Closed Bug 130747 Opened 22 years ago Closed 22 years ago

nCipher device not functioning properly with NSS 3.4

Categories

(NSS :: Libraries, defect, P1)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: julien.pierre, Assigned: rrelyea)

Attachments

(2 files, 1 obsolete file)

I tested an nCipher device with NSS 3.4. Just using certutil, I can't list
certs on it.

(cert)/h/strange/export/home/jpierre/60/SunOS_5.8_depend/ns/server/work/B1/SunOS5.6_DBG.OBJ/alias{104}
certutil -d . -h userpin -L
Enter Password or Pin for "userpin":
(cert)/h/strange/export/home/jpierre/60/SunOS_5.8_depend/ns/server/work/B1/SunOS5.6_DBG.OBJ/alias{105}


If I revert to the NSS 3.3 version of certutil, I see the certs properly.

certutil -d . -h userpin -L
Enter Password or Pin for "userpin":
userpin:caSigningCert cert-cert                              cu,cu,c
userpin:ocspSigningCert cert-cert                            u,u, 
userpin:Server-Cert cert-cert                                u,u, 
(cert)/h/strange/export/home/jpierre/60/SunOS_5.8_depend/ns/server/work/B1/SunOS5.6_DBG.OBJ/alias{109}


Other programs are broken too, like pk12util, NES, etc. The token just doesn't
function properly with NSS 3.4. This is using the current tip.
Priority: -- → P1
Target Milestone: --- → 3.4
Bob, could you take a look at this bug?  Thanks.
We need to fix this before 3.4 RTM.
Assignee: wtc → relyea
nCipher does not do partial template update (2.10 style), only 2.0 style. This
code detects template entries that have just been skipped and tries to fill
them in singly.

We also have a problem that nCipher does not have public key objects, so all
the certs are read into the cache, but we don't know if they are user certs or
not because they get read in at init time before we log in. Once we log in, the
certs are stored in the cache as non-user certs.

Ian, do you know a quick simple fix for this? Otherwise I'll start digging on
this one tomorrow.
The only way I can think of fixing that is to reset all the cert->trust values
for cached token certs when the token is logged in.  I'll look into that.
Bob, can you try this patch?
I did a new NSS build with both Bob's and Ian's patches.
I couldn't list the certs, though. certutil dumped core.

(cert)/u/jpierre/nss/34/mozilla/dist/SunOS5.8_DBG.OBJ/bin{79} certutil -d . -L -h userpin
Enter Password or Pin for "userpin":
Bus error (core dumped)
(cert)/u/jpierre/nss/34/mozilla/dist/SunOS5.8_DBG.OBJ/bin{80} dbx certutil core
Reading certutil
core file header read successfully
Reading ld.so.1
Reading libplc4.so
Reading libplds4.so
Reading libnspr4.so
Reading libthread.so.1
Reading libnsl.so.1
Reading libsocket.so.1
Reading librt.so.1
Reading libdl.so.1
Reading libc.so.1
Reading libpthread.so.1
Reading libmp.so.2
Reading libaio.so.1
Reading libc_psr.so.1
Reading libfreebl_hybrid_3.so
Reading libcknfast.so
Reading libgen.so.1
detected a multithreaded program
t@1 (l@1) terminated by signal BUS (invalid address alignment)
Current function is stan_GetCERTCertificate
  920       cc = (CERTCertificate *)dc->data;
(dbx) where
current thread: t@1
=>[1] stan_GetCERTCertificate(c = 0x2a84f8, forceUpdate = 0), line 920 in "pki3hack.c"
  [2] nssToken_UpdateTrustForCerts(token = 0x29fb70), line 298 in "pki3hack.c"
  [3] PK11_DoPassword(slot = 0x2a4238, loadCerts = 1, wincx = 0xffbef9f4), line 1152 in "pk11slot.c"
  [4] PK11_Authenticate(slot = 0x2a4238, loadCerts = 1, wincx = 0xffbef9f4), line 837 in "pk11slot.c"
  [5] listCerts(handle = 0x29f7c8, name = (nil), slot = 0x2a4238, raw = 0, ascii = 0, outfile = 0x270218, pwarg = 0xffbef9f4), line 646 in "certutil.c"
  [6] ListCerts(handle = 0x29f7c8, name = (nil), slot = 0x2a4238, raw = 0, ascii = 0, outfile = 0x270218, pwdata = 0xffbef9f4), line 703 in "certutil.c"
  [7] main(argc = 6, argv = 0xffbefaac), line 2680 in "certutil.c"
(dbx) p cc
cc = 0x161388
(dbx) 
The crash was caused by attachment 74262; this fixes that patch.
Attachment #74262 - Attachment is obsolete: true
Building patched version now.

I do have some questions:
1) does STAN_GetCERTCertificate() increment the reference?
2) is the trust allocated out of the arena (if not, are we leaking the trust when we
set it to NULL)?

bob
Comment on attachment 74325
the last patch had a bug

Assuming the semantics I described in comment 7 (trust allocated out of the
arena, STAN_GetCERTCertificate and stan_GetCERTCertificate don't return
references), the patch looks good, and more importantly, works.
Attachment #74325 - Flags: review+
Both of those assumptions are correct.  STAN_GetCERTCertificate is essentially a
"cast" from NSSCertificate to CERTCertificate.  It does not increment the ref
count.  And the cert's trust is allocated from the cert's arena.
Comment on attachment 74251
Handle old tokens which do not fill in partial templates.

Perhaps in the future we could separate this out based on the PKCS#11 version
the module supports?  It would be easier to keep track of where we support
various versions that way.  For now, this looks good.
Attachment #74251 - Flags: review+
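
The fallback discussed for attachment 74251 (detect template entries that a 2.0-style token skipped, then fetch them singly), as an added example that is not part of this bug thread or the NSS patch. The types, the two mock tokens and the `LEN_UNTOUCHED` sentinel are simplified assumptions standing in for `CK_ATTRIBUTE` and `C_GetAttributeValue`.

```c
#include <stddef.h>
#include <stdio.h>
/* Simplified stand-ins for CK_ULONG / CK_ATTRIBUTE (assumption: not pkcs11.h). */
typedef unsigned long ck_ulong;
typedef struct { ck_ulong type; void *value; ck_ulong len; } attr_t;
typedef ck_ulong (*get_fn)(attr_t *tmpl, ck_ulong n);
#define RV_OK           0x00UL
#define RV_TYPE_INVALID 0x12UL          /* value of CKR_ATTRIBUTE_TYPE_INVALID */
#define LEN_UNAVAILABLE ((ck_ulong)-1)  /* per-entry marker a 2.10 token writes */
#define LEN_UNTOUCHED   ((ck_ulong)-2)  /* sentinel chosen for this example */
static int calls;                       /* round trips made to the mock token */

/* Constructed object: the mock tokens know types 0x03 (CKA_LABEL) and 0x102 (CKA_ID). */
static int lookup(ck_ulong type, ck_ulong *len) {
    if (type == 0x03)  { *len = 11; return 1; }
    if (type == 0x102) { *len = 20; return 1; }
    return 0;
}
/* Mock 2.10-style token: marks the bad entry with -1 and keeps going. */
static ck_ulong token_v210(attr_t *t, ck_ulong n) {
    ck_ulong i, rv = RV_OK;
    for (calls++, i = 0; i < n; i++)
        if (!lookup(t[i].type, &t[i].len)) { t[i].len = LEN_UNAVAILABLE; rv = RV_TYPE_INVALID; }
    return rv;
}
/* Mock 2.0-style token: fails at the first bad entry, later entries untouched. */
static ck_ulong token_v20(attr_t *t, ck_ulong n) {
    ck_ulong i;
    for (calls++, i = 0; i < n; i++)
        if (!lookup(t[i].type, &t[i].len)) return RV_TYPE_INVALID;
    return RV_OK;
}
/* Length query: entries the batch call skipped are re-queried one at a time. */
static ck_ulong get_lengths_compat(get_fn get, attr_t *t, ck_ulong n) {
    ck_ulong i, ok = 0;
    for (i = 0; i < n; i++) { t[i].value = NULL; t[i].len = LEN_UNTOUCHED; }
    if (get(t, n) != RV_OK)
        for (i = 0; i < n; i++)
            if (t[i].len == LEN_UNTOUCHED && get(&t[i], 1) != RV_OK) t[i].len = LEN_UNAVAILABLE;
    for (i = 0; i < n; i++) ok += (t[i].len != LEN_UNAVAILABLE);
    return ok;  /* number of entries with a usable length */
}
int main(void) {
    attr_t t[3] = { {0x03, NULL, 0}, {0x11, NULL, 0}, {0x102, NULL, 0} };
    ck_ulong old_style = get_lengths_compat(token_v20, t, 3);
    ck_ulong new_style = get_lengths_compat(token_v210, t, 3);
    printf("2.0: %lu resolved, 2.10: %lu resolved, %d calls\n", old_style, new_style, calls);
    return 0;
}
```

The cost of the fallback is extra round trips to the token: one per skipped entry, on top of the failed batch call.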
I think you can check in your patch. If you review mine we can close this bug out.

bob
My patch is checked in.
Bob checked in his patch too.  Marked the bug fixed.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Blocks: 131513