Issues addressed and pushed to master.
On Tue, 2014-02-25 at 14:08 -0600, Endi Sukma Dewata wrote:
On 2/24/2014 4:20 PM, John Magne wrote:
> I'll piggy back on this ACK. Just a few comments interspersed.
>
>> Patch #199:
>>
>> 2. The error message probably should just say "Directory already
>> exists". The end user should not see a variable name in the error
>> message. If the program ends with this error the user would know that an
>> existing database causes a conflict, so either they will remove it or
>> use a different path or overwrite it with a flag.
>
> For this db exists already? Is this really the end of the world?
> Could we just go ahead and open it for them and move on? For instance
> nss now has the notion of a completely common db where one could
> conceivably just add to it.
Not sure how up-to-date this page is, but here's what it says:
https://wiki.mozilla.org/NSS_Library_Init
"We intended to go to a single user/machine configuration for most
applications and libraries, ... One problem with this approach is that
not all NSS applications run on systems which will have a 'system
configured' NSS. In addition, there are still cases where the user may
want to keep multiple different configurations for testing ..."
I think there would be cases where the client wants to use a separate
database and make sure it's not overwriting an existing one.
>> 7. Can these 3 invocations be combined:
>>
>> cryptoutil.NSSCryptoUtil.setup_database(
>> certdb_dir, certdb_password, over_write=True)
>> crypto = cryptoutil.NSSCryptoUtil(certdb_dir, certdb_password)
>> crypto.initialize_db()
>>
>> into this?
>
> I agree with this, if it's feasible. This way they don't have to worry about
> initializing anything, they just put in the params to identify the db.
As discussed with Ade, it might not be possible now since importing the
transport cert is done using certutil instead of python-nss. Since the
nss database can't be shared among multiple processes, the import has to
be done first using certutil, then python-nss can initialize the database
after that.
Ideally the import has to be done with python-nss as well, but we don't
know if the functionality is exposed in python-nss.
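
The overwrite check discussed under point 2, sketched as an added example that is not part of the thread or of the patch under review. The helper names `find_nss_db_files`, `prepare_db_dir` and `DatabaseExistsError` are hypothetical; only the `over_write` flag and the "Directory already exists" wording come from the messages above.

```python
import os

# File names NSS uses for its legacy (dbm) and SQLite database formats.
NSS_DB_FILES = ("cert8.db", "key3.db", "secmod.db",
                "cert9.db", "key4.db", "pkcs11.txt")


class DatabaseExistsError(Exception):
    """Raised when the target directory already holds an NSS database."""


def find_nss_db_files(db_dir):
    """Return the NSS database files present in db_dir (empty list if none)."""
    if not os.path.isdir(db_dir):
        return []
    return sorted(name for name in os.listdir(db_dir) if name in NSS_DB_FILES)


def prepare_db_dir(db_dir, over_write=False):
    """Hypothetical helper: get db_dir ready for a new client database.

    An existing database is left untouched unless the caller explicitly
    passes over_write=True. The error text names the path, not an internal
    variable, so the user can remove it, pick another path, or overwrite.
    """
    existing = find_nss_db_files(db_dir)
    if existing and not over_write:
        raise DatabaseExistsError("Directory already exists: %s" % db_dir)
    # Overwrite requested: delete only the NSS files, not unrelated content.
    for name in existing:
        os.remove(os.path.join(db_dir, name))
    # The directory will hold private keys, so create it owner-only.
    os.makedirs(db_dir, mode=0o700, exist_ok=True)
    return db_dir
```
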