Index: ./mozilla/security/nss/lib/pk11wrap/pk11load.c =================================================================== RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/pk11load.c,v retrieving revision 1.30 retrieving revision 1.30.2.2 diff -u -p -r1.30 -r1.30.2.2 --- ./mozilla/security/nss/lib/pk11wrap/pk11load.c 30 Apr 2010 07:22:54 -0000 1.30 +++ ./mozilla/security/nss/lib/pk11wrap/pk11load.c 27 Jan 2011 01:35:46 -0000 1.30.2.2 @@ -178,8 +178,8 @@ secmod_handleReload(SECMODModule *oldMod char *oldModuleSpec; if (secmod_IsInternalKeySlot(newModule)) { - pk11_SetInternalKeySlot(slot); - } + pk11_SetInternalKeySlotIfFirst(slot); + } newID = slot->slotID; PK11_FreeSlot(slot); for (thisChild=children, thisID=ids; thisChild && *thisChild; @@ -550,6 +550,11 @@ secmod_LoadPKCS11Module(SECMODModule *mo /* look down the slot info table */ PK11_LoadSlotList(mod->slots[i],mod->slotInfo,mod->slotInfoCount); SECMOD_SetRootCerts(mod->slots[i],mod); + /* explicitly mark the internal slot as such if IsInternalKeySlot() + * is set */ + if (secmod_IsInternalKeySlot(mod) && (i == (mod->isFIPS ? 0 : 1))) { + pk11_SetInternalKeySlotIfFirst(mod->slots[i]); + } } mod->slotCount = slotCount; mod->slotInfoCount = 0; Index: ./mozilla/security/nss/lib/pk11wrap/pk11priv.h =================================================================== RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/pk11priv.h,v retrieving revision 1.13 retrieving revision 1.13.2.2 diff -u -p -r1.13 -r1.13.2.2 --- ./mozilla/security/nss/lib/pk11wrap/pk11priv.h 27 Oct 2009 23:04:46 -0000 1.13 +++ ./mozilla/security/nss/lib/pk11wrap/pk11priv.h 27 Jan 2011 01:35:46 -0000 1.13.2.2 @@ -115,6 +115,7 @@ void PK11_InitSlot(SECMODModule *mod,CK_ PRBool PK11_NeedPWInitForSlot(PK11SlotInfo *slot); SECStatus PK11_ReadSlotCerts(PK11SlotInfo *slot); void pk11_SetInternalKeySlot(PK11SlotInfo *slot); +void pk11_SetInternalKeySlotIfFirst(PK11SlotInfo *slot); /********************************************************************* * Mechanism Mapping functions Index: ./mozilla/security/nss/lib/pk11wrap/pk11slot.c =================================================================== RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/pk11slot.c,v retrieving revision 1.101 retrieving revision 1.101.2.3 diff -u -p -r1.101 -r1.101.2.3 --- ./mozilla/security/nss/lib/pk11wrap/pk11slot.c 3 Apr 2010 18:27:31 -0000 1.101 +++ ./mozilla/security/nss/lib/pk11wrap/pk11slot.c 27 Jan 2011 01:35:46 -0000 1.101.2.3 @@ -1349,7 +1349,7 @@ pk11_isRootSlot(PK11SlotInfo *slot) * times as tokens are removed and re-inserted. */ void -PK11_InitSlot(SECMODModule *mod,CK_SLOT_ID slotID,PK11SlotInfo *slot) +PK11_InitSlot(SECMODModule *mod, CK_SLOT_ID slotID, PK11SlotInfo *slot) { SECStatus rv; char *tmp; @@ -1726,6 +1726,12 @@ PK11_NeedUserInit(PK11SlotInfo *slot) } static PK11SlotInfo *pk11InternalKeySlot = NULL; + +/* + * Set a new default internal keyslot. If one has already been set, clear it. + * Passing NULL falls back to the NSS normally selected default internal key + * slot. + */ void pk11_SetInternalKeySlot(PK11SlotInfo *slot) { @@ -1735,6 +1741,20 @@ pk11_SetInternalKeySlot(PK11SlotInfo *sl pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL; } +/* + * Set a new default internal keyslot if the normal key slot has not already + * been overridden. Subsequent calls to this function will be ignored unless + * pk11_SetInternalKeySlot is used to clear the current default. + */ +void +pk11_SetInternalKeySlotIfFirst(PK11SlotInfo *slot) +{ + if (pk11InternalKeySlot) { + return; + } + pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL; +} + /* get the internal key slot. FIPS has only one slot for both key slots and * default slots */ Index: ./mozilla/security/nss/lib/sysinit/nsssysinit.c =================================================================== RCS file: /cvsroot/mozilla/security/nss/lib/sysinit/nsssysinit.c,v retrieving revision 1.2 retrieving revision 1.2.2.2 diff -u -p -r1.2 -r1.2.2.2 --- ./mozilla/security/nss/lib/sysinit/nsssysinit.c 6 Feb 2010 04:56:37 -0000 1.2 +++ ./mozilla/security/nss/lib/sysinit/nsssysinit.c 26 Jan 2011 00:52:31 -0000 1.2.2.2 @@ -221,16 +221,16 @@ getFIPSMode(void) * 2 for the key slot, and * 3 for the crypto operations slot fips */ -#define ORDER_FLAGS "trustOrder=75 cipherOrder=100" +#define CIPHER_ORDER_FLAGS "cipherOrder=100" #define SLOT_FLAGS \ "[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM" \ " askpw=any timeout=30 ]" static const char *nssDefaultFlags = - ORDER_FLAGS " slotParams={0x00000001=" SLOT_FLAGS " } "; + CIPHER_ORDER_FLAGS " slotParams={0x00000001=" SLOT_FLAGS " } "; static const char *nssDefaultFIPSFlags = - ORDER_FLAGS " slotParams={0x00000003=" SLOT_FLAGS " } "; + CIPHER_ORDER_FLAGS " slotParams={0x00000003=" SLOT_FLAGS " } "; /* * This function builds the list of databases and modules to load, and sets @@ -270,7 +270,7 @@ get_list(char *filename, char *stripped_ "library= " "module=\"NSS User database\" " "parameters=\"configdir='sql:%s' %s tokenDescription='NSS user database'\" " - "NSS=\"%sflags=internal%s\"", + "NSS=\"trustOrder=75 %sflags=internal%s\"", userdb, stripped_parameters, nssflags, isFIPS ? ",FIPS" : ""); @@ -284,30 +284,6 @@ get_list(char *filename, char *stripped_ userdb, stripped_parameters); } -#if 0 - /* This doesn't actually work. If we register - both this and the sysdb (in either order) - then only one of them actually shows up */ - - /* Using a NULL filename as a Boolean flag to - * prevent registering both an application-defined - * db and the system db. rhbz #546211. - */ - PORT_Assert(filename); - if (sysdb && PL_CompareStrings(filename, sysdb)) - filename = NULL; - else if (userdb && PL_CompareStrings(filename, userdb)) - filename = NULL; - - if (filename && !userIsRoot()) { - module_list[next++] = PR_smprintf( - "library= " - "module=\"NSS database\" " - "parameters=\"configdir='sql:%s' tokenDescription='NSS database sql:%s'\" " - "NSS=\"%sflags=internal\"",filename, filename, nssflags); - } -#endif - /* now the system database (always read only unless it's root) */ if (sysdb) { const char *readonly = userCanModifySystemDB() ? "" : "flags=readonly"; @@ -315,7 +291,7 @@ get_list(char *filename, char *stripped_ "library= " "module=\"NSS system database\" " "parameters=\"configdir='sql:%s' tokenDescription='NSS system database' %s\" " - "NSS=\"%sflags=internal,critical\"",sysdb, readonly, nssflags); + "NSS=\"trustOrder=80 %sflags=internal,critical\"",sysdb, readonly, nssflags); } /* that was the last module */ @@ -372,9 +348,9 @@ overlapstrcpy(char *target, char *src) /* determine what options the user was trying to open this database with */ /* filename is the directory pointed to by configdir= */ -/* stripped is the rest of the paramters with configdir= stripped out */ +/* stripped is the rest of the parameters with configdir= stripped out */ static SECStatus -parse_paramters(char *parameters, char **filename, char **stripped) +parse_parameters(char *parameters, char **filename, char **stripped) { char *sourcePrev; char *sourceCurr; @@ -423,7 +399,7 @@ NSS_ReturnModuleSpecData(unsigned long f char **retString = NULL; SECStatus rv; - rv = parse_paramters(parameters, &filename, &stripped); + rv = parse_parameters(parameters, &filename, &stripped); if (rv != SECSuccess) { /* use defaults */ filename = getSystemDB();