certutil error message is vague when unable to create databases



14 years ago
4 years ago


(Reporter: jason.m.reid, Unassigned)







14 years ago
$ ls -al /tmp/toast
/tmp/toast: No such file or directory
$ certutil -N -d /tmp/toast
certutil: NSS_Initialize failed: An I/O error occurred during security

certutil should state something to the effect of "certutil: Unable to access
/tmp/toast." in the case of the certificate database location not existing
or being unable to access the location (e.g. bad permissions), instead of
the generic I/O error message.
QA Contact: bishakhabanerjee → jason.m.reid
Assignee: wtchang → nobody
QA Contact: jason.m.reid → tools
Priority: -- → P4

Comment 1

11 years ago
The error comes from a PKCS#11 module (softoken) and there is no specific reason for file access issues. Technically PKCS#11 modules don't even have to use files. So I don't think we can fix this. The best we could do would be to have a better default message.

The mapping of PKCS#11 error numbers onto NSS error codes is way too coarse.
Far too many errors map to SEC_ERROR_IO, which is the error code reported 
here.  The mapping of PKCS11 error codes into NSS error codes should also
take into account the PKCS11 function that failed.  It would be far better
to report that C_Initialize failed than some generic IO error.

I think this is a real bug, and worthy of fixing.  It would reduce the number
of inquiries that NSS developers must answer if the error codes were actually 
descriptive of the problems.  

Comment 3

11 years ago
Actually the PKCS #11 errors are pretty coarse in this case.

On the other hand, we have special error codes for issues opening the database; I don't know why one of these isn't being used (though it's most likely to say something like "can't open certdb", and not include any information about what the underlying perror is).
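
Until certutil reports the cause itself, the distinction the report asks for (missing location versus bad permissions) can be checked before certutil runs. The following is an added example, not part of the bug thread or of NSS; the function names nss_db_precheck and new_nss_db are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for an NSS database directory.
# nss_db_precheck and new_nss_db are hypothetical helper names.
#
# Return codes of nss_db_precheck:
#   0 directory is usable     1 path does not exist
#   2 path is not a directory 3 missing write/search permission
nss_db_precheck() {
    # certutil accepts an optional "sql:" or "dbm:" prefix on -d;
    # strip it so the filesystem tests see the real path.
    dir=${1#sql:}
    dir=${dir#dbm:}

    if [ ! -e "$dir" ]; then
        echo "precheck: unable to access $dir: no such file or directory" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "precheck: unable to access $dir: not a directory" >&2
        return 2
    fi
    # Creating the database files needs write and search (x) permission.
    if [ ! -w "$dir" ] || [ ! -x "$dir" ]; then
        echo "precheck: unable to access $dir: permission denied" >&2
        return 3
    fi
    return 0
}

# Create a new database only after the location has been checked, so a
# bad path yields a specific message instead of the generic I/O error.
new_nss_db() {
    nss_db_precheck "$1" || return $?
    certutil -N -d "$1"
}
```

When run as root the permission test always passes, so return code 3 is only meaningful for unprivileged users.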
