Closed Bug 136253 Opened 23 years ago Closed 23 years ago

Rainbow accelerator certificates are not visible

Categories

(NSS :: Libraries, defect, P1)

Sun
Solaris
defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: rcrit, Assigned: rrelyea)

Details

Attachments

(1 file)

Regression from NSS 3.3.1.

Using a Rainbow accelerator, installed certificates are not visible.

The module was added with:

modutil -add "ISG 2.0 Cryptoki Interface" -nocertdb -libfile
/usr/lib/libcryptoki22.so -dbdir . -mechanisms "RSA:DSA:DH"

A certificate was requested and installed using the NES 6.0 admin UI. In NES 6.0
the certificate is visible under Manage Certificates and using certutil.

The certificate is not visible to the NES 6.1 admin UI nor NSS 3.4 certutil.
Priority: -- → P1
Rob, can you tell me which machine I can go to with the rainbow card installed?

thanks,

bob
Status: UNCONFIRMED → NEW
Ever confirmed: true
OK, like nCipher, Rainbow is completely chocking on any attribute request that
has an unknown attribute.

Unlike nCipher, Rainbow is half implementing the spec. It's setting the length
field to -1 in this case: only it's setting it for *all* the attributes, not
just the one it doesn't like.

The resulting patch fixed the problem. It has an undesirable side effect of
causing multiple fetches of unknown attributes from perfectly compliant tokens,
however. This side effect should be functionally inocuous.

bob
Tip builds for testing are available at
/h/jordan/space2/nsstip/mozilla/dist/SunOS5.x_DBG.OBJ
where x is either 6 or 8 (both have the fix in them).

nss3.4 branch builds are
/h/jordan/sapce2/nsstip/mozills/dist/AIX4.3_DBG.OBJ

Comment on attachment 78369 [details] [diff] [review]
Handle yet another non-complient PKCS #11 token semantic

"Each standards-compliant token is compliant in the same way, each
non-compliant token is not compliant in its own way."

This looks like a low-risk solution.  Looks good to me.
Attachment #78369 - Flags: review+
Rainbow is looking at this problem in their driver. From my reading we have
simply relaxed the rules regarding the length check? So if they fix in their
driver the NSS patch won't have a negative impact, right?
Rob asked:
> So if they fix in their driver the NSS patch won't have a
> negative impact, right?

That's right.

This fix has been checked into the tip and the NSS_3_4_BRANCH
and will be in NSS 3.4.1.  Marked the bug fixed.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.4.1
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: