Bug 450836 - Unable to delete a certificate in a Solaris metaslot with certutil -D
Status: RESOLVED INVALID (Closed)
Opened 16 years ago; Closed 16 years ago
Categories: NSS :: Libraries, defect
Tracking: Not tracked
People: Reporter: nelson; Unassigned
Whiteboard: CR 6609549
Attachments: 1 file (8.96 KB, text/plain)
Received the following report by email from a Solaris 10 user:

Unable to delete a certificate which I had added in a metaslot.

  #certutil -L -d . -h "Sun Metaslot"
  Enter Password or Pin for "Sun Metaslot":
  Sun Metaslot:Server-Cert u,u,u
  #certutil -D -d . -n "Sun Metaslot:Server-Cert"
  Enter Password or Pin for "Sun Metaslot":
  certutil: unable to delete certificate: security library: bad database.

  # uname -a
  SunOS ... 5.10 Generic_118833-24 sun4v sparc SUNW,Sun-Fire-T200

Steps to reproduce:
1) Login as root
2) Clean up
  #rm -rf /.sunw
3) set pin
  #pktool setpin
4) add libpkcs11.so
  #modutil -dbdir . -add "Solaris Crypto Framework" -libfile /usr/lib/libpkcs11.so -mechanisms RSA
5) enable the module
  #modutil -enable "Solaris Crypto Framework" -dbdir .
6) Disable certain mechanisms
  #cryptoadm disable provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so mechanism=CKM_SSL3_PRE_MASTER_KEY_GEN,CKM_SSL3_MASTER_KEY_DERIVE,CKM_SSL3_KEY_AND_MAC_DERIVE,CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_SSL3_MD5_MAC,CKM_SSL3_SHA1_MAC
7) create a self signed cert in "Sun Metaslot"
  #certutil -S -n "Server-Cert" -x -t u,u,u -s "CN=xyz.red.iplanet.com" -d . -x -h "Sun Metaslot"
  Enter Password or Pin for "Sun Metaslot":
  A random seed must be generated that will be used in the creation of your key. One of the easiest ways to create a random seed is to use the timing of keystrokes on a keyboard.
  To begin, type keys on the keyboard until this progress meter is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
  Continue typing until the progress meter is full:
  |************************************************************|
  Finished. Press enter to continue:
  Generating key. This may take a few moments...
  #
8) List the certificate
  #certutil -L -d . -h "Sun Metaslot"
  Enter Password or Pin for "Sun Metaslot":
  Sun Metaslot:Server-Cert u,u,u
9) Try deleting it; doesn't work.
  #certutil -D -d . -n "Sun Metaslot:Server-Cert"
  Enter Password or Pin for "Sun Metaslot":
  certutil: unable to delete certificate: security library: bad database.

A workaround exists using the Solaris program pktool. pktool works as shown below.

  # ../../bin/certutil -L -d . -h "Sun Metaslot"
  Enter Password or Pin for "Sun Metaslot":
  Sun Metaslot:Server-Cert u,u,u
  # ../../bin/certutil -D -d . -n "Sun Metaslot:Server-Cert"
  Enter Password or Pin for "Sun Metaslot":
  certutil: unable to delete certificate: security library: bad database.
  # pktool delete label=Server-Cert
  Enter token passphrase:
  Object #1 "Server-Cert" successfully deleted.
  #
  # ../../bin/certutil -L -d . -h "Sun Metaslot"
  Enter Password or Pin for "Sun Metaslot":
  #
Comment 1 (Reporter) • 16 years ago
It would be helpful to know: a) how was that certificate created (or imported) in the metaslot token? b) with what version of NSS was the problem reproduced?
Whiteboard: CR 6609549
Comment 2 (Reporter) • 16 years ago
What kind of public key did the cert in question have? Was it a cert with an ECC public key, by any chance?
I do not remember any more details. You can close the bug if you can not reproduce it.
Comment 7 (Reporter) • 16 years ago
I was able to reproduce the problem while tracing the PKCS#11 interface to the module in question. The trace log shows that we established a read-write session, and then tried to destroy the cert object, and the module returned error 0xb5 which is CKR_SESSION_READ_ONLY. Here is the relevant trace log excerpt:

  : C_OpenSession
  :   slotID = 0x0
  :   flags = 0x6
  :   pApplication = 0x855d0
  :   Notify = 0xff1f14f0
  :   phSession = 0xffbfef28
  :   *phSession = 0x55270
  :   rv = 0x0
  : C_DestroyObject
  :   hSession = 0x55270
  :   hObject = 0x962b8
  :   rv = 0xb5

This appears to be a bug in the PKCS#11 module, not in NSS.
Comment 8 (Reporter) • 16 years ago
Here are more relevant excerpts from the trace log:

  : C_FindObjectsInit
  :   hSession = 0x55050
  :   pTemplate = 0xffbff014
  :   ulCount = 3
  :     CKA_LABEL = Server-Cert [11]
  :     CKA_TOKEN = CK_TRUE [1]
  :     CKA_CLASS = CKO_CERTIFICATE [4]
  :   rv = 0x0
  : C_FindObjects
  :   hSession = 0x55050
  :   phObject = 0xffbfeee0
  :   ulMaxObjectCount = 16
  :   pulObjectCount = 0xffbfef24
  :   *pulObjectCount = 0x1
  :   phObject[0] = 0x962b8
  :   rv = 0x0
  : C_FindObjectsFinal
  :   hSession = 0x55050
  :   rv = 0x0
  : C_GetAttributeValue
  :   hSession = 0x55050
  :   hObject = 0x962b8
  :   pTemplate = 0xffbfedc4
  :   ulCount = 2
  :     CKA_TOKEN = CK_TRUE [1]
  :     CKA_LABEL = Server-Cert [11]
  :   rv = 0x0
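As an added triage aid (not part of this bug or of NSS), the script below parses a trace excerpt in the format quoted in Comments 7 and 8, records the flags each session was opened with, and reports any call the module rejected with CKR_SESSION_READ_ONLY on a session that was opened with CKF_RW_SESSION, which is the contradiction that pointed the diagnosis at the module rather than NSS. The TRACE string is a constructed shortening of the quoted excerpts; the constants are the standard PKCS#11 values.

```python
# PKCS#11 constants (PKCS#11 v2.x, pkcs11t.h)
CKF_RW_SESSION = 0x2          # session was requested read/write
CKF_SERIAL_SESSION = 0x4      # must always be set per the spec
CKR_OK = 0x0
CKR_SESSION_READ_ONLY = 0xB5  # the 0xb5 seen in the trace

# Constructed excerpt, one field per line, in the format of the trace quoted above.
TRACE = """\
: C_OpenSession
: slotID = 0x0
: flags = 0x6
: *phSession = 0x55270
: rv = 0x0
: C_DestroyObject
: hSession = 0x55270
: hObject = 0x962b8
: rv = 0xb5
"""

def parse_trace(text):
    """Group ': key = value' lines under the preceding ': C_Function' line."""
    calls = []
    for raw in text.splitlines():
        body = raw.lstrip(":").strip()
        if not body:
            continue
        if "=" not in body:                      # a new function-call record
            calls.append({"fn": body, "args": {}})
        elif calls:
            key, _, val = body.partition("=")
            calls[-1]["args"][key.strip()] = val.strip()
    return calls

def session_flags(calls):
    """Map each handle returned by a successful C_OpenSession to its open flags."""
    return {c["args"]["*phSession"]: int(c["args"]["flags"], 16)
            for c in calls
            if c["fn"] == "C_OpenSession" and int(c["args"]["rv"], 16) == CKR_OK}

def read_only_contradictions(calls):
    """(function, session) pairs where the module returned CKR_SESSION_READ_ONLY
    on a session the same trace shows was opened with CKF_RW_SESSION set."""
    rw = session_flags(calls)
    hits = []
    for c in calls:
        sess = c["args"].get("hSession")
        rv = int(c["args"].get("rv", "0x0"), 16)
        if rv == CKR_SESSION_READ_ONLY and sess in rw and rw[sess] & CKF_RW_SESSION:
            hits.append((c["fn"], sess))
    return hits
```

Running it on the trace above yields one hit, C_DestroyObject on session 0x55270; an empty result would mean the read-only error was at least consistent with how the session was opened, and the search for the fault would have to move back to the caller.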
Comment 9 (Reporter) • 16 years ago
I'm resolving this "invalid" because, while there is a reproducible bug, it appears not to be an NSS bug. If that changes, I'll reopen this.
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → INVALID