Closed Bug 138626 Opened 22 years ago Closed 22 years ago

Deleted certs delivered by PK11_ListCerts

Categories

(NSS :: Libraries, defect)

Product:
NSS
Component:
Libraries
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: KaiE, Assigned: bugz)

References

Details

(Whiteboard: [adt2 RTM])

Attachments

(1 file)

remove deleted certs from cache
680 bytes, patch
Details | Diff | Splinter Review 
Delete a user cert using PK11_DeleteTokenCertAndKey.
Use PK11_ListCerts(PK11CertListUser) to obtain a list of all user certs.
Actual behaviour: The result list contains the deleted cert.
Blocks: 129067
adding adt and nsbeta1 so that it makes it into rtm.
Keywords: nsbeta1+
Whiteboard: [adt2]
I've seen this behavior, and it is always for the same reason -- the cert has
been leaked.  PSM has code that delays the actual deletion of the cert until the
last reference goes away.  Additionally, if there are references to the cert, it
will show up in NSS's cache.

What you should look at is the refCount of the cert, and try to find the leak.

Actually, I just looked at the nsNSSCertificate destructor.  It does not call
CERT_DestroyCertificate after calling PK11_DeleteTokenCertAndKey when
mPermDelete is true.
So there is 2 issues here:
1) the cert is leaked.
2) delete should remove the cert from the cache, even if it is leaked.

bob
Is this fixed - Bug 129067 has been fixed and verified.
> Is this fixed - Bug 129067 has been fixed and verified.

Charles, no. This is a tracking bug for the NSS component.

Bug 129067 uses a workaround for this bug, but this bug has not yet been fixed.

Assigned the bug to Bob.
Assignee: wtc → relyea
patch checked in
Thanks for the patch.
I was curious to see whether this patch alone is sufficient to fix bug 129067,
but it is not. But I believe you expected that, because you believe we have
leaks in PSM.

Ian, how can I look at the refCount of a CERT_Certificate from the code? My
impression is that the direct refcount member is not the real refcount.

Assigned the bug to Ian.
Assignee: relyea → ian.mcgreer
Ah, blimey.  I forgot PK11_DeleteTokenCertAndKey is a different code path than
SEC_DeletePermCertificate (sigh).

You can find the actual refCount in cert->nssCertificate->object.refCount.
I must correct myself.  PK11_DeleteTokenCertAndKey *does* call
SEC_DeletePermCertificate, so my patch should get the cert out of the cache.
Changed the QA contact to Bishakha.
QA Contact: sonja.mirtitsch → bishakhabanerjee
I'm marking this fixed, because Wan-Teh today landed this patch together with
other changes on the NSS_CLIENT_TAG.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Set target milestone to NSS 3.5.
Target Milestone: --- → 3.5
Does this need to be checked into the 1.0 branch? If yes, please nominate for
checkin with adt1.0.1 and Mozilla1.0.1 keywords.
Whiteboard: [adt2] → [adt2 RTM]
Yes, this needs to be checked into the 1.0 branch.

Added the adt1.0.1 and mozilla1.0.1 keywords.
Keywords: adt1.0.1, mozilla1.0.1
Blocks: 145836
Keywords: adt1.0.1, mozilla1.0.1fixed1.0.1
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: