223494 - cmsutil signing does not work with hardware tokens

Status: RESOLVED FIXED

(NSS :: Libraries, defect)

Description

[Julien Pierre]

When trying to use cmsutil today, it would not find the certificate for signing
on my hardware token. It appears that the password is not being passed down in
all cases. Even with softoken this would be a problem in theory, except that the
CERT_FindUserCertByUsage function may be able to find certs marked "user"
without actually opening the key db.

I will attach a patch that resolved the problem with my token.

Comment 1

[Julien Pierre]

Attachment: fix password issues

Comment 2

[Nelson Bolyard (seldom reads bugmail)]

Julien, is your token not a "friendly" token? (friendly means one that will
allow you to search certificates even when not logged in)

Comment 3

[Julien Pierre]

Nelson,

No, the token won't present any certs over PKCS#11 unless logged in.

Comment 4

[Wan-Teh Chang]

Comment on attachment 133999 [details] [diff] [review]
fix password issues

r=wtc.	This patch looks correct as far as I can tell.
I'd like either Bob or Nelson to do a second review
because I'm not familiar with CERT_FindUserCertByUsage
and PK11_SetPasswordFunc.

One suggested change: declare the following as 'static':

>+secuPWData pwdata = { PW_NONE, 0 };
>+PK11PasswordFunc pwcb = NULL;
>+void *pwcb_arg = NULL;

Actually I don't think pwcb and pwcb_arg are that useful.
Why don't we just pass SECU_GetModulePassword and &pwdata
as arguments to NSS_CMSDecoder_Start and NSS_CMSEncoder_Start?

Comment 5

[Julien Pierre]

Thanks for the reviews, Wan-Teh and Bob.

I made the variables static and checked this in to the tip.

Checking in cmsutil.c;
/cvsroot/mozilla/security/nss/cmd/smimetools/cmsutil.c,v  <--  cmsutil.c
new revision: 1.43; previous revision: 1.42