PK11_ListCerts may return no certs with misbehaving hardware tokens



15 years ago


(Reporter: Julien Pierre, Assigned: Julien Pierre)


Windows 2000




(1 attachment)



15 years ago
Using a Schlumberger E-gate token on Windows 2000 and Muscle PKCS#11 drivers,
I'm getting a problem where as soon as my token is inserted, all certs disappear
from PSM in Mozilla. 

If I close the "Manage certs" and "preference" windows, unplug the token, then
go back to preferences/manage certs, then things start to work again.

This is a case where the driver is in an odd state and NSS doesn't handle it

Comment 1

15 years ago
As discussed in our meeting earlier today, this is most likely a problem with
PK11_ListCerts, as none of the tabs in PSM shows any certs.

Comment 2

15 years ago
I have confirmed that PK11_ListCerts is returning an empty cert list in Mozilla
when my token is plugged in.

The first argument passed in is 0, PK11CertListUnique.
Once I unplug the token, all is fine.

I am going to dig deeper.

Comment 3

15 years ago
The problem is not fully reproducible while stepping through the debugger.
However, when I debug step-by-step or pause for breakpoints, the problem
disappears, and the built-in and softoken certs show up in PSM, even with the
hardware token inserted.

The only way to debug this problem is to guess and set breakpoints in various
error cases, and try over and over again.

I have found that the error occurs at the following point:

nssToken_TraverseCertificates(NSSTokenStr * 0x02cc0660, nssSessionStr * 0x02a413b8, int 2, int (nssCryptokiInstanceStr *, void *)* 0x03d347ef collector(nssCryptokiInstanceStr *, void *), void * 0x03635ec0) line 1683
NSSTrustDomain_TraverseCertificates(NSSTrustDomainStr * 0x02a411d0, int (NSSCertificateStr *, void *)* 0x03cf4318 pk11ListCertCallback(NSSCertificateStr *, void *), void * 0x0012edf4) line 1052 + 26 bytes
PK11_ListCerts(int 0, void * 0x02c8e4e8) line 3415 + 18 bytes

The error occurs at line 1679 in devtoken.c. This is a call to
C_FindObjectsInit on the MUSCLE_PKCS11.DLL module.

As a result, the function exits. The error is propagated all the way to the top,
and PK11_ListCerts returns an empty list.

Comment 4

15 years ago
FYI, the CK_RV is 179, or 0xB3. This means CKR_SESSION_HANDLE_INVALID.
I have generated a patch which resolves the problem. The fix is to ignore the
failure of one token to iterate its certs and loop to the next one.
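
The failure mode from comment 3 and the fix from comment 4, modeled as a stand-alone C example. This is an added illustration, not part of the bug report and not the NSS patch: `demo_token`, `demo_tokens` and both `list_certs_*` functions are hypothetical names, and the token data is constructed; only the return value 0xB3 (CKR_SESSION_HANDLE_INVALID) comes from the thread.

```c
#include <stddef.h>

/* PKCS#11 return values (constants defined by the PKCS#11 spec). */
#define CKR_OK                     0x00UL
#define CKR_SESSION_HANDLE_INVALID 0xB3UL

/* Hypothetical stand-in for a token: the result its find-init call
 * gives and how many certs it holds. Not an NSS type. */
typedef struct {
    const char   *name;
    unsigned long find_init_rv;
    int           cert_count;
} demo_token;

/* Constructed sample: built-ins, a token in a bad state, softoken. */
static const demo_token demo_tokens[] = {
    { "builtins", CKR_OK,                     3 },
    { "e-gate",   CKR_SESSION_HANDLE_INVALID, 1 },
    { "softoken", CKR_OK,                     2 },
};
#define DEMO_NTOKENS (sizeof demo_tokens / sizeof demo_tokens[0])

/* Before: the first failing token aborts the traversal and the error
 * reaches the caller, which then reports no certs at all. */
int list_certs_fail_fast(const demo_token *t, size_t n)
{
    int total = 0;
    for (size_t i = 0; i < n; i++) {
        if (t[i].find_init_rv != CKR_OK)
            return 0;               /* whole listing discarded */
        total += t[i].cert_count;
    }
    return total;
}

/* After: skip the failing token, count it, and keep iterating. */
int list_certs_tolerant(const demo_token *t, size_t n, size_t *failed)
{
    int total = 0;
    *failed = 0;
    for (size_t i = 0; i < n; i++) {
        if (t[i].find_init_rv != CKR_OK) {
            (*failed)++;            /* keep the failure visible to callers */
            continue;
        }
        total += t[i].cert_count;
    }
    return total;
}
```

Counting the skipped tokens keeps the failure observable for logging, so a token that silently contributes no certs can still be diagnosed.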

Comment 5

15 years ago
Created attachment 118738 [details] [diff] [review]
Continue iterating tokens even if one fails


15 years ago
Attachment #118738 - Attachment description: Continue iterating tokens even if one falis → Continue iterating tokens even if one fails
Attachment #118738 - Flags: superreview?(relyea)
Attachment #118738 - Flags: review?(ian.mcgreer)

Comment 6

15 years ago
Checking in trustdomain.c;
/cvsroot/mozilla/security/nss/lib/pki/trustdomain.c,v  <--  trustdomain.c
new revision: 1.48; previous revision: 1.47
Last Resolved: 15 years ago
Resolution: --- → FIXED
Summary: NSS can get in odd state with misbehaving hardware tokens → PK11_ListCerts may return no certs with misbehaving hardware tokens


15 years ago
Attachment #118738 - Flags: review?(ian.mcgreer) → review+


15 years ago
Attachment #118738 - Flags: superreview?(rrelyea0264) → superreview+