[API CHANGE] Move NSS profile handling into NSS service

While developing the patchset for tdf#127909, I broke the
certificate path dialog, because I wasn't aware, that the
NSSInitializer service has to use the same logic to auto-
select the users profile, then the dialog. So currently you
have to keep the complex service and dialog auto-select
logic in sync.

To prevent this error, this moves all the profile auto-selection
and enumeration into the NSSInitializer service. What I also
stumbled over is the particular lifecycle of the NSS library
initialization in the NSS service. This is just done, when the
first user calls some crypto function. As a result it's actually
possible to change the path setting without restarting
LibreOffice. But since the NSS deninitialization is run as an
atexit handler, this setting can't be changed after the init.

What is currently missing is any indication inside the dialog of
the currently active NSS setting in comparison to any later user
selection, if the user doesn't restart LibreOffice as requested.

Change-Id: I886962777958c363abeb0ec91fc8a35cbd39eb98
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/97668
Tested-by: Jenkins
Reviewed-by: Jan-Marek Glogowski <glogow@fbihome.de>

9 files changed, 295 insertions, 89 deletions

diff --git a/cui/source/options/certpath.cxx b/cui/source/options/certpath.cxx
index 630f5e0710fe..ae7a75859c79 100644
--- a/cui/source/options/certpath.cxx
+++ b/cui/source/options/certpath.cxx
@@ -14,6 +14,7 @@
 #include <tools/diagnose_ex.h>
 #include "certpath.hxx"
 
+#include <com/sun/star/xml/crypto/NSSInitializer.hpp>
 #include <com/sun/star/mozilla/MozillaBootstrap.hpp>
 #include <com/sun/star/ui/dialogs/ExecutableDialogResults.hpp>
 #include <com/sun/star/ui/dialogs/FolderPicker.hpp>
@@ -37,64 +38,56 @@ CertPathDialog::CertPathDialog(weld::Window* pParent)
 
     m_xManualButton->connect_clicked( LINK( this, CertPathDialog, ManualHdl_Impl ) );
     m_xOKButton->connect_clicked( LINK( this, CertPathDialog, OKHdl_Impl ) );
+}
+
+void CertPathDialog::Init()
+{
+    m_xCertPathList->clear();
+    m_xCertPathList->set_sensitive(true);
 
     try
     {
-        // In the reverse order of preference for the default selected profile
-        mozilla::MozillaProductType const productTypes[3] = {
-            mozilla::MozillaProductType_Thunderbird,
-            mozilla::MozillaProductType_Firefox,
-            mozilla::MozillaProductType_Mozilla };
-        const char* const productNames[3] = {
-            "thunderbird",
-            "firefox",
-            "mozilla" };
-        bool bSelected = false;
+        uno::Reference<uno::XComponentContext> xContext = comphelper::getProcessComponentContext();
+        uno::Reference<xml::crypto::XNSSInitializer> xCipherContextSupplier = xml::crypto::NSSInitializer::create(xContext);
 
-        uno::Reference<mozilla::XMozillaBootstrap> xMozillaBootstrap = mozilla::MozillaBootstrap::create( comphelper::getProcessComponentContext() );
+        OUString sActivePath = xCipherContextSupplier->getNSSPath();
+        auto aProductList = xCipherContextSupplier->getNSSProfiles();
 
-        for (sal_Int32 i = 0; i < sal_Int32(SAL_N_ELEMENTS(productTypes)); ++i)
+        // these map to the integer values of mozilla::MozillaProductType
+        const char* const productNames[4] = {
+            "",
+            "mozilla",
+            "firefox",
+            "thunderbird"
+        };
+
+        for (const auto& rNSSProfile : std::as_const(aProductList))
         {
-            sal_Int32 nProfileCount = xMozillaBootstrap->getProfileCount(productTypes[i]);
-            if (nProfileCount <= 0)
-                continue;
-            OUString sDefaultProfile = xMozillaBootstrap->getDefaultProfile(productTypes[i]);
-            uno::Sequence<OUString> aProfileList(nProfileCount);
-#ifndef NDEBUG
-            sal_Int32 nListLen =
-#endif
-                 xMozillaBootstrap->getProfileList(productTypes[i], aProfileList);
-            assert((nProfileCount == nListLen) && (nListLen == aProfileList.getLength()));
-
-            for (const auto& sProfileName : std::as_const(aProfileList))
+            if (rNSSProfile.Type == mozilla::MozillaProductType_Default)
             {
-                OUString sEntry = OUString::createFromAscii(productNames[i]) + ":" + sProfileName;
-                OUString sProfilePath = xMozillaBootstrap->getProfilePath(productTypes[i], sProfileName);
-                const bool bSelectDefaultProfile = !bSelected && sProfileName == sDefaultProfile;
-                AddCertPath(sEntry, sProfilePath, bSelectDefaultProfile);
-                if (bSelectDefaultProfile)
-                    bSelected = true;
+                if (rNSSProfile.Name == "MOZILLA_CERTIFICATE_FOLDER" && !rNSSProfile.Path.isEmpty())
+                {
+                    AddCertPath("$MOZILLA_CERTIFICATE_FOLDER", rNSSProfile.Path);
+                    m_xCertPathList->set_sensitive(false);
+                }
+                else if (rNSSProfile.Name == "MANUAL")
+                    AddManualCertPath(rNSSProfile.Path);
+            }
+            else
+            {
+                OUString sEntry = OUString::createFromAscii(
+                    productNames[static_cast<int>(rNSSProfile.Type)]) + ":" + rNSSProfile.Name;
+                AddCertPath(sEntry, rNSSProfile.Path, rNSSProfile.Path == sActivePath);
             }
         }
-    }
-    catch (const uno::Exception&)
-    {
-    }
 
-    try
-    {
-        AddManualCertPath(officecfg::Office::Common::Security::Scripting::CertDir::get().value_or(OUString()));
-        if (m_sManualPath.isEmpty())
-            AddManualCertPath(officecfg::Office::Common::Security::Scripting::ManualCertDir::get(), false);
+        OUString sManualCertPath = officecfg::Office::Common::Security::Scripting::ManualCertDir::get();
+        if (!sManualCertPath.isEmpty())
+            AddManualCertPath(sManualCertPath, false);
     }
-    catch (const uno::Exception &)
+    catch (const uno::Exception&)
     {
-        TOOLS_WARN_EXCEPTION("cui.options", "CertPathDialog::CertPathDialog()");
     }
-
-    const char* pEnv = getenv("MOZILLA_CERTIFICATE_FOLDER");
-    if (pEnv)
-        AddCertPath("$MOZILLA_CERTIFICATE_FOLDER", OUString(pEnv, strlen(pEnv), osl_getThreadTextEncoding()));
 }
 
 void CertPathDialog::AddManualCertPath(const OUString& sUserSetCertPath, bool bSelect)
@@ -102,7 +95,6 @@ void CertPathDialog::AddManualCertPath(const OUString& sUserSetCertPath, bool bS
     if (sUserSetCertPath.isEmpty())
         return;
 
-    // check existence
     ::osl::DirectoryItem aUserPathItem;
     OUString sUserSetCertURLPath;
     osl::FileBase::getFileURLFromSystemPath(sUserSetCertPath, sUserSetCertURLPath);
@@ -121,8 +113,9 @@ IMPL_LINK_NOARG(CertPathDialog, OKHdl_Impl, weld::Button&, void)
     {
         std::shared_ptr< comphelper::ConfigurationChanges > batch(
             comphelper::ConfigurationChanges::create());
+        const int nEntry = m_xCertPathList->get_selected_index();
         officecfg::Office::Common::Security::Scripting::CertDir::set(
-            getDirectory(), batch);
+            nEntry == -1 ? OUString() : m_xCertPathList->get_id(nEntry), batch);
         officecfg::Office::Common::Security::Scripting::ManualCertDir::set(m_sManualPath, batch);
         batch->commit();
     }
@@ -134,12 +127,25 @@ IMPL_LINK_NOARG(CertPathDialog, OKHdl_Impl, weld::Button&, void)
     m_xDialog->response(RET_OK);
 }
 
-OUString CertPathDialog::getDirectory() const
+bool CertPathDialog::isActiveServicePath() const
 {
     int nEntry = m_xCertPathList->get_selected_index();
     if (nEntry == -1)
-        return OUString();
-    return m_xCertPathList->get_id(nEntry);
+        return true;
+
+    try
+    {
+        uno::Reference<uno::XComponentContext> xContext = comphelper::getProcessComponentContext();
+        uno::Reference<xml::crypto::XNSSInitializer> xCipherContextSupplier = xml::crypto::NSSInitializer::create(xContext);
+
+        if (!xCipherContextSupplier->getIsNSSinitialized())
+            return true;
+        return (xCipherContextSupplier->getNSSPath() == m_xCertPathList->get_id(nEntry));
+    }
+    catch (const uno::Exception&)
+    {
+         return false;
+    }
 }
 
 CertPathDialog::~CertPathDialog()
diff --git a/cui/source/options/certpath.hxx b/cui/source/options/certpath.hxx
index 75d53ae10100..50addc1e8357 100644
--- a/cui/source/options/certpath.hxx
+++ b/cui/source/options/certpath.hxx
@@ -32,7 +32,11 @@ public:
     explicit CertPathDialog(weld::Window* pParent);
     virtual ~CertPathDialog() override;
 
-    OUString getDirectory() const;
+    void Init();
+
+    // returns true, if the service currently uses the selected path or is not initialized
+    // yet and therefore has no active NSS path.
+    bool isActiveServicePath() const;
 };
 
 /* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/cui/source/options/optinet2.cxx b/cui/source/options/optinet2.cxx
index c78b94f6e543..35d9b1a2299d 100644
--- a/cui/source/options/optinet2.cxx
+++ b/cui/source/options/optinet2.cxx
@@ -675,11 +675,9 @@ IMPL_LINK_NOARG(SvxSecurityTabPage, CertPathPBHdl, weld::Button&, void)
 {
     if (!mpCertPathDlg)
         mpCertPathDlg.reset(new CertPathDialog(GetFrameWeld()));
+    mpCertPathDlg->Init();
 
-    OUString sOrig = mpCertPathDlg->getDirectory();
-    short nRet = mpCertPathDlg->run();
-
-    if (nRet == RET_OK && sOrig != mpCertPathDlg->getDirectory())
+    if (mpCertPathDlg->run() == RET_OK && !mpCertPathDlg->isActiveServicePath())
     {
         SolarMutexGuard aGuard;
         if (svtools::executeRestartDialog(comphelper::getProcessComponentContext(), nullptr, svtools::RESTART_REASON_ADDING_PATH))
diff --git a/offapi/UnoApi_offapi.mk b/offapi/UnoApi_offapi.mk
index 2003e4eaaa2a..ad073f8b8f9f 100644
--- a/offapi/UnoApi_offapi.mk
+++ b/offapi/UnoApi_offapi.mk
@@ -462,6 +462,7 @@ $(eval $(call gb_UnoApi_add_idlfiles_nohdl,offapi,com/sun/star/xforms,\
 ))
 $(eval $(call gb_UnoApi_add_idlfiles_nohdl,offapi,com/sun/star/xml/crypto,\
 	NSSInitializer \
+	NSSProfile \
 	SecurityEnvironment \
 	SEInitializer \
 	GPGSEInitializer \
diff --git a/offapi/com/sun/star/xml/crypto/NSSInitializer.idl b/offapi/com/sun/star/xml/crypto/NSSInitializer.idl
index 9eea7b1701eb..7eb857596afb 100644
--- a/offapi/com/sun/star/xml/crypto/NSSInitializer.idl
+++ b/offapi/com/sun/star/xml/crypto/NSSInitializer.idl
@@ -25,6 +25,14 @@
 module com { module sun { module star { module xml { module crypto {
 
 /**
+    This service has a particular lifecycle. If you create an instance,
+    the NSS backend is not initialized, until some of the crypto functions
+    are called. As a result you can effectively change the user setting to
+    the NSS path until NSS is really used.
+
+    After the first usage you have to restart LibreOffice to activate a new
+    NSS path.
+
     @since LibreOffice 4.0
  */
 service NSSInitializer : XNSSInitializer;
diff --git a/offapi/com/sun/star/xml/crypto/NSSProfile.idl b/offapi/com/sun/star/xml/crypto/NSSProfile.idl
new file mode 100644
index 000000000000..4ac4a39c0b52
--- /dev/null
+++ b/offapi/com/sun/star/xml/crypto/NSSProfile.idl
@@ -0,0 +1,54 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * This file incorporates work covered by the following license notice:
+ *
+ *   Licensed to the Apache Software Foundation (ASF) under one or more
+ *   contributor license agreements. See the NOTICE file distributed
+ *   with this work for additional information regarding copyright
+ *   ownership. The ASF licenses this file to you under the Apache
+ *   License, Version 2.0 (the "License"); you may not use this file
+ *   except in compliance with the License. You may obtain a copy of
+ *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
+ */
+
+#ifndef __com_sun_star_xml_crypto_NSSProfile_idl_
+#define __com_sun_star_xml_crypto_NSSProfile_idl_
+
+#include <com/sun/star/mozilla/MozillaProductType.idl>
+
+module com { module sun { module star { module xml { module crypto {
+
+/**
+    @since LibreOffice 7.1
+ */
+struct NSSProfile {
+    /** the name of the NSS profile
+
+        Normally the name will reflect the name of the Mozilla profile. But the
+        profile list also contains the following special enties: MANUAL and
+        MOZILLA_CERTIFICATE_FOLDER.
+        These will have a product type of MozillaProductType::Default and might
+        have an empty path, if that value is not available.
+     */
+    string Name;
+
+    /** the path to the NSS databases
+     */
+    string Path;
+
+    /** the type of the NSS profile
+     */
+    ::com::sun::star::mozilla::MozillaProductType Type;
+};
+
+} ; } ; } ; } ; } ;
+
+#endif
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/offapi/com/sun/star/xml/crypto/XNSSInitializer.idl b/offapi/com/sun/star/xml/crypto/XNSSInitializer.idl
index 36f7ce3585a0..a6ff1ab7b3fa 100644
--- a/offapi/com/sun/star/xml/crypto/XNSSInitializer.idl
+++ b/offapi/com/sun/star/xml/crypto/XNSSInitializer.idl
@@ -22,6 +22,8 @@
 
 #include <com/sun/star/xml/crypto/XCipherContextSupplier.idl>
 #include <com/sun/star/xml/crypto/XDigestContextSupplier.idl>
+#include <com/sun/star/xml/crypto/NSSProfile.idl>
+#include <com/sun/star/xml/lang/XInitialization.idl>
 
 module com { module sun { module star { module xml { module crypto {
 
@@ -31,6 +33,32 @@ module com { module sun { module star { module xml { module crypto {
 interface XNSSInitializer {
     interface ::com::sun::star::xml::crypto::XDigestContextSupplier;
     interface ::com::sun::star::xml::crypto::XCipherContextSupplier;
+
+    /** the current path to the NSS databases
+
+        This attribute returns the current setting, based on the user selection
+        or automatic detection. This value can change until someone uses NSS
+        crypto functions, because just then LibreOffice initializes the NSS
+        library and the value stays fixed until LibreOffice is restarted!
+
+        @since LibreOffice 7.1
+     */
+    [attribute, readonly] string NSSPath;
+
+    /** the state of the NSS initialization
+
+        This attribute returns true, if the NSS library is initialized.
+
+        @see NSSPath
+        @since LibreOffice 7.1
+     */
+    [attribute, readonly] boolean IsNSSinitialized;
+
+    /** get the current profile list
+
+        @since LibreOffice 7.1
+     */
+    sequence<NSSProfile> getNSSProfiles();
 };
 
 } ; } ; } ; } ; } ;
diff --git a/xmlsecurity/source/xmlsec/nss/nssinitializer.cxx b/xmlsecurity/source/xmlsec/nss/nssinitializer.cxx
index d64ea10a05a0..c43abe14569f 100644
--- a/xmlsecurity/source/xmlsec/nss/nssinitializer.cxx
+++ b/xmlsecurity/source/xmlsec/nss/nssinitializer.cxx
@@ -21,6 +21,7 @@
 #include <com/sun/star/mozilla/XMozillaBootstrap.hpp>
 #include <com/sun/star/xml/crypto/DigestID.hpp>
 #include <com/sun/star/xml/crypto/CipherID.hpp>
+#include <com/sun/star/xml/crypto/NSSInitializer.hpp>
 #include <com/sun/star/uno/XComponentContext.hpp>
 #include <cppuhelper/supportsservice.hxx>
 #include <officecfg/Office/Common.hxx>
@@ -33,6 +34,7 @@
 #include <tools/diagnose_ex.h>
 #include <unotools/tempfile.hxx>
 #include <salhelper/singletonref.hxx>
+#include <comphelper/sequence.hxx>
 
 #include <nss/nssinitializer.hxx>
 
@@ -144,8 +146,35 @@ void deleteRootsModule()
     }
 }
 
-OString getMozillaCurrentProfile( const css::uno::Reference< css::uno::XComponentContext > &rxContext )
+#endif
+
+bool lcl_pathExists(const OUString& sPath)
 {
+    if (sPath.isEmpty())
+        return false;
+
+    ::osl::DirectoryItem aPathItem;
+    OUString sURL;
+    osl::FileBase::getFileURLFromSystemPath(sPath, sURL);
+    if (::osl::FileBase::E_None == ::osl::DirectoryItem::get(sURL, aPathItem))
+    {
+        ::osl::FileStatus aStatus = osl_FileStatus_Mask_Validate;
+        if (::osl::FileBase::E_None == aPathItem.getFileStatus(aStatus))
+            return true;
+    }
+
+    return false;
+}
+
+} // namespace
+
+OUString ONSSInitializer::getMozillaCurrentProfile(const css::uno::Reference< css::uno::XComponentContext > &rxContext, bool bSetActive)
+{
+    if (m_bIsNSSinitialized)
+         return m_sNSSPath;
+    if (bSetActive)
+        m_bIsNSSinitialized = true;
+
     // first, try to get the profile from "MOZILLA_CERTIFICATE_FOLDER"
     const char* pEnv = getenv("MOZILLA_CERTIFICATE_FOLDER");
     if (pEnv)
@@ -153,30 +182,33 @@ OString getMozillaCurrentProfile( const css::uno::Reference< css::uno::XComponen
         SAL_INFO(
             "xmlsecurity.xmlsec",
             "Using Mozilla profile from MOZILLA_CERTIFICATE_FOLDER=" << pEnv);
-        return pEnv;
+        m_sNSSPath = OStringToOUString(pEnv, osl_getThreadTextEncoding());
     }
 
     // second, try to get saved user-preference
-    try
+    if (m_sNSSPath.isEmpty())
     {
-        OUString sUserSetCertPath =
-            officecfg::Office::Common::Security::Scripting::CertDir::get().value_or(OUString());
+        try
+        {
+            OUString sUserSetCertPath =
+                officecfg::Office::Common::Security::Scripting::CertDir::get().value_or(OUString());
 
-        if (!sUserSetCertPath.isEmpty())
+            if (lcl_pathExists(sUserSetCertPath))
+            {
+                SAL_INFO(
+                    "xmlsecurity.xmlsec",
+                    "Using Mozilla profile from /org.openoffice.Office.Common/"
+                        "Security/Scripting/CertDir: " << sUserSetCertPath);
+                m_sNSSPath = sUserSetCertPath;
+            }
+        }
+        catch (const uno::Exception &)
         {
-            SAL_INFO(
-                "xmlsecurity.xmlsec",
-                "Using Mozilla profile from /org.openoffice.Office.Common/"
-                    "Security/Scripting/CertDir: " << sUserSetCertPath);
-            return OUStringToOString(sUserSetCertPath, osl_getThreadTextEncoding());
+            TOOLS_WARN_EXCEPTION("xmlsecurity.xmlsec", "getMozillaCurrentProfile:");
         }
     }
-    catch (const uno::Exception &)
-    {
-        TOOLS_WARN_EXCEPTION("xmlsecurity.xmlsec", "getMozillaCurrentProfile:");
-    }
 
-    // third, dig around to see if there's one available
+    // third, dig around to see if there's one default available
     mozilla::MozillaProductType productTypes[3] = {
         mozilla::MozillaProductType_Thunderbird,
         mozilla::MozillaProductType_Firefox,
@@ -196,20 +228,95 @@ OString getMozillaCurrentProfile( const css::uno::Reference< css::uno::XComponen
 
             if (!profile.isEmpty())
             {
-                OUString sProfilePath = xMozillaBootstrap->getProfilePath( productTypes[i], profile );
-                SAL_INFO(
-                    "xmlsecurity.xmlsec",
-                    "Using Mozilla profile " << sProfilePath);
-                return OUStringToOString(sProfilePath, osl_getThreadTextEncoding());
+                OUString sProfilePath = xMozillaBootstrap->getProfilePath(productTypes[i], profile);
+                if (m_sNSSPath.isEmpty())
+                {
+                    SAL_INFO("xmlsecurity.xmlsec", "Using Mozilla profile " << sProfilePath);
+                    m_sNSSPath = sProfilePath;
+                }
+                break;
             }
         }
     }
 
-    SAL_INFO("xmlsecurity.xmlsec", "No Mozilla profile found");
-    return OString();
+    SAL_INFO_IF(m_sNSSPath.isEmpty(), "xmlsecurity.xmlsec", "No Mozilla profile found");
+    return m_sNSSPath;
 }
 
-#endif
+css::uno::Sequence<css::xml::crypto::NSSProfile> SAL_CALL ONSSInitializer::getNSSProfiles()
+{
+    ONSSInitializer::getMozillaCurrentProfile(m_xContext);
+
+    std::vector<xml::crypto::NSSProfile> aProfileList;
+    aProfileList.reserve(10);
+
+    mozilla::MozillaProductType productTypes[3] = {
+        mozilla::MozillaProductType_Thunderbird,
+        mozilla::MozillaProductType_Firefox,
+        mozilla::MozillaProductType_Mozilla };
+
+    uno::Reference<uno::XInterface> xInstance = m_xContext->getServiceManager()->createInstanceWithContext("com.sun.star.mozilla.MozillaBootstrap", m_xContext);
+    OSL_ENSURE(xInstance.is(), "failed to create instance" );
+
+    uno::Reference<mozilla::XMozillaBootstrap> xMozillaBootstrap(xInstance,uno::UNO_QUERY);
+
+    if (xMozillaBootstrap.is())
+    {
+        for (int i=0; i<int(SAL_N_ELEMENTS(productTypes)); ++i)
+        {
+            uno::Sequence<OUString> aProductProfileList;
+            xMozillaBootstrap->getProfileList(productTypes[i], aProductProfileList);
+            for (const auto& sProfile : std::as_const(aProductProfileList))
+                aProfileList.push_back({sProfile, xMozillaBootstrap->getProfilePath(productTypes[i], sProfile), productTypes[i]});
+        }
+    }
+
+    OUString sUserSelect;
+    try
+    {
+        sUserSelect = officecfg::Office::Common::Security::Scripting::CertDir::get().value_or(OUString());;
+        if (!lcl_pathExists(sUserSelect))
+            sUserSelect = OUString();
+    }
+    catch (const uno::Exception &)
+    {
+        TOOLS_WARN_EXCEPTION("xmlsecurity.xmlsec", "getMozillaCurrentProfile:");
+    }
+    aProfileList.push_back({"MANUAL", sUserSelect, mozilla::MozillaProductType_Default});
+
+    const char* pEnv = getenv("MOZILLA_CERTIFICATE_FOLDER");
+    aProfileList.push_back({"MOZILLA_CERTIFICATE_FOLDER",
+                            pEnv ? OStringToOUString(pEnv, osl_getThreadTextEncoding()) : OUString(),
+                            mozilla::MozillaProductType_Default});
+
+    return comphelper::containerToSequence(aProfileList);
+}
+
+bool ONSSInitializer::m_bIsNSSinitialized = false;
+OUString ONSSInitializer::m_sNSSPath;
+
+OUString SAL_CALL ONSSInitializer::getNSSPath()
+{
+    ONSSInitializer::getMozillaCurrentProfile(m_xContext);
+    return m_sNSSPath;
+};
+
+sal_Bool SAL_CALL ONSSInitializer::getIsNSSinitialized()
+{
+    return m_bIsNSSinitialized;
+}
+
+ONSSInitializer::ONSSInitializer(const css::uno::Reference< css::uno::XComponentContext > &rxContext)
+    : m_xContext(rxContext)
+{
+}
+
+ONSSInitializer::ONSSInitializer()
+{
+}
+
+namespace
+{
 
 //Older versions of Firefox (FF), for example FF2, and Thunderbird (TB) 2 write
 //the roots certificate module (libnssckbi.so), which they use, into the
@@ -238,7 +345,7 @@ bool nsscrypto_initialize(css::uno::Reference<css::uno::XComponentContext> const
     OString sCertDir;
 
 #ifdef XMLSEC_CRYPTO_NSS
-    sCertDir = getMozillaCurrentProfile(rxContext);
+    sCertDir = OUStringToOString(ONSSInitializer::getMozillaCurrentProfile(rxContext, true), osl_getThreadTextEncoding());
 #else
     (void) rxContext;
 #endif
@@ -402,11 +509,6 @@ extern "C" void nsscrypto_finalize()
     (*getInitNSSPrivate())->reset();
 }
 
-ONSSInitializer::ONSSInitializer(
-    const css::uno::Reference< css::uno::XComponentContext > &rxContext)
-    :m_xContext( rxContext )
-{
-}
 
 ONSSInitializer::~ONSSInitializer()
 {
diff --git a/xmlsecurity/source/xmlsec/nss/nssinitializer.hxx b/xmlsecurity/source/xmlsec/nss/nssinitializer.hxx
index 7e1b7ff50537..2dcd821c020d 100644
--- a/xmlsecurity/source/xmlsec/nss/nssinitializer.hxx
+++ b/xmlsecurity/source/xmlsec/nss/nssinitializer.hxx
@@ -37,15 +37,22 @@ class ONSSInitializer : public cppu::WeakImplHelper
 {
 protected:
     css::uno::Reference< css::uno::XComponentContext > m_xContext;
+    static OUString m_sNSSPath;
+    static bool m_bIsNSSinitialized;
 
-    ONSSInitializer()
-    {}
+    ONSSInitializer();
 
 public:
     explicit ONSSInitializer(const css::uno::Reference<css::uno::XComponentContext> &rxContext);
     virtual ~ONSSInitializer() override;
 
     static bool initNSS( const css::uno::Reference< css::uno::XComponentContext > &rxContext );
+    static OUString getMozillaCurrentProfile(const css::uno::Reference< css::uno::XComponentContext > &rxContext, bool bSetActive = false);
+
+    /* XNSSInitializer */
+    virtual OUString SAL_CALL getNSSPath() override;
+    virtual sal_Bool SAL_CALL getIsNSSinitialized() override;
+    virtual css::uno::Sequence<css::xml::crypto::NSSProfile> SAL_CALL getNSSProfiles() override;
 
     /* XDigestContextSupplier */
     virtual css::uno::Reference< css::xml::crypto::XDigestContext > SAL_CALL getDigestContext( ::sal_Int32 nDigestID, const css::uno::Sequence< css::beans::NamedValue >& aParams ) override;
@@ -55,9 +62,7 @@ public:
 
     /* XServiceInfo */
     virtual OUString SAL_CALL getImplementationName() override;
-
     virtual sal_Bool SAL_CALL supportsService( const OUString& ServiceName ) override;
-
     virtual css::uno::Sequence< OUString > SAL_CALL getSupportedServiceNames() override;
 };