On Wednesday, 24 January 2018 16:31:26 CET Renato Alves wrote:
> Hi everyone,
>
> In the past, libnss could be directly initialized by simply pointing the
> code to a location containing 'cert8.db' and 'key3.db'. This is the basis
> of https://github.com/unode/firefox_decrypt a small tool I authored myself
> with the help of several contributors.
>
> With Firefox 59 key.db and cert.db were modified to use an SQLite format
> instead of Berkeley DB format. After this change, direct initialization of
> NSS is no longer possible (tested with older NSS and the latest 3.35). The
> latest NSS reports "SEC_ERROR_LEGACY_DATABASE: The certificate/key database
> is in an old, unsupported format.". The use of "old" in the error message
> is a little misleading.

yes, the message is misleading

> With that said, is there any other way to initialize libnss to be able to
> decode Firefox's profile credentials or is this feature no longer
> supported?

yes, the DBM database format is deprecated and will be removed in some time.
There are multiple bugs in it that nobody is willing to fix and it is
inherently insecure to use it with multiple applications that modify it at the
same time. SQL database does allow safe parallel accesses and uses maintained
code. Thus the switch.

I'm afraid the tool will have to be modified to support the SQL format now.

As an upside, it will now be safe to use it with Firefox running, provided all
the necessary locking is performed.

--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
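
Added example, not part of the original thread and not code from firefox_decrypt or NSS: a sketch of how a tool could tell the two database formats apart before initializing NSS and pick the matching directory prefix. It assumes the NSS conventions that the SQLite databases are named `cert9.db` and `key4.db` and that the configuration directory is prefixed with `sql:` or `dbm:`, none of which is stated in the thread; the function names are hypothetical.

```python
import os
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"   # first 16 bytes of any SQLite 3 file
SQL_FILES = ("cert9.db", "key4.db")     # NSS SQLite database file names (assumed)
DBM_FILES = ("cert8.db", "key3.db")     # legacy Berkeley DB file names


def _is_sqlite(path):
    """True if the file exists and starts with the SQLite 3 header."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC
    except OSError:
        return False


def detect_nss_db_format(profile_dir):
    """Return "sql", "dbm" or None for the databases in profile_dir."""
    sql = [os.path.join(profile_dir, n) for n in SQL_FILES]
    dbm = [os.path.join(profile_dir, n) for n in DBM_FILES]
    # Prefer SQLite: a directory can hold both sets of files.
    if all(_is_sqlite(p) for p in sql):
        return "sql"
    if all(os.path.isfile(p) and not _is_sqlite(p) for p in dbm):
        return "dbm"
    return None


def nss_config_dir(profile_dir):
    """Build the prefixed directory string to pass to NSS initialization."""
    fmt = detect_nss_db_format(profile_dir)
    if fmt is None:
        raise FileNotFoundError(f"no NSS databases found in {profile_dir}")
    return f"{fmt}:{profile_dir}"


if __name__ == "__main__":
    # Constructed sample: a temporary directory populated with header-only files.
    with tempfile.TemporaryDirectory() as d:
        for name in DBM_FILES:
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(b"constructed legacy placeholder")
        print(nss_config_dir(d))            # dbm:<tmpdir>
        for name in SQL_FILES:
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(SQLITE_MAGIC + b"\x00" * 84)
        print(nss_config_dir(d))            # sql:<tmpdir>
```

The check reads only the file header, so it does not take any lock on the databases; the locking mentioned in the reply still applies once NSS opens them.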