WIP: Initialize nss explicitly #6596

jo · 2025-02-14T13:35:25Z

Initialize NSS explicitly, rather than implicitly in NSS-using functions.

⚠️ depends on #6607 ⚠️

To have control over NSS initialization, it must be done explicitly. This pull request removes implicit initialization from the relevant methods and instead checks whether NSS has been initialized and throws an appropriate error if it has not.
Initialization can be done either directly via NSS.

BREAKING CHANGE:
you now need to call nss::ensure_initialized() before any calls to functions which depend on NSS. Watch out for CryptoError(Error(NSS error: NSS has not been initialized)).

Pull Request checklist

Breaking changes: This PR follows our breaking change policy
- This PR follows the breaking change policy:
  - This PR has no breaking API changes, or
  - There are corresponding PRs for our consumer applications that resolve the breaking changes and have been approved
Quality: This PR builds and tests run cleanly
- Note:
  - For changes that need extra cross-platform testing, consider adding [ci full] to the PR title.
  - If this pull request includes a breaking change, consider cutting a new release after merging.
Tests: This PR includes thorough tests or an explanation of why it does not
Changelog: This PR includes a changelog entry in CHANGELOG.md or an explanation of why it does not need one
- Any breaking changes to Swift or Kotlin binding APIs are noted explicitly
Dependencies: This PR follows our dependency management guidelines
- Any new dependencies are accompanied by a summary of the due diligence applied in selecting them.

Branch builds: add [firefox-android: branch-name] to the PR title.

bendk

I like this idea in general, the only question for me is how applications should initialize NSS.

components/logins/src/logins.udl

mhammond

Part of what I don't understand here is what initialization looks like when the "keydb" feature is enabled? Something like logins is eventually going to be used in both contexts, so how would that look? (Sorry if I missed this!)

components/support/rc_crypto/src/lib.rs

components/support/rc_crypto/nss/src/util.rs

jo · 2025-02-21T14:11:32Z

megazords/full/src/lib.rs

+// TODO: would be nice if we could write
+//  #[uniffi::export]
+//  pub use nss::ensure_initialized as ensure_nss_initialized;
+// instead.
+#[uniffi::export]
+pub fn ensure_nss_initialized() {
+    ensure_initialized()
+}
+


@bendk is there a way to do something like

#[uniffi::export] pub use nss::ensure_initialized as ensure_nss_initialized;

or a way to avoid wrapping the function?

There is https://mozilla.github.io/uniffi-rs/latest/proc_macro/functions.html#renaming-functions-methods-and-constructors, but I don't think that will actually work here :( So I don't think there is a good way, but it seems like a reasonable feature request!

doesn't look like there's already an issue filed for this, will do that

Thanks for filing that. IMO, we could extend the concept of "external types" to also support "external functions".

megazords/full/android/src/main/java/mozilla/appservices/Megazord.kt

CHANGELOG.md

megazords/full/android/src/main/java/mozilla/appservices/Megazord.kt

bendk · 2025-02-21T16:06:46Z

megazords/full/src/lib.rs

+// TODO: would be nice if we could write
+//  #[uniffi::export]
+//  pub use nss::ensure_initialized as ensure_nss_initialized;
+// instead.
+#[uniffi::export]
+pub fn ensure_nss_initialized() {
+    ensure_initialized()
+}
+


Thanks for filing that. IMO, we could extend the concept of "external types" to also support "external functions".

megazords/ios-rust/src/lib.rs

BREAKING CHANGE: you now need to call `nss::ensure_initialized()` before any calls to NSS functions, including dependants like rc_crypto or jwcrypto.

jo force-pushed the explicit-nss-initialization branch 11 times, most recently from e23748c to 6a74eca Compare February 18, 2025 14:15

bendk reviewed Feb 18, 2025

View reviewed changes

components/logins/src/logins.udl Outdated Show resolved Hide resolved

mhammond reviewed Feb 19, 2025

View reviewed changes

components/support/rc_crypto/src/lib.rs Outdated Show resolved Hide resolved

components/support/rc_crypto/nss/src/util.rs Show resolved Hide resolved

jo force-pushed the explicit-nss-initialization branch 12 times, most recently from 578d4e7 to 8b539bb Compare February 21, 2025 14:00

jo commented Feb 21, 2025

View reviewed changes

megazords/full/android/src/main/java/mozilla/appservices/Megazord.kt Show resolved Hide resolved

jo force-pushed the explicit-nss-initialization branch 3 times, most recently from 8a4bea3 to d6ef0ab Compare February 21, 2025 14:54

bendk reviewed Feb 21, 2025

View reviewed changes

Initialize nss explicitly

b1cd271

BREAKING CHANGE: you now need to call `nss::ensure_initialized()` before any calls to NSS functions, including dependants like rc_crypto or jwcrypto.

jo force-pushed the explicit-nss-initialization branch from d6ef0ab to b1cd271 Compare February 21, 2025 16:50

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

WIP: Initialize nss explicitly #6596

WIP: Initialize nss explicitly #6596

jo commented Feb 14, 2025 •

edited

Loading

bendk left a comment

mhammond left a comment

jo Feb 21, 2025

mhammond Feb 21, 2025

jo Feb 21, 2025

bendk Feb 21, 2025

bendk Feb 21, 2025

WIP: Initialize nss explicitly #6596

Are you sure you want to change the base?

WIP: Initialize nss explicitly #6596

Conversation

jo commented Feb 14, 2025 • edited Loading

Pull Request checklist

bendk left a comment

Choose a reason for hiding this comment

mhammond left a comment

Choose a reason for hiding this comment

jo Feb 21, 2025

Choose a reason for hiding this comment

mhammond Feb 21, 2025

Choose a reason for hiding this comment

jo Feb 21, 2025

Choose a reason for hiding this comment

bendk Feb 21, 2025

Choose a reason for hiding this comment

bendk Feb 21, 2025

Choose a reason for hiding this comment

jo commented Feb 14, 2025 •

edited

Loading