bug 1417677 - remove "security.use_sqldb" and always use the sqlite-backed NSS DBs r=jcj
authorDavid Keeler <dkeeler@mozilla.com>
Wed, 15 Nov 2017 15:24:58 -0800
changeset 437064 aea6154d26f3ad1fa48ed91c740b77bbb0cd3d37
parent 437063 f020bc218c8bfd79e98b246307ff361d6e253f81
child 437065 8a07d34a17b6e4116a6c7bbd7897c78375f91f62
push id117
push userfmarier@mozilla.com
push dateTue, 28 Nov 2017 20:17:16 +0000
reviewersjcj
bugs1417677
milestone59.0a1
bug 1417677 - remove "security.use_sqldb" and always use the sqlite-backed NSS DBs r=jcj MozReview-Commit-ID: 2qoJz5gDPyY
security/certverifier/NSSCertDBTrustDomain.cpp
security/manager/ssl/nsNSSComponent.cpp
security/manager/ssl/security-prefs.js
security/manager/ssl/tests/unit/test_db_format_pref_new.js
security/manager/ssl/tests/unit/test_db_format_pref_old.js
security/manager/ssl/tests/unit/test_sdr_preexisting_with_password.js
security/manager/ssl/tests/unit/xpcshell.ini
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@@ -14,17 +14,16 @@
 #include "OCSPVerificationTrustDomain.h"
 #include "PublicKeyPinningService.h"
 #include "cert.h"
 #include "certdb.h"
 #include "mozilla/Assertions.h"
 #include "mozilla/Casting.h"
 #include "mozilla/Move.h"
 #include "mozilla/PodOperations.h"
-#include "mozilla/Preferences.h"
 #include "mozilla/TimeStamp.h"
 #include "mozilla/Unused.h"
 #include "nsCRTGlue.h"
 #include "nsNSSCertificate.h"
 #include "nsServiceManagerUtils.h"
 #include "nsThreadUtils.h"
 #include "nss.h"
 #include "pk11pub.h"
@@ -1058,21 +1057,17 @@ InitializeNSS(const nsACString& dir, boo
   // "/usr/lib/nss/libnssckbi.so".
   uint32_t flags = NSS_INIT_NOROOTINIT | NSS_INIT_OPTIMIZESPACE;
   if (readOnly) {
     flags |= NSS_INIT_READONLY;
   }
   if (!loadPKCS11Modules) {
     flags |= NSS_INIT_NOMODDB;
   }
-  bool useSQLDB = Preferences::GetBool("security.use_sqldb", false);
-  nsAutoCString dbTypeAndDirectory;
-  if (useSQLDB) {
-    dbTypeAndDirectory.Append("sql:");
-  }
+  nsAutoCString dbTypeAndDirectory("sql:");
   dbTypeAndDirectory.Append(dir);
   MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
           ("InitializeNSS(%s, %d, %d)", dbTypeAndDirectory.get(), readOnly,
            loadPKCS11Modules));
   SECStatus srv = NSS_Initialize(dbTypeAndDirectory.get(), "", "",
                                  SECMOD_DB, flags);
   if (srv != SECSuccess) {
     return srv;
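Review bot: The hard-coded `"sql:"` prefix in `nsAutoCString dbTypeAndDirectory("sql:");` has no comment saying what it selects, and with the pref gone nothing at this site records that the choice is now unconditional. I would add above it `// Always use the sqlite-backed databases (cert9.db/key4.db); the "sql:" prefix selects that format in NSS.` Profiles that previously ran with `security.use_sqldb` set to false will be opened in the sqlite format on the next start. NSS presumably migrates the legacy cert8.db/key3.db in that case; if it leaves those files in the profile, that is worth stating here, because the old key database would stay on disk. InitializeNSS starts before and continues past this hunk, so what happens after `NSS_Initialize` is not visible here.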
--- a/security/manager/ssl/nsNSSComponent.cpp
+++ b/security/manager/ssl/nsNSSComponent.cpp
@@ -1850,19 +1850,21 @@ AttemptToRenamePKCS11ModuleDB(const nsAC
   }
   // This may fail on, e.g., a read-only file system. This would be unfortunate,
   // but again it isn't catastropic and we would want to fall back to
   // initializing NSS in no-DB mode.
   Unused << dbFile->MoveToNative(profileDir, destModuleDBFilename);
   return NS_OK;
 }
 
-// We may be using the legacy databases, in which case we need to use
-// "secmod.db". We may be using the sqlite-backed databases, in which case we
-// need to use "pkcs11.txt".
+// The platform now only uses the sqlite-backed databases, so we'll try to
+// rename "pkcs11.txt". However, if we're upgrading from a version that used the
+// old format, we need to try to rename the old "secmod.db" as well (if we were
+// to only rename "pkcs11.txt", initializing NSS will still fail due to the old
+// database being in FIPS mode).
 static nsresult
 AttemptToRenameBothPKCS11ModuleDBVersions(const nsACString& profilePath)
 {
   NS_NAMED_LITERAL_CSTRING(legacyModuleDBFilename, "secmod.db");
   NS_NAMED_LITERAL_CSTRING(sqlModuleDBFilename, "pkcs11.txt");
   nsresult rv = AttemptToRenamePKCS11ModuleDB(profilePath,
                                               legacyModuleDBFilename);
   if (NS_FAILED(rv)) {
--- a/security/manager/ssl/security-prefs.js
+++ b/security/manager/ssl/security-prefs.js
@@ -33,22 +33,16 @@ pref("security.ssl3.rsa_des_ede3_sha", t
 pref("security.content.signature.root_hash",
      "97:E8:BA:9C:F1:2F:B3:DE:53:CC:42:A4:E6:57:7E:D6:4D:F4:93:C2:47:B4:14:FE:A0:36:81:8D:38:23:56:0E");
 
 pref("security.default_personal_cert",   "Ask Every Time");
 pref("security.remember_cert_checkbox_default_setting", true);
 pref("security.ask_for_password",        0);
 pref("security.password_lifetime",       30);
 
-// If true, use the modern sqlite-backed certificate and key databases in NSS.
-// If false, use the default format. Currently the default in NSS is the old
-// BerkeleyDB format, but this will change in bug 1377940.
-// Changing this requires a restart to take effect.
-pref("security.use_sqldb", true);
-
 // The supported values of this pref are:
 // 0: disable detecting Family Safety mode and importing the root
 // 1: only attempt to detect Family Safety mode (don't import the root)
 // 2: detect Family Safety mode and import the root
 // (This is only relevant to Windows 8.1)
 pref("security.family_safety.mode", 2);
 
 pref("security.enterprise_roots.enabled", false);
--- a/security/manager/ssl/tests/unit/test_db_format_pref_new.js
+++ b/security/manager/ssl/tests/unit/test_db_format_pref_new.js
@@ -1,20 +1,19 @@
 // -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this
 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
 "use strict";
 
-// Tests that if "security.use_sqldb" is set to true when PSM initializes,
-// we create the sqlite-backed certificate and key databases.
+// Tests that when PSM initializes, we create the sqlite-backed certificate and
+// key databases.
 
 function run_test() {
   let profileDir = do_get_profile();
-  Services.prefs.setBoolPref("security.use_sqldb", true);
   let certificateDBFile = profileDir.clone();
   certificateDBFile.append("cert9.db");
   ok(!certificateDBFile.exists(), "cert9.db should not exist beforehand");
   let keyDBFile = profileDir.clone();
   keyDBFile.append("key4.db");
   ok(!keyDBFile.exists(), "key4.db should not exist beforehand");
   // This should start PSM.
   Cc["@mozilla.org/psm;1"].getService(Ci.nsISupports);
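Review bot: With test_db_format_pref_old.js deleted, the visible part of this test only checks that cert9.db and key4.db are absent before PSM starts; nothing here asserts that the legacy files are no longer created. If the rest of run_test (it continues outside this hunk) does not already do so, add checks after the PSM start such as `ok(!legacyCertDBFile.exists(), "cert8.db should not exist in the profile");` and the same for key3.db, with `legacyCertDBFile` built the way `certificateDBFile` is. The file name still says `pref` although no pref is involved any more; renaming it together with its xpcshell.ini entry would keep the name accurate.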
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_db_format_pref_old.js
+++ /dev/null
@@ -1,24 +0,0 @@
-// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
-// This Source Code Form is subject to the terms of the Mozilla Public
-// License, v. 2.0. If a copy of the MPL was not distributed with this
-// file, You can obtain one at http://mozilla.org/MPL/2.0/.
-"use strict";
-
-// Tests that if "security.use_sqldb" is set to false when PSM initializes,
-// we create the system-default certificate and key databases, which currently
-// use the old BerkeleyDB format. This will change in bug 1377940.
-
-function run_test() {
-  let profileDir = do_get_profile();
-  Services.prefs.setBoolPref("security.use_sqldb", false);
-  let certificateDBFile = profileDir.clone();
-  certificateDBFile.append("cert8.db");
-  ok(!certificateDBFile.exists(), "cert8.db should not exist beforehand");
-  let keyDBFile = profileDir.clone();
-  keyDBFile.append("key3.db");
-  ok(!keyDBFile.exists(), "key3.db should not exist beforehand");
-  // This should start PSM.
-  Cc["@mozilla.org/psm;1"].getService(Ci.nsISupports);
-  ok(certificateDBFile.exists(), "cert8.db should exist in the profile");
-  ok(keyDBFile.exists(), "key3.db should exist in the profile");
-}
--- a/security/manager/ssl/tests/unit/test_sdr_preexisting_with_password.js
+++ b/security/manager/ssl/tests/unit/test_sdr_preexisting_with_password.js
@@ -48,18 +48,16 @@ var gWindowWatcher = {
 function run_test() {
   let windowWatcherCID =
     MockRegistrar.register("@mozilla.org/embedcomp/window-watcher;1",
                            gWindowWatcher);
   do_register_cleanup(() => {
     MockRegistrar.unregister(windowWatcherCID);
   });
 
-  Services.prefs.setBoolPref("security.use_sqldb", true);
-
   let profile = do_get_profile();
   let keyDBFile = do_get_file("test_sdr_preexisting_with_password/key3.db");
   keyDBFile.copyTo(profile, "key3.db");
 
   let sdr = Cc["@mozilla.org/security/sdr;1"]
               .getService(Ci.nsISecretDecoderRing);
 
   let testcases = [
--- a/security/manager/ssl/tests/unit/xpcshell.ini
+++ b/security/manager/ssl/tests/unit/xpcshell.ini
@@ -71,21 +71,19 @@ skip-if = toolkit == 'android'
 [test_constructX509FromBase64.js]
 [test_content_signing.js]
 [test_ct.js]
 # Requires hard-coded debug-only data
 skip-if = !debug
 run-sequentially = hardcoded ports
 [test_datasignatureverifier.js]
 # Android always has and always will use the new format, so
-# these two tests don't apply.
+# this test doesn't apply.
 [test_db_format_pref_new.js]
 skip-if = toolkit == 'android'
-[test_db_format_pref_old.js]
-skip-if = toolkit == 'android'
 [test_der.js]
 [test_enterprise_roots.js]
 skip-if = os != 'win' # tests a Windows-specific feature
 [test_ev_certs.js]
 tags = blocklist
 run-sequentially = hardcoded ports
 [test_forget_about_site_security_headers.js]
 skip-if = toolkit == 'android'