Closed Bug 211523 Opened 21 years ago Closed 18 years ago

certutil unnecessarily requires login to verify cert signature

Categories

(NSS :: Tools, defect, P2)

x86
Windows 2000
defect

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 326637

People

(Reporter: nelson, Assigned: rrelyea)

I tried to verify a cert chain with a command like this one:

./certutil.exe -V -d dbdir -n "Server-Cert" -e -u R

certutil insisted that I login, but I didn't have the password for the key
DB, and so could not login.

However, using the debugger, I simply skipped the call to PK11_Authenticate
(certutil.c about line 2724), and then certutil completed the cert chain
verification without any problem.  

Clearly, the authentication was not actually necessary.  
So, why did certutil require it?  
The comment says it's for FIPS, but 
a) I'm not sure that it's really required for FIPS, and 
b) my token wasn't in FIPS mode.

An ordinary user couldn't have gotten past the authenticate call the way 
I did.  This is an issue, now that certutil is being shipped with 
certain products.

Seems that we should only call PK11_Authenticate when
the token is in FIPS mode, and then find out whether
it's really required for FIPS.

Bob,
You've recently done work on NSS to eliminate unnecessary authentications.
This bug (one year old tomorrow) reports another instance of that problem,
and it is not fixed by your recent changes.
Please fix this bug also, as part of that work to eliminate unnecessary
authentications.

Is it perhaps the case that we force an authentication in order to extract certs
from all tokens, regardless of their friendly/non-friendly status? Some of the
certs in the tokens might be necessary to complete the chain and verify it, e.g.
the roots. Of course, our root cert module is friendly, so that's not an issue.
But if you had the root, say, in an HSM, perhaps the authentication would be
required.

The alternative would be to try to do the verification without auth, and if it
fails, do the auth and try again. Seems messy, though.

Depends on: 244907

> seems messy

But that's exactly what the fix for 244907 did.
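
An added example, not NSS or certutil code and not taken from either bug: a small self-contained C model of the "verify first, authenticate only on failure" approach discussed in the comments above. The Token and Cert types, their fields and verify_lazy_auth are all constructed for illustration; real code would use the NSS token and certificate APIs in their place.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model, not NSS types: certs are subject/issuer name pairs. */
typedef struct { const char *subject, *issuer; } Cert;
typedef struct {
    bool friendly;               /* certs readable without login */
    bool logged_in, password_ok; /* password_ok: user can supply the password */
    Cert certs[2];
    size_t ncerts;
} Token;

/* Find a cert by subject among tokens whose certs are currently readable. */
static const Cert *find_visible(const Token *t, size_t n, const char *subject) {
    for (size_t i = 0; i < n; i++) {
        if (!t[i].friendly && !t[i].logged_in) continue;
        for (size_t j = 0; j < t[i].ncerts; j++)
            if (strcmp(t[i].certs[j].subject, subject) == 0) return &t[i].certs[j];
    }
    return NULL;
}

/* Follow issuer links from the leaf to a self-signed root; false if a link is missing. */
static bool chain_ok(const Token *t, size_t n, const char *leaf) {
    const Cert *c = find_visible(t, n, leaf);
    for (int depth = 0; c != NULL && depth < 8; depth++) {
        if (strcmp(c->subject, c->issuer) == 0) return true;
        c = find_visible(t, n, c->issuer);
    }
    return false;
}

/* Verify first; log in to non-friendly tokens, one at a time, only after a failure.
   *prompts counts how often the user was asked for a password. */
bool verify_lazy_auth(Token *t, size_t n, const char *leaf, int *prompts) {
    *prompts = 0;
    if (chain_ok(t, n, leaf)) return true;
    for (size_t i = 0; i < n; i++) {
        if (t[i].friendly || t[i].logged_in) continue;
        (*prompts)++;
        t[i].logged_in = t[i].password_ok;
        if (t[i].logged_in && chain_ok(t, n, leaf)) return true;
    }
    return false;
}
```

With the whole chain on a friendly token the model never prompts, which matches the reporter's case; a prompt happens only when a needed cert sits on a non-friendly token such as the HSM mentioned above.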
Priority: -- → P2
Target Milestone: --- → 3.9.3
Assigned the bug to Bob.  Target NSS 3.10.
Assignee: wchang0222 → rrelyea0264
Target Milestone: 3.9.3 → 3.10
QA Contact: bishakhabanerjee → jason.m.reid
Target Milestone: 3.10 → 3.12
QA Contact: jason.m.reid → tools

This was fixed in bug 326637. Marking duplicate.



*** This bug has been marked as a duplicate of 326637 ***
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE