Unfortunately what you are trying to do is not yet quite as easy as one 
would like.

The basic problem is DBM 1.54 (based on Berkeley db 1.85) does not have 
multi-process access control. When multiple applications try to open the 
database, bad things can happen. Most NSS users get around this by either 
1) having all the apps that use a particular database live in the same 
process, or 2) having multiple apps open the databases R/O, and restarting if 
the databases are modified.

The strategy you've taken will leave you open to database corruption if 
your app and certutil/crlutil happen to open the database at the same time.

To get around this problem I know of three viable options, all of them 
require a fair amount of coding on your part, however:

1) Route your updates through your application. This is what 
mozilla/netscape 6,7 does. With this method not only is there less 
problem with database corruption, but you also know there aren't problems 
with local cache consistency.

2) Write your own PKCS #11 module to export trusted certs and CRLs. 
There are tools to do this in security/lib/nss/ckfw. Unfortunately there 
isn't a lot of documentation on how to write one of these modules. The 
code has been used by some netscape servers to do this kind of function. 
It is also used by netscape products to provide the 'builtin' root module.

3) Install your own database that has R/W access over multiple 
databases. This code is new (only in tip builds of NSS), and is still 
being tested, and has not been documented yet.

I know these aren't great options, but these are how other netscape/aol 
products that I know of try to solve the problem you described.

bob

Jeff Vandegrift wrote:
> I need to update an NSS cert/crl database (e.g. using the certutil and
> crlutil utilities) AND have these changes seen by a running NSS-based
> application.
> 
> The best I've been able to do is to execute the following sequence to
> shutdown NSS and restart it. I leave the PR infrastructure alone,
> which is already running.
> 
> {
>     // shutdown NSS, but leave PR up
> 
>     CERT_ClosePermCertDB ( certDBHandle ) ;
> 
>     NSS_Shutdown() ;
> 
>     // Note: resync with *.db files will take place when NSS restarts
> 
>     // restart NSS, PR is already up
> 
>     rv = NSS_Initialize ( SECU_ConfigDirectory("./"), "", "",
>                           "secmod.db", NSS_INIT_FORCEOPEN ) ;
> 
>     certDBHandle = CERT_GetDefaultCertDB() ;
> 
>     slot = PK11_GetInternalKeySlot() ;
> }
> 
> I also attempted to execute the ->sync() function associated with the
> database; I suspect this is a "sync to file" only and is not intended
> to "sync from file". In any case, it did not have the effect I wanted.
> 
> ??? Is there any other way to sync an NSS app with changes made to the
> underlying database _files_ ???
> 
> - Jeff Vandegrift
> 