Using a Schlumberger E-gate token on Windows 2000 and Muscle PKCS#11 drivers, I'm getting a problem where as soon as my token is inserted, all certs disappear from PSM in Mozilla. If I close the "Manage certs" and "preference" windows, unplug the token, then go back to preferences/manage certs, then things start to work again. This is a case where the driver is in an odd state and NSS doesn't handle it correctly.
As discussed in our meeting earlier today, this is most likely a problem with PK11_ListCerts, as none of the tabs in PSM shows any certs.
I have confirmed that PK11_ListCerts is returning an empty cert list in Mozilla when my token is plugged in. The first argument passed in is 0, PK11CertListUnique. Once I unplug the token, all is fine. I am going to dig deeper.
The problem is not fully reproducible while stepping through the debugger. However, when I debug step-by-step or pause for breakpoints, the problem disappears, and the built-in and softoken certs show up in PSM, even with the hardware token inserted. The only way to debug this problem is to guess and set breakpoints in various error cases, and try over and over again. I have found that the error occurs at the following point:

nssToken_TraverseCertificates(NSSTokenStr * 0x02cc0660, nssSessionStr * 0x02a413b8, int 2, int (nssCryptokiInstanceStr *, void *)* 0x03d347ef collector(nssCryptokiInstanceStr *, void *), void * 0x03635ec0) line 1683
NSSTrustDomain_TraverseCertificates(NSSTrustDomainStr * 0x02a411d0, int (NSSCertificateStr *, void *)* 0x03cf4318 pk11ListCertCallback(NSSCertificateStr *, void *), void * 0x0012edf4) line 1052 + 26 bytes
PK11_ListCerts(int 0, void * 0x02c8e4e8) line 3415 + 18 bytes

The error occurs at line 1679 in devtoken.c. This is a call to C_FindObjectsInit on the MUSCLE_PKCS11.DLL module. As a result, the function exits. The error is propagated all the way to the top, and PK11_ListCerts returns an empty list.
FYI, the CK_RV is 179, or 0xB3. This means CKR_SESSION_HANDLE_INVALID. I have generated a patch which resolves the problem. The fix is to ignore the failure of one token to iterate its certs and loop to the next one.
Checking in trustdomain.c;
/cvsroot/mozilla/security/nss/lib/pki/trustdomain.c,v <-- trustdomain.c
new revision: 1.48; previous revision: 1.47
done
Status: NEW → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → FIXED
Summary: NSS can get in odd state with misbehaving hardware tokens → PK11_ListCerts may return no certs with misbehaving hardware tokens
Attachment #118738 - Flags: superreview?(rrelyea0264) → superreview+
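The failure mode and the fix described in this bug, as an added illustration that is not NSS code and not the attached patch: a listing loop that aborts on the first token error is compared with one that skips the failing token and keeps going. The `mock_token` type, both function names and the sample token table are hypothetical and constructed for this example; only the return code value 0xB3 comes from the report.

```c
#include <stddef.h>
#include <stdio.h>

#define CKR_OK                     0x00UL
#define CKR_SESSION_HANDLE_INVALID 0xB3UL /* 179, the CK_RV reported in this bug */

/* Hypothetical stand-in for a token; not an NSS type. */
typedef struct {
    const char *name;
    unsigned long find_rv; /* what this token's C_FindObjectsInit returns */
    size_t ncerts;         /* certs it would yield on success */
} mock_token;

/* Constructed sample: two healthy tokens and one with an invalid session. */
static const mock_token sample_tokens[] = {
    { "built-in",       CKR_OK,                     3 },
    { "hardware token", CKR_SESSION_HANDLE_INVALID, 0 },
    { "softoken",       CKR_OK,                     2 },
};
#define NTOKENS (sizeof sample_tokens / sizeof sample_tokens[0])

/* Behaviour in the report: one failure propagates up, caller gets nothing. */
size_t list_certs_abort_on_error(const mock_token *t, size_t n) {
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (t[i].find_rv != CKR_OK)
            return 0; /* whole listing is lost, healthy tokens included */
        total += t[i].ncerts;
    }
    return total;
}

/* Behaviour of the fix: skip the failing token, count it, keep iterating. */
size_t list_certs_skip_failed(const mock_token *t, size_t n, size_t *failed) {
    size_t total = 0;
    *failed = 0;
    for (size_t i = 0; i < n; i++) {
        if (t[i].find_rv != CKR_OK) {
            (*failed)++; /* surface this to logs rather than dropping it silently */
            continue;
        }
        total += t[i].ncerts;
    }
    return total;
}

int main(void) {
    size_t failed;
    printf("abort-on-error: %zu certs\n", list_certs_abort_on_error(sample_tokens, NTOKENS));
    printf("skip-failed: %zu certs", list_certs_skip_failed(sample_tokens, NTOKENS, &failed));
    printf(" (%zu token(s) skipped)\n", failed);
    return 0;
}
```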