Closed Bug 122100 Opened 23 years ago Closed 20 years ago

certutil (Object) Certificate Extension Not Found

Categories

(NSS :: Tools, defect, P3)

3.3.1
x86
Windows 2000
defect

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: murphye, Assigned: nelson)

Details

I am simply trying to make an Object CA Certificate. This is urgent, because I am going to be using this object certificate stuff in the new O'Reilly Mozilla Applications book. I am no NSS expert, so maybe I am doing something wrong here. However, Nelson Bolyard said this:

"Any time you call a public NSS function and get back the error that reads Certificate Extension Not Found, please file a bug about it. That error code is intended to be an internal error, used internally by NSS. It is inappropriate for NSS to return that error to an external caller of a function that finds certificates. When you see that error, it essentially means that there is an error path in NSS that is failing to set the error code, allowing the previously set internal error to be returned to the user."

Here is what I did:

C:\nss\bin>certutil -S -s "CN=mozdev.org" -n "mozdev.org" -t ",,C" -x -d . -1 -2 -5

A random seed must be generated that will be used in the creation of your key. One of the easiest ways to create a random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!

Continue typing until the progress meter is full:

|************************************************************|

Finished. Press enter to continue:

Enter Password or Pin for "NSS Certificate DB":
Generating key. This may take a few moments...

0 - Digital Signature
1 - Non-repudiation
2 - Key encipherment
3 - Data encipherment
4 - Key agreement
5 - Cert signning key
6 - CRL signning key
Other to finish
5
0 - Digital Signature
1 - Non-repudiation
2 - Key encipherment
3 - Data encipherment
4 - Key agreement
5 - Cert signning key
6 - CRL signning key
Other to finish
9
Is this a critical extension [y/n]? n
Is this a CA certificate [y/n]? y
Enter the path length constraint, enter to skip [<0 for unlimited path]:
Is this a critical extension [y/n]? n
0 - SSL Client
1 - SSL Server
2 - S/MIME
3 - Object Signing
4 - Reserved for futuer use
5 - SSL CA
6 - S/MIME CA
7 - Object Signing CA
Other to finish
7
0 - SSL Client
1 - SSL Server
2 - S/MIME
3 - Object Signing
4 - Reserved for futuer use
5 - SSL CA
6 - S/MIME CA
7 - Object Signing CA
Other to finish
9
Is this a critical extension [y/n]? n

C:\nss\bin>certutil -S -n "certs.mozdev.org" -s "CN=certs.mozdev.org" -c "mozdev.org" -v 96 -t ",,C" -d . -1 -2 -5

A random seed must be generated that will be used in the creation of your key. One of the easiest ways to create a random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!

Continue typing until the progress meter is full:

|************************************************************|

Finished. Press enter to continue:

Enter Password or Pin for "NSS Certificate DB":
Generating key. This may take a few moments...

0 - Digital Signature
1 - Non-repudiation
2 - Key encipherment
3 - Data encipherment
4 - Key agreement
5 - Cert signning key
6 - CRL signning key
Other to finish
5
0 - Digital Signature
1 - Non-repudiation
2 - Key encipherment
3 - Data encipherment
4 - Key agreement
5 - Cert signning key
6 - CRL signning key
Other to finish
9
Is this a critical extension [y/n]? n
Is this a CA certificate [y/n]? y
Enter the path length constraint, enter to skip [<0 for unlimited path]:
Is this a critical extension [y/n]? n
0 - SSL Client
1 - SSL Server
2 - S/MIME
3 - Object Signing
4 - Reserved for futuer use
5 - SSL CA
6 - S/MIME CA
7 - Object Signing CA
Other to finish
7
0 - SSL Client
1 - SSL Server
2 - S/MIME
3 - Object Signing
4 - Reserved for futuer use
5 - SSL CA
6 - S/MIME CA
7 - Object Signing CA
Other to finish
9
Is this a critical extension [y/n]? n
certutil: unable to find issuer with nickname mozdev.org: Certificate extension not found.
certutil: could not obtain certificate from file: Certificate extension not found.
If you could fix this, and make a new Windows build for me real quick, I would highly appreciate it.
Eric, Thank you very much for the bug report. In the next two weeks we will be busy working on the NSS 3.4 release. During this period we will try to respond to your questions in the mozilla.crypto newsgroup. Ian wrote in the newsgroup that he followed your steps and they worked with the tip (NSS 3.4), but it did not work with NSS 3.3.
See http://bugzilla.mozilla.org/show_bug.cgi?id=123296 for the next stage of my problems. I have marked this a blocker. Setting back to Normal because I got the CVS version of NSS to work with these commands, and can do what I need to now.
Severity: blocker → normal
Changed the QA contact to Bishakha.
QA Contact: sonja.mirtitsch → bishakhabanerjee
Assigned the bug to Ian. Ian, the goal of this bug is to find out *how* certutil emitted the error message "Certificate Extension Not Found" (which could be due to a user error) and fix NSS to handle the internal error and not return the error code to an external caller of a function that finds certificates.
Assignee: wtc → ian.mcgreer
Priority: -- → P2
Target Milestone: --- → 3.6
Priority: P2 → P3
Target Milestone: 3.6 → 3.7
I am able to reproduce this bug using the tip of the NSS_3_3_BRANCH and the following sequence of commands:

mkdir CA
certutil -N -d CA
certutil -S -s "CN=mozdev.org" -n "mozdev.org" -t ",,C" -x -d CA -1 -2 -5
certutil -S -n "certs.mozdev.org" -s "CN=certs.mozdev.org" -c "mozdev.org" \
    -v 96 -t ",,C" -d CA -1 -2 -5

with the interactive inputs given in the description above. Several observations:

The first certutil -S succeeds, creating a cert with the nickname mozdev.org, as confirmed by certutil -L. But the second command fails to find that very cert. The stack trace at the time of the failure to find it is:

pk11_FindObjectsByTemplate() line 212
PK11_FindObjectsFromNickname() line 1199 + 21 bytes
PK11_FindCertFromNickname() line 1225 + 23 bytes
SignCert() line 1684 + 13 bytes
CreateCert() line 2019 + 29 bytes
main() line 2667 + 106 bytes

pk11_FindObjectsByTemplate gets back zero objects that match the template. The CRVs that come back from the token are all CR_OK, no error, just an empty result. pk11_FindObjectsByTemplate detects this, and returns NULL, but doesn't set an error code. PK11_FindObjectsFromNickname sets the returned count to zero, but doesn't set an error code. PK11_FindCertFromNickname() detects that the returned object handle is CK_INVALID_KEY, and returns NULL, but doesn't set any error code. So, when the code returns to SignCert, the error code has not been set, and so the printed error code is good ol' "Extension Not Found". Sigh.

Now, there are two issues here:
1. Why doesn't this code find the cert that has just been created and that certutil -L lists? and
2. Which one(s) of the PK11 functions listed above should set an error code, and what error code should they set?

Bob, any opinion? I am also going to see if this is reproducible with NSS on the trunk.
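As an added illustration of the failure mode traced in the comment above (this is not code from NSS or from any participant in the bug): a lookup whose empty-result path returns NULL without recording an error, so the caller reports whatever code an earlier internal step left behind, placed beside a version that sets a specific not-found code on every observable failure path. The error slot, the error values, the toy certificate store and all function names here are constructed for the example and only stand in for NSS's PORT_SetError/PORT_GetError and the PK11 find functions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a thread-local error slot. Values are made up. */
enum {
    ERR_NONE = 0,
    ERR_EXTENSION_NOT_FOUND = 1001, /* internal-only code left by earlier work */
    ERR_NOT_FOUND = 1002            /* what a "no such cert" path should report */
};

static int g_last_error = ERR_NONE;

static void set_error(int code) { g_last_error = code; }
int get_error(void) { return g_last_error; }

/* Toy certificate store: nicknames constructed inline. */
static const char *const store[] = { "alpha", "beta" };
#define STORE_LEN (sizeof store / sizeof store[0])

/* Low-level search. As with pk11_FindObjectsByTemplate in the report, an
 * empty result is not an error at this layer, so nothing is recorded. */
static const char *find_objects_by_template(const char *nick) {
    for (size_t i = 0; i < STORE_LEN; i++)
        if (strcmp(store[i], nick) == 0)
            return store[i];
    return NULL;
}

/* BUGGY: NULL is propagated without setting an error code, so the caller
 * reads whatever code was set last, here a stale internal one. */
const char *find_cert_stale(const char *nick) {
    return find_objects_by_template(nick);
}

/* FIXED: every failure a caller can observe sets a specific code. */
const char *find_cert_fixed(const char *nick) {
    const char *c = find_objects_by_template(nick);
    if (c == NULL)
        set_error(ERR_NOT_FOUND);
    return c;
}

/* Simulates earlier internal work that legitimately failed and recorded an
 * internal-only code, which the report says is what later leaks out. */
void simulate_prior_internal_error(void) {
    set_error(ERR_EXTENSION_NOT_FOUND);
}

int main(void) {
    simulate_prior_internal_error();
    if (find_cert_stale("gamma") == NULL)
        printf("stale lookup: error %d (leaked internal code)\n", get_error());

    simulate_prior_internal_error();
    if (find_cert_fixed("gamma") == NULL)
        printf("fixed lookup: error %d (not found)\n", get_error());
    return 0;
}
```

The point the example makes for a reviewer is that the error code a caller sees is only as trustworthy as the last function on the path that set it: any path returning a failure sentinel must set the code itself rather than rely on a lower layer having done so.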
Taking bug. I tested with NSS 3.6+ (current trunk) and found that
1. The commands succeed.
2. The path is quite different, not using the PK11 functions named above, and
3. The new functions set the error NSS_ERROR_NOT_FOUND if no objects are returned.

The new stack trace at the point where the token's FindObjects method is called is:

find_objects() line 423
find_objects_by_template() line 536 + 29 bytes
nssToken_FindCertificatesByNickname() line 735 + 29 bytes
PK11_FindCertFromNickname() line 1312 + 25 bytes
SignCert() line 1625 + 13 bytes
CreateCert() line 1963 + 29 bytes
main() line 2636 + 106 bytes

find_objects sets the error code when no objects are found. So, I conclude that
a) if the PK11_ functions named in comment 6 above are no longer used, then this bug is resolved fixed.
b) if any of those functions is still used, it probably should be changed to set error code NSS_ERROR_NOT_FOUND.

Bob, Ian, do you know if any of those PK11 funcs named above are still used?
Assignee: ian.mcgreer → nelsonb
The error message printed for NSS_ERROR_NOT_FOUND is "security library error: bad database". Maybe it's time to fix that. Also, after returning that error, certutil crashes in CERT_DeleteCertificate, trying to create a stan cert for the incomplete CERTCertificate that it failed to create. There's another bug filed about that already.
Wait. NSS_ERROR_NOT_FOUND is a new NSS error, and isn't being passed to PORT_SetError. The error code that certutil displays when the cert is not found is SEC_ERROR_BAD_DATABASE. Unfortunately, that may be the closest thing NSS 3.x has to a "Cert not found" error. :(
Moved to target milestone 3.8 because the original NSS 3.7 release has been renamed 3.8.
Target Milestone: 3.7 → 3.8
Remove target milestone of 3.8, since these bugs didn't get into that release.
Target Milestone: 3.8 → ---
Julien, Ian, what should we do with this bug? This bug was reported against NSS 3.3.1. It may still be a bug on the 3.3 branch, but it was apparently fixed in NSS 3.4 and has not been reproducible on the trunk since then. Do you want to take this bug and test it for your NSS 3.3 branch? Or should we mark it fixed, or worksforme? Or?
Glen, Are any of our customers complaining about this issue on 3.3 ?
We've been unable to reproduce this since 3.4 so it must have been accidentally fixed :) in 3.4
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → WORKSFORME