Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1lP7xW-0005V5-5u for pgsql-hackers@arkaria.postgresql.org; Wed, 24 Mar 2021 18:10:22 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1lP7xU-0002Yp-VE for pgsql-hackers@arkaria.postgresql.org; Wed, 24 Mar 2021 18:10:20 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1lP7xU-0002Yg-OO for pgsql-hackers@lists.postgresql.org; Wed, 24 Mar 2021 18:10:20 +0000 Received: from tamriel.snowman.net ([2001:470:e38f::11]) by magus.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1lP7xR-0003nd-Qg for pgsql-hackers@lists.postgresql.org; Wed, 24 Mar 2021 18:10:20 +0000 Received: by tamriel.snowman.net (Postfix, from userid 1000) id 915485F799; Wed, 24 Mar 2021 14:10:16 -0400 (EDT) Date: Wed, 24 Mar 2021 14:10:16 -0400 From: Stephen Frost To: Jacob Champion Cc: "daniel@yesql.se" , "pgsql-hackers@lists.postgresql.org" , "hlinnaka@iki.fi" , "andrew.dunstan@2ndquadrant.com" , "thomas.munro@gmail.com" , "michael@paquier.xyz" , "andres@anarazel.de" Subject: Re: Support for NSS as a libpq TLS backend Message-ID: <20210324181016.GU20766@tamriel.snowman.net> References: <1b16041447d57b45ca273f41d26f6e298d756f99.camel@vmware.com> <04E81B50-ACE9-40D3-9C66-7041F969A958@yesql.se> <21FABD55-5F80-4D8B-B994-3DB81D8742EE@yesql.se> <20210321234950.GQ20766@tamriel.snowman.net> <743a11e6668bef648c7a53f862038e6b2fad3755.camel@vmware.com> <05da9d530ab01e6959bd50c993d590ad73575c21.camel@vmware.com> <20210324170036.GS20766@tamriel.snowman.net> <8f741a425fd135ca38a28063730715499f7f6445.camel@vmware.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="npUwkL/mvK+NrTY3" Content-Disposition: inline In-Reply-To: <8f741a425fd135ca38a28063730715499f7f6445.camel@vmware.com> User-Agent: Mutt/1.5.24 (2015-08-30) List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --npUwkL/mvK+NrTY3 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Greetings, * Jacob Champion (pchampion@vmware.com) wrote: > On Wed, 2021-03-24 at 13:00 -0400, Stephen Frost wrote: > > * Jacob Champion (pchampion@vmware.com) wrote: > > > Right, but to clarify -- I was asking if *NSS* supports loading and > > > using separate certificate databases as part of its API. It seems like > > > the internals make it possible, but I don't see the public interfaces > > > to actually use those internals. > >=20 > > Yes, this is done using SECMOD_OpenUserDB, see: > >=20 > > https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/PKCS11_Fu= nctions#SECMOD_OpenUserDB >=20 > Ah, I had assumed that the DB-specific InitContext was using this > behind the scenes; apparently not. I will give that a try, thanks! >=20 > > also there's info here: > >=20 > > https://groups.google.com/g/mozilla.dev.tech.crypto/c/Xz6Emfcue0E > >=20 > > We should document that, as mentioned in the link above, the NSS find > > functions will find certs in all the opened databases. As this would > > all be under one application which is linked against libpq and passing > > in different values for ssl_database for different connections, this > > doesn't seem like it's really that much of an issue. >=20 > I could see this being a problem if two client certificate nicknames > collide across multiple in-use databases, maybe? Right, in such a case either cert might get returned and it's possible that the "wrong" one is returned and therefore the connection would end up failing, assuming that they aren't actually the same and just happen to be in both. Seems like we could use SECMOD_OpenUserDB() and then pass the result =66rom that into PK11_ListCertsInSlot() and scan through the certs in just the specified database to find the one we're looking for if we really feel compelled to try and address this risk. I've reached out to the NSS folks to see if they have any thoughts about the best way to address this. Thanks, Stephen --npUwkL/mvK+NrTY3 Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJgW4CIAAoJEO1sijiDR2RViWsQAK6xYJA+2yNsdHZvXjTBRuNp zux+jmY7QTKb2HoDm4gm30CaR9QX0RRPNAVhIWW0rz+PPeRqQ3dnfgeex/ExyvTF VLD/BCADofvCz2T/up8QuQ19b1/3syyauZjpBrjRp0HFECIAvIQjoQId4SKgUmAo 8sDVUQPDOa9UT8Kvxd+x2cM5TzkZsb/SZYnZOCbygdec9tD34aKNi+nNFA5oTkOr M/du1eVGuESE+wUnKtnx0CAE0QVKOThd+ak3QOMEWigFCnh6l7AoguF5PBcne9JG jn+BI1oAt1n3w3HHGeEUatpvsX/nfOFvUWG3I74ow/F8MyH4yXqh6p/rxi40Qrui uEab1t6AyBG/GwvxPYJRALkoyPEt0lVZNEx7S5ecYs/pXLe+Ezk63cltIrBQK7nY hQOK5m+D4VFT78N1pyJBpOcwkZCAmnQO5kbmfIVa1VO4IWxFE4mnkBV+dMDRh82M kJ9Hkv+b3xMoQSt5bRgHtYoVrdUUVA56ndcjbK7TOcQPQCO8sQcBzx6AkXjTYS1p WUUgAfO5Ptkay9N+7P2FChhsHI0ilBV9YriJkQKKtsgNM60136KfwP2pnPSPvioz GNGOjTt4n9UHlpNx2D2/t1x1wV7NK56PWfVfsf3XuRWTrNZlQGF+yHlgvtxlqfEe rXtfUCTlyaMuz6+cHE1G =pTgn -----END PGP SIGNATURE----- --npUwkL/mvK+NrTY3--