Closed Bug 166894 Opened 22 years ago Closed 22 years ago

Changing trust on a token cert causes a failure.

Categories

(NSS :: Libraries, defect, P1)

Product:
NSS
Component:
Libraries
Version:
3.4.2
Platform:
x86
Windows 2000
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: rrelyea, Assigned: rrelyea)

Details

(Whiteboard: [3.4.3])

Attachments

(5 files, 1 obsolete file)

Handle Trust Change corner cases. (for NSS_3_4_BRANCH)
2.78 KB, patch
bugz
: review+
Details | Diff | Splinter Review
Incremental patch (for NSS_3_4_BRANCH)
900 bytes, patch
bugz
: review+
Details | Diff | Splinter Review
Destroy nssTrust before returning from STAN_ChangeCertTrust (for NSS_3_4_BRANCH)
1.96 KB, patch
Details | Diff | Splinter Review
Destroy nssTrust before returning from STAN_ChangeCertTrust (for the tip of NSS)
1.52 KB, patch
rrelyea
: review+
Details | Diff | Splinter Review
Store trust in internal token if trust in target token fails. (for the tip of NSS)
1.97 KB, patch
wtc
: review+
Details | Diff | Splinter Review
If you have a cert in a token that's writable, but does not support trust objects, then we may get a failure when trying to change the trust on that token.
This patch is for NSS 3.4. In consists of two pieces: part 1, translate the current NSS 3.6 fixes for handling changing trust on a certificate if it lives in multiple tokens to NSS 3.4. This is the code around stan_GetTokenTrust(). Part 2 needs to be included in NSS 3.6. It is the code around the failure to import trust case. In this case the R/W token we selected does not understand trust objects, we move the cert to the internal token (which does understand trust objects), then change the trust there.
Ian, could you review this patch (remember it's against NSS 3.4.2 branch). thanks, bob
This incremental patch should be applied on top of Bob's patch to fix a bug in his patch.
Comment on attachment 97968 [details] [diff] [review] Handle Trust Change corner cases. (for NSS_3_4_BRANCH) reviewed this as major part of patch, next patch also required I never thought so little code could be so confusing :)
Attachment #97968 - Flags: review+
Comment on attachment 97976 [details] [diff] [review] Incremental patch (for NSS_3_4_BRANCH) good catch, wtc
Attachment #97976 - Flags: review+
Version: 3.4.2 → 3.6
Target Milestone: --- → 3.4.3
Version: 3.6 → 3.4.2
In STAN_ChangeCertTrust, we are not always destroying 'nssTrust' before returning. This seems like a memory leak on those code paths. This patch adds a 'done' label to the function and we return from the function by 'goto done'. This ensures that 'nssTrust' is destroyed before returning. Please review this patch. This patch is against the NSS_3_4_BRANCH. The tip needs a similar patch. Thanks.
Attachment #99575 - Attachment description: Destroy nssTrust before returning from STAN_ChangeCertTrust → Destroy nssTrust before returning from STAN_ChangeCertTrust (for NSS_3_4_BRANCH)
This patch is the NSS tip equivalent of 97968, and should be targeted for NSS 3.6.
With 3.4 partion fixed, not targetting 3.6
Target Milestone: 3.4.3 → 3.6
With 3.4 partion fixed, now targetting 3.6
Attachment #99577 - Flags: review+
The merge of mine and Wan-Teh's patches should be straight forward. The don't modify any common code. The only addition would be my new: if (!newInstance) { return PR_FAILURE; } should become: if (!newInstance) { nssrv = PR_FAILURE; goto done; } bob
Thanks, Bob, for the code review. I've checked in my patches (to destroy nssTrust before returning from STAN_ChangeCertTrust) on the tip and NSS_3_4_BRANCH. Are you waiting for a code review of your patch?
Yes.
Comment on attachment 100025 [details] [diff] [review] Store trust in internal token if trust in target token fails. (for the tip of NSS) I verified that this is the equivalent of attachment 97968 [details] [diff] [review] for the tip. (Remember to make the 'goto done' change because my patch is already checked in.) It would be nice if Ian could also review this patch. Question: the code on the tip does this: newInstance = nssToken_ImportCertificate(...); if (!newInstance) { return PR_FAILURE; } nssPKIObject_AddInstance(&c->object, newInstance); newInstance = nssToken_ImportTrust(...); If nssToken_ImportTrust fails, do we need to destroy the instance that was added to c->object by the preceding nssPKIObject_AddInstance call?
Attachment #100025 - Flags: review+
I can answer that. No -- that instance was for a certificate, and was added to the PKICertificate. The variable is then reused for a trust object. If the trust import fails, that does not change the fact that the cert import already succeeded, and therefore a new cert instance was created on the token.
The whole purpose of importing the cert to some other token is so that we can import the trust to the same token. So, if the trust import fails, it seems that we should also undo the cert import.
Sure -- I didn't look at the rest of the code. I thought, based on the fragment you showed, that you were wondering whether the memory occupied by newInstance needed to be freed. That is not the case. However, if the trust import fails, the actual cert instance should be deleted via nssToken_DeleteStoredObject first need to call nssPKIObject_RemoveInstanceForToken to get rid of the cert's reference to the instance).
I have the order reversed. This is maybe a bit confusing (it is to me now, anyway), but you call nssToken_DeleteStoredObject and then nssPKIObject_RemoveInstanceForToken.
Per my last two comments, this patch is a better way to handle the case described. First of all, there were no callers of nssPKIObject_RemoveInstanceForToken, secondly, I can think of no reason to call that function other than to delete the instance. So I combined the two operations into one function. This should be called to delete the cert instance if the trust import fails.
Priority: -- → P1
Severity: normal → blocker
Thomas, could you try /u/wtc/thomask/mozilla (debug and optimized builds for Solaris 8) on a hardware token? That source tree has Bob's patch for NSS 3.6. Thanks.
I'm a little worried about blindly deleting the cert on import failure. I'm not so sure that in the current code, that we don't try to import the cert even if it has already been imported. In that case if we delete the cert we delete an entry that was already there. On the other hand, if we import the cert, but fail to set the trust, we haven't harmed anything. The cert is in the db or token, but it shouldn't interfere with operations. I think we should put ian's patch in longer term (3.7) as long as we can convince ourselves that the import is unique (or add code to guarrentee it is unique), and we're able to get some testing against the new code. bob
The blocking part of this bug has been checked in, I vote we move the last part out to 3.7, as long as Thomas is able to test with this patch. bob
I opened bug 171969 about the final matter. We should close this bug.
Marking fixed. The remaining issue has been reported in a separate bug targetted for 3.7. Leaving the target on this bug as 3.6 so that it shows up on any attempt to list the fixed in 3.6
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Whiteboard: [3.4.3]
Comment on attachment 100574 [details] [diff] [review] delete specific token instances from objects Marked the patch obsolete. The issue addressed by this patch is now bug 171969.
Attachment #100574 - Attachment is obsolete: true
Attachment #100025 - Attachment description: Store trust in internal token if trust in target token fails. → Store trust in internal token if trust in target token fails. (for the tip of NSS)
Attachment #97968 - Attachment description: Handle Trust Change corner cases. → Handle Trust Change corner cases. (for NSS_3_4_BRANCH)
Attachment #97976 - Attachment description: Incremental patch → Incremental patch (for NSS_3_4_BRANCH)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: