I recently used an HSM that contains two real tokens and one virtual token. The virtual token is conceptually the union of the two real tokens and an application only talks to the virtual token. In other words, an application only knows about the virtual token. However, NSS still knows about the two real tokens because the PKCS #11 module returns all three slots, and the administrative interface of the application may still need to operate on the real tokens. When an application logs into the virtual token, the two real tokens are also logged in automatically. This confuses NSS because NSS doesn't know that a token can be logged in "out of band". So, the things that NSS does when it logs into a token will not be done for these real tokens. Specifically, PK11_Authenticate on either of the real tokens won't call the PK11_DoPassword:nssTrustDomain_UpdateCachedTokenCerts sequence. The result is that the certs in the cache won't have the instances that live on the real tokens.
Isn't the purpose of the virtual token to obviate the physical tokens? Isn't the idea that the application deals with the virtual token, and ignores the physical tokens, and the virtual token directs activity to the virtual tokens as needed? If that is so, then why does the application need to concern itself with the physical tokens?
QA Contact: bishakhabanerjee → jason.m.reid