Closed
Bug 228881
Opened 21 years ago
Closed 6 months ago
Stan's trust domain cert cache does not properly handle tokens that may be logged in automatically.
Categories
(NSS :: Libraries, defect, P5)
Tracking
(Not tracked)
RESOLVED
INACTIVE
People
(Reporter: wtc, Unassigned)
Details
I recently used an HSM that contains two real tokens and one virtual token. The virtual token is conceptually the union of the two real tokens and an application only talks to the virtual token. In other words, an application only knows about the virtual token. However, NSS still knows about the two real tokens because the PKCS #11 module returns all three slots, and the administrative interface of the application may still need to operate on the real tokens. When an application logs into the virtual token, the two real tokens are also logged in automatically. This confuses NSS because NSS doesn't know that a token can be logged in "out of band". So, the things that NSS does when it logs into a token will not be done for these real tokens. Specifically, PK11_Authenticate on either of the real tokens won't call the PK11_DoPassword:nssTrustDomain_UpdateCachedTokenCerts sequence. The result is that the certs in the cache won't have the instances that live on the real tokens.
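A minimal model of the failure described in the report above, added here as an illustration; it is not NSS code and not from the reporter. All names are hypothetical, the early return stands in for the skipped PK11_DoPassword:nssTrustDomain_UpdateCachedTokenCerts sequence, and the reconciling variant is an assumed approach, not a fix taken from this bug.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model, not NSS code; every name below is hypothetical. */
enum { REAL_A, REAL_B, VIRTUAL, NTOKENS };

static bool logged_in[NTOKENS]; /* login state the PKCS #11 module reports */
static bool cached[NTOKENS];    /* cert instances on token t are in the cache */

static void reset_model(void) {
    for (int t = 0; t < NTOKENS; t++) logged_in[t] = cached[t] = false;
}

/* Module side: logging into the virtual token logs in both real tokens. */
static void module_login(int t) {
    logged_in[t] = true;
    if (t == VIRTUAL) logged_in[REAL_A] = logged_in[REAL_B] = true;
}

/* Library side as reported: the cache update is tied to the login the
 * library performs itself, so an already-logged-in token skips it. */
static void authenticate(int t) {
    if (logged_in[t]) return;
    module_login(t);
    cached[t] = true; /* post-login cache update */
}

/* Assumed variant: track the cache update separately from login state. */
static void authenticate_reconciling(int t) {
    if (!logged_in[t]) module_login(t);
    if (!cached[t]) cached[t] = true; /* runs even after out-of-band login */
}

/* Authenticate to the virtual token, then to each real token. */
static int run_scenario(void (*auth)(int)) {
    int n = 0;
    reset_model();
    auth(VIRTUAL); auth(REAL_A); auth(REAL_B);
    for (int t = 0; t < NTOKENS; t++) n += cached[t];
    return n; /* number of tokens whose cert instances reached the cache */
}

int main(void) {
    printf("as reported: %d of %d tokens cached\n", run_scenario(authenticate), NTOKENS);
    printf("reconciling: %d of %d tokens cached\n", run_scenario(authenticate_reconciling), NTOKENS);
    return 0;
}
```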
Comment 1•21 years ago
Isn't the purpose of the virtual token to obviate the physical tokens? Isn't the idea that the application deals with the virtual token, and ignores the physical tokens, and the virtual token directs activity to the virtual tokens as needed? If that is so, then why does the application need to concern itself with the physical tokens?
Updated•19 years ago
QA Contact: bishakhabanerjee → jason.m.reid
Updated•18 years ago
QA Contact: jason.m.reid → libraries
Comment 2•2 years ago
The bug assignee didn't log in to Bugzilla in the last 7 months, so the assignee is being reset.
Assignee: wtc → nobody
Updated•2 years ago
Severity: normal → S3
Updated•6 months ago
Status: NEW → RESOLVED
Closed: 6 months ago
Priority: -- → P5
Resolution: --- → INACTIVE