NSS keydb

[jo]

Add NSS functionality for key management, enabled via feature flag.

New feature flag keydb in rc_crypto/nss, which enables NSS key persistence: ensure_initialized_with_profile_dir(path: impl AsRef<Path>) initializes NSS with a profile directory and appropriate flags to persist keys (and certificates) in its internal PKCS11 software implementation.

New methods for dealing with primary password and key persistence, available within the keydb feature:

• authorization_with_primary_password_is_needed(): checks weather a primary password is set and needs to be authorized
• authorize_with_primary_password(primary_password: &str): method for authorizing NSS key store against a user-provided primary password
• get_or_create_aes256_key(name: &str): retrieve a key by name from the internal NSS key store. If none exists, create one, persist, and return.

Pull Request checklist

• Breaking changes: This PR follows our breaking change policy
  • This PR follows the breaking change policy:
    • This PR has no breaking API changes, or
    • There are corresponding PRs for our consumer applications that resolve the breaking changes and have been approved
• Quality: This PR builds and tests run cleanly
  • Note:
    • For changes that need extra cross-platform testing, consider adding [ci full] to the PR title.
    • If this pull request includes a breaking change, consider cutting a new release after merging.
• Tests: This PR includes thorough tests or an explanation of why it does not
• Changelog: This PR includes a changelog entry in CHANGELOG.md or an explanation of why it does not need one
  • Any breaking changes to Swift or Kotlin binding APIs are noted explicitly
• Dependencies: This PR follows our dependency management guidelines
  • Any new dependencies are accompanied by a summary of the due diligence applied in selecting them.

Branch builds: add [firefox-android: branch-name] to the PR title.

[mhammond]

This seems good to me. I'm mildly concerned about some of the unwrapping/panicing, but this is really your call. I do think you should wait a few days to let Ben have a look if possible and he has time, but I'm +1 on this.

[jo]

@mhammond , thanks for the review!

I think you have raised important points here, I will think again in detail about the error handling. I have mostly imitated the behavior of ensure_nss_initialized() here, but I absolutely agree, in some code paths we should not panic, because in particular file corruption can occur, or the directory may have disappeared.

@bendk , please wait a bit until I have incorporated Mark's feedback.

[jo]

I have now revised the implementation. The new method ensure_nss_initialized_with_profile_dir now returns a result containing any errors. It also checks, as @bendk mentioned recently, whether any previous calls have taken place with the same path.
Thanks again for your valuable feedback, @mhammond . Can you take another look at this and give us your opinion?

[jo]

btw I added the once_cell dependency because we already use it heavily throughout AS. Do I have to take any additional steps here?

[mhammond]

this looks great!

[bendk]

Looks great from my POV as well, I just had one documentation request.