS use p11-kit to load the configured modules. In addition, you may be aware that libsoftoken usage of /etc/pki/nssdb is pretty broken, due to file locking DOSing from unprivileged users on the sqlite database.
Comment 13 Kai Engert (:kaie) 2013-03-21 08:42:07 EDT
(In reply to comment #11)
> Are we limiting our focus *only* to certs, for now? It would have been good
> to move all apps to the shared system database,

That's nontrivial, because applications decide which path they use, and we don't have migration code that works in all scenarios (in particular, if different passwords are set on app specific and shared location).
Comment 14 Kai Engert (:kaie) 2013-03-21 08:44:34 EDT
Solving the pkcs#11 config and obsoleting the old /etc/pki/nssdb is a separate task, we cannot do everything at once.
Comment 15 Fedora End Of Life 2013-04-03 16:32:19 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19
Comment 16 Stef Walter 2013-05-03 05:52:24 EDT
Kai, I believe this is complete right?
Comment 17 Kai Engert (:kaie) 2013-05-03 15:36:32 EDT
(In reply to comment #16)
> Kai, I believe this is complete right?

Yes, I think so, nss-3.14.3-10
