Bug 130747: nCipher device not functioning properly with NSS 3.4
Status: RESOLVED FIXED (3.4)
Opened 24 years ago, closed 24 years ago
Categories: NSS :: Libraries, defect, P1
Tracking: Not tracked
People: Reporter: julien.pierre, Assigned: rrelyea
Attachments (2 files, 1 obsolete file):
- 837 bytes, patch (bugz: review+)
- 2.20 KB, patch (rrelyea: review+)

I tested an nCipher device with NSS 3.4. Just using certutil, I can't list
certs on it.
(cert)/h/strange/export/home/jpierre/60/SunOS_5.8_depend/ns/server/work/B1/SunOS5.6_DBG.OBJ/alias{104} certutil -d . -h userpin -L
Enter Password or Pin for "userpin":
(cert)/h/strange/export/home/jpierre/60/SunOS_5.8_depend/ns/server/work/B1/SunOS5.6_DBG.OBJ/alias{105}
If I revert to the NSS 3.3 version of certutil, I see the certs properly.
certutil -d . -h userpin -L
Enter Password or Pin for "userpin":
userpin:caSigningCert cert-cert cu,cu,c
userpin:ocspSigningCert cert-cert u,u,
userpin:Server-Cert cert-cert u,u,
(cert)/h/strange/export/home/jpierre/60/SunOS_5.8_depend/ns/server/work/B1/SunOS5.6_DBG.OBJ/alias{109}
Other programs are broken too, like pk12util, NES, etc. The token just doesn't
function properly with NSS 3.4. This is using the current tip.
Updated • 24 years ago (Reporter)
Priority: -- → P1
Target Milestone: --- → 3.4
Comment 1 • 24 years ago
Bob, could you take a look at this bug? Thanks.
We need to fix this before 3.4 RTM.
Assignee: wtc → relyea
Comment 2 • 24 years ago (Assignee)
nCipher does not do partial template update (2.10 style), only 2.0 style. This
code detects template entries that have just been skipped and tries to fill
them in singly.
We also have a problem that nCipher does not have public key objects, so all
the certs are read into the cache, but we don't know if they are user certs or
not because they get read in at init time before we log in. Once we log in, the
certs are stored in the cache as non-user certs.
Ian, do you know a quick simple fix for this? Otherwise I'll start digging on
this one tomorrow.
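The fallback described in comment 2, as an added illustration in C (not the attached NSS patch and not code from this bug): a batch attribute query that re-queries each untouched template entry singly when the token rejects the whole template. The pkcs11.h stand-ins, `mock_token_get_attrs`, `get_attr_lengths` and the sample lengths are constructed for the example, and the mock's all-or-nothing behaviour is an assumption about a 2.0-style token.

```c
#include <stddef.h>

/* Minimal stand-ins for pkcs11.h types and constants so this builds alone. */
typedef unsigned long CK_ULONG, CK_RV;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CKR_OK                     0x00UL
#define CKR_ATTRIBUTE_TYPE_INVALID 0x12UL
#define CKA_LABEL                  0x003UL
#define CKA_VALUE                  0x011UL
#define CKA_ID                     0x102UL
#define CK_UNAVAILABLE_INFORMATION (~0UL)

/* Constructed mock of a 2.0-style token (assumed behaviour): it knows only
 * CKA_LABEL and CKA_VALUE, and if any requested type is unknown it fails the
 * whole call and fills nothing in. Length queries only (pValue == NULL). */
static CK_RV mock_token_get_attrs(CK_ATTRIBUTE *t, CK_ULONG n) {
    CK_ULONG i;
    for (i = 0; i < n; i++)
        if (t[i].type != CKA_LABEL && t[i].type != CKA_VALUE)
            return CKR_ATTRIBUTE_TYPE_INVALID;
    for (i = 0; i < n; i++)
        t[i].ulValueLen = (t[i].type == CKA_LABEL) ? 11 : 842; /* sample sizes */
    return CKR_OK;
}

/* Batch query first; on rejection, re-query each skipped entry on its own.
 * Returns how many attributes ended up with a usable length. */
static CK_ULONG get_attr_lengths(CK_ATTRIBUTE *t, CK_ULONG n) {
    CK_ULONG i, got = 0;
    CK_RV rv;
    for (i = 0; i < n; i++) { t[i].pValue = NULL; t[i].ulValueLen = 0; }
    rv = mock_token_get_attrs(t, n);
    for (i = 0; rv == CKR_ATTRIBUTE_TYPE_INVALID && n > 1 && i < n; i++) {
        if (t[i].ulValueLen != 0 && t[i].ulValueLen != CK_UNAVAILABLE_INFORMATION)
            continue;                      /* the token already filled this one */
        t[i].ulValueLen = 0;
        if (mock_token_get_attrs(&t[i], 1) != CKR_OK)
            t[i].ulValueLen = CK_UNAVAILABLE_INFORMATION; /* truly unsupported */
    }
    for (i = 0; i < n; i++)
        if (t[i].ulValueLen != 0 && t[i].ulValueLen != CK_UNAVAILABLE_INFORMATION)
            got++;
    return got;
}

int main(void) {
    CK_ATTRIBUTE t[3] = { {CKA_LABEL, NULL, 0}, {CKA_ID, NULL, 0}, {CKA_VALUE, NULL, 0} };
    return get_attr_lengths(t, 3) == 2 ? 0 : 1;
}
```

A length of 0 doubles as the "skipped" marker here, so a legitimately empty attribute is simply queried a second time.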
Comment 3 • 24 years ago
The only way I can think of fixing that is to reset all the cert->trust values
for cached token certs when the token is logged in. I'll look into that.
Comment 4 • 24 years ago
Bob, can you try this patch?
Comment 5 • 24 years ago (Reporter)
I did a new NSS build with both Bob's and Ian's patches.
I couldn't list the certs, though. certutil dumped core.
(cert)/u/jpierre/nss/34/mozilla/dist/SunOS5.8_DBG.OBJ/bin{79} certutil -d . -L -h userpin
Enter Password or Pin for "userpin":
Bus error (core dumped)
(cert)/u/jpierre/nss/34/mozilla/dist/SunOS5.8_DBG.OBJ/bin{80} dbx certutil core
Reading certutil
core file header read successfully
Reading ld.so.1
Reading libplc4.so
Reading libplds4.so
Reading libnspr4.so
Reading libthread.so.1
Reading libnsl.so.1
Reading libsocket.so.1
Reading librt.so.1
Reading libdl.so.1
Reading libc.so.1
Reading libpthread.so.1
Reading libmp.so.2
Reading libaio.so.1
Reading libc_psr.so.1
Reading libfreebl_hybrid_3.so
Reading libcknfast.so
Reading libgen.so.1
detected a multithreaded program
t@1 (l@1) terminated by signal BUS (invalid address alignment)
Current function is stan_GetCERTCertificate
920 cc = (CERTCertificate *)dc->data;
(dbx) where
current thread: t@1
=>[1] stan_GetCERTCertificate(c = 0x2a84f8, forceUpdate = 0), line 920 in "pki3hack.c"
[2] nssToken_UpdateTrustForCerts(token = 0x29fb70), line 298 in "pki3hack.c"
[3] PK11_DoPassword(slot = 0x2a4238, loadCerts = 1, wincx = 0xffbef9f4), line 1152 in "pk11slot.c"
[4] PK11_Authenticate(slot = 0x2a4238, loadCerts = 1, wincx = 0xffbef9f4), line 837 in "pk11slot.c"
[5] listCerts(handle = 0x29f7c8, name = (nil), slot = 0x2a4238, raw = 0, ascii = 0, outfile = 0x270218, pwarg = 0xffbef9f4), line 646 in "certutil.c"
[6] ListCerts(handle = 0x29f7c8, name = (nil), slot = 0x2a4238, raw = 0, ascii = 0, outfile = 0x270218, pwdata = 0xffbef9f4), line 703 in "certutil.c"
[7] main(argc = 6, argv = 0xffbefaac), line 2680 in "certutil.c"
(dbx) p cc
cc = 0x161388
(dbx)
Comment 6 • 24 years ago
The crash was caused by attachment 74262, this fixes that patch.
Attachment #74262 - Attachment is obsolete: true
Comment 7 • 24 years ago (Assignee)
Building patched version now.
I do have some questions:
1) Does STAN_GetCERTCertificate() increment the reference?
2) Is the trust allocated out of the arena (if not, are we leaking the trust when we
set it to NULL)?
bob
Comment 8 • 24 years ago (Assignee)
Comment on attachment 74325
the last patch had a bug
Assuming the semantics I described in comment 7 (trust allocated out of the
arena, STAN_GetCERTCertificate and stan_GetCERTCertificate don't return
references), the patch looks good, and more importantly, works.
Attachment #74325 - Flags: review+
Comment 9 • 24 years ago
Both of those assumptions are correct. STAN_GetCERTCertificate is essentially a
"cast" from NSSCertificate to CERTCertificate. It does not increment the ref
count. And the cert's trust is allocated from the cert's arena.
Comment 10 • 24 years ago
Comment on attachment 74251
Handle old tokens which do not fill in partial templates.
Perhaps in the future we could separate this out based on the PKCS#11 version
the module supports? It would be easier to keep track of where we support
various versions that way. For now, this looks good.
Attachment #74251 - Flags: review+
Comment 11 • 24 years ago (Assignee)
I think you can check in your patch. If you review mine we can close this bug out.
bob
Comment 12 • 24 years ago
My patch is checked in.
Comment 13 • 24 years ago
Bob checked in his patch too. Marked the bug fixed.
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED