Closed
Bug 111078
Opened 23 years ago
Closed 22 years ago
Deleting certs from ActivCard leaves key material on the token.
Categories
(NSS :: Libraries, defect, P2)
Tracking
(Not tracked)
RESOLVED
FIXED
3.4
People
(Reporter: ssaux, Assigned: wtc)
References
Details
Attachments
(1 file)
Use the browser to delete dual key certs from an ActivCard token. Close the browser. Open the card using the ActivCard utility. The utility shows that there are still keys on the card. If you delete certs using the utility everyting goes away. Note that it doesn't matter whether the certs were generated on the card or imported from a p12 file.
Reporter | ||
Updated•23 years ago
|
Priority: -- → P2
Target Milestone: --- → 2.2
Comment 2•23 years ago
|
||
WFM with an iButton. Deleting a 1K dual cert from AOL deletes the cert, and it does not display in the Admin Utility.
Reporter | ||
Comment 3•23 years ago
|
||
copy activCard contact.
PSM calls C_DestroyObject for the certificate and the public key, but does not calls C_DestroyObject for the private key, thus the private key is not destroyed.
Comment 5•23 years ago
|
||
Question: Stephan, do you have copies of those certs in your NSS database? NSS does not destroy the key if it still finds certificates associated with that key. This can happen one of two ways: 1) the card still reports the existance of a cert with the same CKA_ID, or 2) we find a cert with the same subject in the database. I believe the latter is a bug in NSS, which I'll supply a patch for. I want to make sure the former is not happening as well. bob
Comment 6•23 years ago
|
||
This code is used for 2 things: extracting a public key from a private key, and deciding if we are going to delete the private key from a token. The former 1) is only used by out utilities 2) has fallbacks if the cert is not found and 3) is depending on code that was likely to find the wrong cert anyway (the code deleted in the patch). For the former we want to succede only if we don't find any certs in the token we are searching.
Assignee | ||
Comment 7•23 years ago
|
||
Comment on attachment 71977 [details] [diff] [review] Don't lookup the certs elsewhere if we can't find them on the token This patch is fine. It may be a good idea to call PORT_SetError(SSL_ERROR_NO_CERTIFICATE); before returning NULL, but I am not sure if that's the right error code.
Reporter | ||
Updated•22 years ago
|
Comment 8•22 years ago
|
||
So Bob has a patch and Wan-Teh likes the patch. Will you check it in? The patch is completely within NSS, so it looks like a NSS bug. Reassining to NSS.
Assignee: ssaux → wtc
Component: Client Library → Libraries
Product: PSM → NSS
QA Contact: junruh → bishakhabanerjee
Target Milestone: 2.2 → ---
Version: 2.1 → unspecified
Comment 9•22 years ago
|
||
This patch has been in NSS since Feb 2002. As such is has already been moved into NSS 3.5 long ago. I think the bug was left open waiting for a tag move.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 10•22 years ago
|
||
Bob is right. This bug is fixed in rev. 1.64 of mozilla/security/nss/lib/pk11wrap/pk11cert.c.
Target Milestone: --- → 3.4
Version: unspecified → 3.3.1
You need to log in
before you can comment on or make changes to this bug.
Description
•