Add PKCS#11 3.2 attribute to NSSDB storage#310
Conversation
Jakuje
left a comment
Jakuje
left a comment
There was a problem hiding this comment.
I am wondering how the PQC algorithm tests worked before this with the NSS DB when the new attributes like Encapsulate, ParamSet and others could not have been stored in the database ....
Good q, I think they simply always use the sqlite database, we'll have to figure out how to make sure most test are also tried on nssdb, perhaps a build target that has only the nssdb ? |
Thats not how I wrote that. When nssdb is enabled, it should default to NSSDB, unless something changed since I did this: Line 191 in 461010b |
|
I think I changed that because at some point all CI jobs included nssdb, and that means sqlite was never tested, so I think I change something and then forgot about it. Maybe we should open a separate issue to follow up on this? |
|
Marking this as draft because I think we need to add at least a test that will upgrade a database with the new attributes and work correctly after doing that |
This catches up nssdb to the changes happenning in NSS upstream Signed-off-by: Simo Sorce <simo@redhat.com>
simo5
force-pushed
the
nss_p11_3.2
branch
2 times, most recently
from
c2660a7 to
9c17377
Compare
|
The |
|
Still keeping this in draft until I can get my hands on another test database generate by a new enough version of NSS that has the new attributes so I can ensure not only the upgrade path but also full compatibility with dbs generated by new NSS versions. |
| CKA_UNIQUE_ID, | ||
| CKA_COPYABLE, | ||
| CKA_DESTROYABLE, |
There was a problem hiding this comment.
please, make sure we have tests with these attributes executed with the new nss db
There was a problem hiding this comment.
why?
they are just regular attributes like any other
There was a problem hiding this comment.
I think we might have some tests for them that are either excluded with the nssdb backend and if not, we should test they make it through at all cases.
There was a problem hiding this comment.
I wonder if we should change the tests infra to look at an enve var in tests which will set what is the db to use for tests, and then have one of the builds test with forcing NSSDB on, thi way we have more control over what DB is used for testing regardless of how many DBs we've built into the binary ?
There was a problem hiding this comment.
We already have the tests forcing one type of DBs based on enabled features (currently just NSS and SQLite):
https://github.com/latchset/kryoptic/blob/main/src/tests/mod.rs#L191
all of the code initialization goes through this function
There was a problem hiding this comment.
Yes, but I think we should always pick sqlitedb by default, and have an environment variable to forcibly change the DB type, such that if the db type is not compiled and the variable is set it will error out as well.
This way we can be sure of what we are testing in CI, currently it is almost a guess which DB is tested and we can't test "the other" DB when multiple are compiled in which is not great because applications can chose which one to use and we are not testing if the behavior of "the other" dbs is not broken by config options enabled by whichever one is chosen at test time.
Implement a mechanism to check and upgrade the NSS SQLite database schema upon initialization. This change introduces a check that runs when the database is opened. It compares the columns in the `nssPublic` and `nssPrivate` tables against a list of known PKCS#11 attributes. If any columns for known attributes are missing, they are automatically added using `ALTER TABLE`. This ensures that existing databases can be seamlessly upgraded to support new attributes (e.g., from PKCS#11 3.2) without manual intervention. The logic for converting database rows to objects is also refactored to use a new column cache, improving efficiency and robustness. Signed-off-by: Simo Sorce <simo@redhat.com>
|
@Jakuje marking as ready to review because now I have a DB generated by NSSDB with the attributes we need (and a fix to handle a NSS bug ...) |
This was generated by NSS code and we use it to test compatibility woth NSS written DBs. Signed-off-by: Simo Sorce <simo@redhat.com>
Some versions of NSS have a bug where the CKA_PARAMETER_SET attribute is written to the database as a raw, platform-endian CK_ULONG (4 or 8 bytes) instead of the expected 4-byte big-endian database integer. This change adds a workaround to correctly read this attribute from malformed databases. It attempts to parse the stored blob as both a 32-bit and 64-bit integer, checking both little-endian and big-endian formats. Since the valid values for this attribute are small numbers, we can reliably recover the intended value, ensuring compatibility. Signed-off-by: Simo Sorce <simo@redhat.com>
2 participants
Description
This catches up nssdb to the changes happenning in NSS upstream
Fixes #307
Checklist
Reviewer's checklist: