Closed Bug 199227 Opened 21 years ago Closed 21 years ago

PK11_ListCerts may return no certs with misbehaving hardware tokens

Categories

(NSS :: Libraries, defect)

x86
Windows 2000
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: julien.pierre, Assigned: julien.pierre)

Details

Attachments

(1 file)

Using a Schlumberger E-gate token on Windows 2000 and Muscle PKCS#11 drivers,
I'm getting a problem where as soon as my token is inserted, all certs disappear
from PSM in Mozilla. 

If I close the "Manage certs" and "preference" windows, unplug the token, then
go back to preferences/manage certs, then things start to work again.

This is a case where the driver is in an odd state and NSS doesn't handle it
correctly.
As discussed in our meeting earlier today, this is most likely a problem with
PK11_ListCerts, as none of the tabs in PSM shows any certs.
I have confirmed that PK11_ListCerts is returning an empty cert list in Mozilla
when my token is plugged in.

The first argument passed in is 0, PK11CertListUnique.
Once I unplug the token, all is fine.

I am going to dig deeper.
The problem is not fully reproducible while stepping through the debugger.
However, when I debug step-by-step or pause for breakpoints, the problem
disappears, and the built-in and softoken certs show up in PSM, even with the
hardware token inserted.

The only way to debug this problem is to guess and set breakpoints in various
error cases, and try over and over again.

I have found that the error occurs at the following point:

nssToken_TraverseCertificates(NSSTokenStr * 0x02cc0660, nssSessionStr * 0x02a413b8, int 2, int (nssCryptokiInstanceStr *, void *)* 0x03d347ef collector(nssCryptokiInstanceStr *, void *), void * 0x03635ec0) line 1683
NSSTrustDomain_TraverseCertificates(NSSTrustDomainStr * 0x02a411d0, int (NSSCertificateStr *, void *)* 0x03cf4318 pk11ListCertCallback(NSSCertificateStr *, void *), void * 0x0012edf4) line 1052 + 26 bytes
PK11_ListCerts(int 0, void * 0x02c8e4e8) line 3415 + 18 bytes

The error occurs at line 1679 in devtoken.c. This is a call to
C_FindObjectsInit on the MUSCLE_PKCS11.DLL module.

As a result, the function exits. The error is propagated all the way to the top,
and PK11_ListCerts returns an empty list.
FYI, the CK_RV is 179, or 0xB3. This means CKR_SESSION_HANDLE_INVALID.
I have generated a patch which resolves the problem. The fix is to ignore the
failure of one token to iterate its certs and loop to the next one.
Attachment #118738 - Attachment description: Continue iterating tokens even if one falis → Continue iterating tokens even if one fails
Attachment #118738 - Flags: superreview?(relyea)
Attachment #118738 - Flags: review?(ian.mcgreer)
Checking in trustdomain.c;
/cvsroot/mozilla/security/nss/lib/pki/trustdomain.c,v  <--  trustdomain.c
new revision: 1.48; previous revision: 1.47
done
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Summary: NSS can get in odd state with misbehaving hardware tokens → PK11_ListCerts may return no certs with misbehaving hardware tokens
Attachment #118738 - Flags: review?(ian.mcgreer) → review+
Attachment #118738 - Flags: superreview?(rrelyea0264) → superreview+
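
Added example (not NSS code and not the attached patch): a small C model of the traversal discussed in this bug, showing the abort-on-first-failure behaviour next to the skip-and-continue behaviour of the fix. The model_token type, the sample token list and the function names are assumptions made for illustration; only the return code value 0xB3 comes from the report.

```c
#include <stdio.h>
#include <stddef.h>

/* PKCS#11 return codes; 0xB3 is the value reported in this bug. */
typedef unsigned long CK_RV;
#define CKR_OK                     0x00UL
#define CKR_SESSION_HANDLE_INVALID 0xB3UL

/* Hypothetical stand-in for a token (not an NSS structure): the result its
 * C_FindObjectsInit call would give, and how many certs it holds. */
typedef struct { const char *name; CK_RV find_init_rv; int ncerts; } model_token;

/* Constructed sample: built-ins, a token with an invalid session, softoken. */
static const model_token sample_tokens[] = {
    { "builtins", CKR_OK,                     120 },
    { "e-gate",   CKR_SESSION_HANDLE_INVALID, 2   },
    { "softoken", CKR_OK,                     5   },
};
#define NTOKENS (sizeof sample_tokens / sizeof sample_tokens[0])

/* Behaviour described in the report: the first failing token ends the
 * traversal, and the caller is left with an empty list. */
int list_certs_abort(const model_token *t, size_t n) {
    int total = 0;
    for (size_t i = 0; i < n; i++) {
        if (t[i].find_init_rv != CKR_OK) return 0;
        total += t[i].ncerts;
    }
    return total;
}

/* Behaviour of the fix: skip the failing token and move to the next one.
 * Failures are counted so the caller can log them instead of hiding them. */
int list_certs_skip(const model_token *t, size_t n, int *failed) {
    int total = 0;
    *failed = 0;
    for (size_t i = 0; i < n; i++) {
        if (t[i].find_init_rv != CKR_OK) { (*failed)++; continue; }
        total += t[i].ncerts;
    }
    return total;
}

int main(void) {
    int failed;
    printf("abort: %d certs\n", list_certs_abort(sample_tokens, NTOKENS));
    printf("skip:  %d certs, %d token(s) failed\n",
           list_certs_skip(sample_tokens, NTOKENS, &failed), failed);
    return 0;
}
```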