Closed
Bug 130747
Opened 22 years ago
Closed 22 years ago
nCipher device not functioning properly with NSS 3.4
Categories
(NSS :: Libraries, defect, P1)
Tracking
(Not tracked)
RESOLVED
FIXED
3.4
People
(Reporter: julien.pierre, Assigned: rrelyea)
Attachments
(2 files, 1 obsolete file)
837 bytes, patch | bugz: review+
2.20 KB, patch | rrelyea: review+
I tested an nCipher device with NSS 3.4. Just using certutil, I can't list certs on it.

(cert)/h/strange/export/home/jpierre/60/SunOS_5.8_depend/ns/server/work/B1/SunOS5.6_DBG.OBJ/alias{104} certutil -d . -h userpin -L
Enter Password or Pin for "userpin":
(cert)/h/strange/export/home/jpierre/60/SunOS_5.8_depend/ns/server/work/B1/SunOS5.6_DBG.OBJ/alias{105}

If I revert to the NSS 3.3 version of certutil, I see the certs properly.

certutil -d . -h userpin -L
Enter Password or Pin for "userpin":
userpin:caSigningCert cert-cert cu,cu,c
userpin:ocspSigningCert cert-cert u,u,
userpin:Server-Cert cert-cert u,u,
(cert)/h/strange/export/home/jpierre/60/SunOS_5.8_depend/ns/server/work/B1/SunOS5.6_DBG.OBJ/alias{109}

Other programs are broken too, like pk12util, NES, etc. The token just doesn't function properly with NSS 3.4. This is using the current tip.
Reporter
Updated•22 years ago
Priority: -- → P1
Target Milestone: --- → 3.4
Comment 1•22 years ago
Bob, could you take a look at this bug? Thanks. We need to fix this before 3.4 RTM.
Assignee: wtc → relyea
Assignee
Comment 2•22 years ago
nCipher does not do partial template update (2.10 style), only 2.0 style. This code detects template entries that have just been skipped and tries to fill them in singly.

We also have a problem that nCipher does not have public key objects, so all the certs are read into the cache, but we don't know if they are user certs or not because they get read in at init time before we log in. Once we log in, the certs are stored in the cache as non-user certs.

Ian, do you know a quick simple fix for this? Otherwise I'll start digging on this one tomorrow.
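The fallback described in comment 2, as an added example that is not part of the bug thread and is not NSS's patch: fetch a whole attribute template in one call, detect the entries the token left untouched, and re-query those one at a time. The `attr_t` type, the `UNSET` sentinel, the mock `token_get` (a token that aborts the call at the first attribute it lacks) and the sample object are all assumptions made for illustration, not PKCS#11 or NSS definitions.

```c
#include <stddef.h>
#include <string.h>

/* Stand-ins for PKCS#11 types; names are hypothetical, not from NSS. */
#define UNSET ((size_t)-1)            /* sentinel: entry not filled by token */
typedef struct { unsigned long type; const char *val; size_t len; } attr_t;

/* Constructed object on a mock token: it has attributes 1 and 3, not 2. */
static const attr_t obj[] = { {1, "cert", 4}, {3, "label", 5} };

/* Mock old-style token: aborts the whole call at the first attribute it
 * lacks, leaving that entry and every later one untouched. */
static int token_get(attr_t *t, size_t n) {
    for (size_t i = 0; i < n; i++) {
        const attr_t *hit = NULL;
        for (size_t j = 0; j < sizeof obj / sizeof obj[0]; j++)
            if (obj[j].type == t[i].type) hit = &obj[j];
        if (!hit) return -1;
        t[i].val = hit->val;
        t[i].len = hit->len;
    }
    return 0;
}

/* Batch fetch, then retry singly every entry the token skipped.
 * Returns the number of entries that ended up filled. */
static size_t fetch_attrs(attr_t *t, size_t n) {
    size_t filled = 0;
    for (size_t i = 0; i < n; i++) { t[i].val = NULL; t[i].len = UNSET; }
    (void)token_get(t, n);              /* may fail part-way through */
    for (size_t i = 0; i < n; i++) {
        if (t[i].len == UNSET && token_get(&t[i], 1) != 0) {
            t[i].val = NULL;            /* attribute really is absent */
            t[i].len = UNSET;
        }
        if (t[i].len != UNSET) filled++;
    }
    return filled;
}

int main(void) {
    attr_t t[] = { {1, NULL, 0}, {2, NULL, 0}, {3, NULL, 0} };
    return fetch_attrs(t, 3) == 2 ? 0 : 1;
}
```

Without the per-entry retry, attribute 3 would be reported as missing even though the token holds it, because the batch call stopped at attribute 2.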
Comment 3•22 years ago
The only way I can think of fixing that is to reset all the cert->trust values for cached token certs when the token is logged in. I'll look into that.
Comment 4•22 years ago
Bob, can you try this patch?
Reporter
Comment 5•22 years ago
I did a new NSS build with both Bob's and Ian's patches. I couldn't list the certs, though. certutil dumped core.

(cert)/u/jpierre/nss/34/mozilla/dist/SunOS5.8_DBG.OBJ/bin{79} certutil -d . -L -h userpin
Enter Password or Pin for "userpin":
Bus error (core dumped)
(cert)/u/jpierre/nss/34/mozilla/dist/SunOS5.8_DBG.OBJ/bin{80} dbx certutil core
Reading certutil
core file header read successfully
Reading ld.so.1
Reading libplc4.so
Reading libplds4.so
Reading libnspr4.so
Reading libthread.so.1
Reading libnsl.so.1
Reading libsocket.so.1
Reading librt.so.1
Reading libdl.so.1
Reading libc.so.1
Reading libpthread.so.1
Reading libmp.so.2
Reading libaio.so.1
Reading libc_psr.so.1
Reading libfreebl_hybrid_3.so
Reading libcknfast.so
Reading libgen.so.1
detected a multithreaded program
t@1 (l@1) terminated by signal BUS (invalid address alignment)
Current function is stan_GetCERTCertificate
  920   cc = (CERTCertificate *)dc->data;
(dbx) where
current thread: t@1
=>[1] stan_GetCERTCertificate(c = 0x2a84f8, forceUpdate = 0), line 920 in "pki3hack.c"
  [2] nssToken_UpdateTrustForCerts(token = 0x29fb70), line 298 in "pki3hack.c"
  [3] PK11_DoPassword(slot = 0x2a4238, loadCerts = 1, wincx = 0xffbef9f4), line 1152 in "pk11slot.c"
  [4] PK11_Authenticate(slot = 0x2a4238, loadCerts = 1, wincx = 0xffbef9f4), line 837 in "pk11slot.c"
  [5] listCerts(handle = 0x29f7c8, name = (nil), slot = 0x2a4238, raw = 0, ascii = 0, outfile = 0x270218, pwarg = 0xffbef9f4), line 646 in "certutil.c"
  [6] ListCerts(handle = 0x29f7c8, name = (nil), slot = 0x2a4238, raw = 0, ascii = 0, outfile = 0x270218, pwdata = 0xffbef9f4), line 703 in "certutil.c"
  [7] main(argc = 6, argv = 0xffbefaac), line 2680 in "certutil.c"
(dbx) p cc
cc = 0x161388
(dbx)
Comment 6•22 years ago
The crash was caused by attachment 74262, this fixes that patch.
Attachment #74262 - Attachment is obsolete: true
Assignee
Comment 7•22 years ago
Building patched version now. I do have some questions:
1) Does STAN_GetCERTCertificate() increment the reference?
2) Is the trust allocated out of the arena (if not, are we leaking the trust when we set it to NULL)?

bob
Assignee
Comment 8•22 years ago
Comment on attachment 74325
the last patch had a bug

Assuming the semantics I described in comment 7 (trust allocated out of the arena, STAN_GetCERTCertificate and stan_GetCERTCertificate don't return references), the patch looks good, and more importantly, works.
Attachment #74325 - Flags: review+
Comment 9•22 years ago
Both of those assumptions are correct. STAN_GetCERTCertificate is essentially a "cast" from NSSCertificate to CERTCertificate. It does not increment the ref count. And the cert's trust is allocated from the cert's arena.
Comment 10•22 years ago
Comment on attachment 74251
Handle old tokens which do not fill in partial templates.

Perhaps in the future we could separate this out based on the PKCS#11 version the module supports? It would be easier to keep track of where we support various versions that way. For now, this looks good.
Attachment #74251 - Flags: review+
Assignee
Comment 11•22 years ago
I think you can check in your patch. If you review mine we can close this bug out.

bob
Comment 12•22 years ago
My patch is checked in.
Comment 13•22 years ago
Bob checked in his patch too. Marked the bug fixed.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED