> On 25 Mar 2021, at 00:56, Jacob Champion <pchampion@vmware.com> wrote:
> Databases that are opened *after* the first one are given their own separate slots. Any certificates that are part of
thosedatabases seemingly can't be referenced directly by nickname. They have to be prefixed by their token name -- a
namewhich you don't have if you used NSS_InitContext() to create the database. You have to use SECMOD_OpenUserDB()
instead.This explains some strange failures I was seeing in local testing, where the order of InitContext determined
whetherour client certificate selection succeeded or failed.
Sorry for the latency is responding, but I'm now back from parental leave.
AFAICT the tokenname for the database can be set with the dbTokenDescription
member in the NSSInitParameters struct passed to NSS_InitContext() (documented
in nss.h). Using this we can avoid the messier SECMOD machinery and use the
token in the auth callback to refer to the database we loaded. I hacked this
up in my local tree (rebased patchset coming soon) and it seems to work as
intended.
--
Daniel Gustafsson https://vmware.com/