1927096 - nss-3.106 fails tests (pk12util: PKCS12 decode not verified: SEC_ERROR_BAD_PASSWORD: The security password entered is incorrect.)

Status: RESOLVED FIXED

(NSS :: Test, defect, P5)

Description

[Joonas Niilola]

Attachment: nss-3.106:20241025-063247.log.xz

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0

Steps to reproduce:

Run tests with NSS_CYCLES="standard" on nss-3.106.

Actual results:

3 tests fail,

pk12util: PKCS12 decode not verified: SEC_ERROR_BAD_PASSWORD: The security password entered is incorrect.
pk12util: PKCS12 decode not verified: SEC_ERROR_BAD_PASSWORD: The security password entered is incorrect.
tools.sh: #720: Fail to list private key with bad iterator  - FAILED
/var/tmp/portage/dev-libs/nss-3.106/work/nss-3.106/nss-abi_x86_64.amd64/dist/Linux6.6_x86_64_x86_64-pc-linux-gnu-gcc_glibc_PTH_64_OPT.OBJ/bin/pk12util -l /var/tmp/portage/dev-libs/nss-3.106/work/nss-3.106/nss-abi_x86_64.amd64/tests_results/security/localhost.1/tools/data/pbmac1-invalid-bad-salt.p12 -d ../tools/copydir -k ../tests.pw -W '1234'
pk12util: PKCS12 decode not verified: SEC_ERROR_BAD_PASSWORD: The security password entered is incorrect.
pk12util: PKCS12 decode not verified: SEC_ERROR_BAD_PASSWORD: The security password entered is incorrect.
Fail to list private key with bad salt val=17
tools.sh: #721: Fail to import private key with bad salt  - FAILED
/var/tmp/portage/dev-libs/nss-3.106/work/nss-3.106/nss-abi_x86_64.amd64/dist/Linux6.6_x86_64_x86_64-pc-linux-gnu-gcc_glibc_PTH_64_OPT.OBJ/bin/pk12util -l /var/tmp/portage/dev-libs/nss-3.106/work/nss-3.106/nss-abi_x86_64.amd64/tests_results/security/localhost.1/tools/data/pbmac1-invalid-no-length.p12 -d ../tools/copydir -k ../tests.pw -W '1234'
pk12util: PKCS12 decode not verified: SEC_ERROR_BAD_PASSWORD: The security password entered is incorrect.
pk12util: PKCS12 decode not verified: SEC_ERROR_BAD_PASSWORD: The security password entered is incorrect.
Fail to import private key with no length val=17
tools.sh: #722: Fail to import private key with no length  - FAILED
tools.sh: Create objsign cert -------------------------------
signtool -G "objectsigner" -d ../tools/signdir -p "nss"

...
...
...

Tests summary:
--------------
Passed:             6694
Failed:             3
Failed with core:   0
ASan failures:      0 
Unknown status:     12
TinderboxPrint:Unknown: 12

Full build log attached as compressed file.

Expected results:

Tests should pass. nss-3.105 still passes all tests with NSS_CYCLES="standard".

Comment 1

[Anna Weine]

Attachment: WIP: Bug 1927096 - pk12utils: change the behaviour of the decoder unicode

Comment 2

[John Schanck [:jschanck]]

Looks like after Bug 1826035 we return SEC_ERROR_BAD_PASSWORD instead of SEC_ERROR_INVALID_ARGS. The test should probably just be updated with the new expected value. I'm not sure why this didn't show up in nss-try runs.

joachim, can you take a look?

Comment 3

[Airat Makhmutov]

The same tests fail for me.

Comment 4

[joachim]

I did run the tests like this DOMSUF=local NSS_CYCLES=standard ./tests/all.sh and I did not observe that failure. However, I do compile NSS in FIPS mode so perhaps that makes a difference. I will try to compile/run a normal build.

Comment 5

[joachim]

After bisecting, I think the regression is caused by the following commit: https://hg.mozilla.org/projects/nss/rev/26d04d787d02e68c7f0752c16a113b7157ac9e3e. This seems more likely than the change in the KBKDF algorithms.

Comment 6

[John Schanck [:jschanck]]

Looks like you're right. Sorry about that!

Comment 7

[John Schanck [:jschanck]]

Attachment: Bug 1927096 - update expected error code in pk12util pbmac1 tests. r=rrelyea

Comment 8

[Joonas Niilola]

Can confirm this patch makes the tests pass with standard cycle again here. Thanks!

Comment 9

[Airat Makhmutov]

I confirm that the fix is working.

Comment 10

[John Schanck [:jschanck]]

https://hg.mozilla.org/projects/nss/rev/74feb03fe4f9efc0d5e5018b9a34376fc1261404