Closed
Bug 297531
Opened 20 years ago
Closed 19 years ago
Signing a mail call PKCS#11 functions incorrect
Categories
(NSS :: Libraries, defect)
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: jnem6403, Assigned: rrelyea)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; cs-CZ; rv:1.7.6) Gecko/20050318 Firefox/1.0.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113

Mozilla mail opens a session and finds objects like certificates and private keys. It finds a key object handle that will be used for signing a mail. Then it opens another session and tries to use the same key handle (but in another session!) to sign the mail. This is wrong, and CKR_KEY_HANDLE_INVALID is the result of the C_SignInit call. Then Mozilla shows a small error message dialog that does not describe the problem very well.

Reproducible: Always

Steps to Reproduce:
1. Get any PKCS#11 library that can log PKCS#11 function calls
2. Install it into Mozilla and select a certificate for signing mails
3. Try to send a signed mail
4. See the PKCS#11 log

Actual Results:
Dialog about wrong certificates. (with my PKCS#11 library)

Expected Results:
Sign the e-mail. (Or at least a dialog: "Cannot find the key in the second session.")

I tried to find some information about sessions and object handles in the original PKCS#11 documentation, and I think you (the application) cannot expect that identical objects in different sessions have identical handles. Even if I am not right, you should display an error dialog with much more descriptive information.
Comment 2•19 years ago
This is perfectly valid PKCS #11 usage, which should be clear from section 6.7.7 of the PKCS #11 spec. This is a common mistake among vendors new to PKCS #11, made particularly troublesome by the names we give objects: the name 'Session Object' seems to imply that the object is only visible to the session that created it. This is not so. All objects are visible globally on all sessions within a given slot. This is true whether the object is a session object or a token object.
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID
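To make the scoping rule in the comment above concrete, the following is an added C model of one slot's session and object tables. It was written for this page: it is not NSS code and not any real PKCS#11 module. Only the CK_ type names and the CKR_ return values are taken from the PKCS#11 headers; every model_ and replay_ function, the table sizes, and the per_session_handles flag are invented here. That flag reproduces the per-session handle scoping the report describes, so the conforming behaviour and the mistaken one can be run side by side on the report's own sequence (key located in session A, C_SignInit called in session B).

```c
#include <stdbool.h>
#include <string.h>

/* Constructed model of one PKCS#11 slot, added for this page. It is not NSS
 * code and not a real module: only the CK_ type names and CKR_ values come
 * from the PKCS#11 headers; everything prefixed model_ is invented here. */
typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_RV, CK_SESSION_HANDLE, CK_OBJECT_HANDLE;

#define CKR_OK                     0x00UL
#define CKR_DEVICE_MEMORY          0x31UL
#define CKR_KEY_HANDLE_INVALID     0x60UL
#define CKR_SESSION_COUNT          0xB1UL
#define CKR_SESSION_HANDLE_INVALID 0xB3UL

#define MAX_SESSIONS 8
#define MAX_OBJECTS  16

/* Slot-wide tables indexed by handle; handle 0 is never valid. Objects are
 * deliberately not stored per session: that is the rule the comment states. */
static bool session_open[MAX_SESSIONS + 1];
static struct { bool in_use, token_object; CK_SESSION_HANDLE creator; } objects[MAX_OBJECTS + 1];

static bool session_valid(CK_SESSION_HANDLE s)
{
    return s >= 1 && s <= MAX_SESSIONS && session_open[s];
}

static void model_reset(void)
{
    memset(session_open, 0, sizeof session_open);
    memset(objects, 0, sizeof objects);
}

CK_RV model_open_session(CK_SESSION_HANDLE *out)
{
    for (CK_SESSION_HANDLE s = 1; s <= MAX_SESSIONS; s++)
        if (!session_open[s]) { session_open[s] = true; *out = s; return CKR_OK; }
    return CKR_SESSION_COUNT;
}

/* C_CloseSession analogue: session objects created by s are destroyed,
 * token objects (CKA_TOKEN = CK_TRUE) are untouched. */
CK_RV model_close_session(CK_SESSION_HANDLE s)
{
    if (!session_valid(s)) return CKR_SESSION_HANDLE_INVALID;
    session_open[s] = false;
    for (CK_OBJECT_HANDLE o = 1; o <= MAX_OBJECTS; o++)
        if (objects[o].in_use && !objects[o].token_object && objects[o].creator == s)
            objects[o].in_use = false;
    return CKR_OK;
}

CK_RV model_create_object(CK_SESSION_HANDLE s, bool token_object, CK_OBJECT_HANDLE *out)
{
    if (!session_valid(s)) return CKR_SESSION_HANDLE_INVALID;
    for (CK_OBJECT_HANDLE o = 1; o <= MAX_OBJECTS; o++) {
        if (objects[o].in_use) continue;
        objects[o].in_use = true;
        objects[o].token_object = token_object;
        objects[o].creator = s;
        *out = o;
        return CKR_OK;
    }
    return CKR_DEVICE_MEMORY;
}

/* C_SignInit analogue. A conforming module checks only that the session is
 * open and that the handle names a live object in this slot. The invented
 * per_session_handles flag reproduces the mistake the bug describes:
 * rejecting the handle unless it is used in the session that created it. */
CK_RV model_sign_init(CK_SESSION_HANDLE s, CK_OBJECT_HANDLE key, bool per_session_handles)
{
    if (!session_valid(s)) return CKR_SESSION_HANDLE_INVALID;
    if (key < 1 || key > MAX_OBJECTS || !objects[key].in_use) return CKR_KEY_HANDLE_INVALID;
    if (per_session_handles && objects[key].creator != s) return CKR_KEY_HANDLE_INVALID;
    return CKR_OK;
}

/* Replay of the report: create (or, for a token, locate) the key in session A,
 * then call C_SignInit with that handle in session B. token_object selects the
 * private-key case from the bug (token object) or a session object;
 * close_creator_first closes A before B uses the handle. */
CK_RV replay_sign_from_other_session(bool token_object, bool per_session_handles,
                                     bool close_creator_first)
{
    CK_SESSION_HANDLE a = 0, b = 0;
    CK_OBJECT_HANDLE key = 0;
    model_reset();
    model_open_session(&a);
    model_create_object(a, token_object, &key);
    model_open_session(&b);
    if (close_creator_first) model_close_session(a);
    CK_RV rv = model_sign_init(b, key, per_session_handles);
    if (!close_creator_first) model_close_session(a);
    model_close_session(b);
    return rv;
}
```

replay_sign_from_other_session(true, false, false) is the report's sequence against a conforming module and returns CKR_OK; with per_session_handles set it returns CKR_KEY_HANDLE_INVALID, which is what the reporter's module did. The session-object variants show the one case where a handle used from another session genuinely stops working: the object was a session object and the session that created it has already been closed.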
Comment 3•19 years ago
BTW, NSS does allow you to log calls to PKCS #11 modules without resorting to finding special logging PKCS #11 modules. You will need a debug build. Set the environment variable NSS_DEBUG_PKCS11_MODULE to the name you called your library when you loaded it into NSS (or firefox/thunderbird/mozilla). This works pretty well for single-process things. Multi-process apps tend to stomp on each other in the log.

Also, continue to report issues you see where it looks like NSS is not following the spec. There have been instances in the past where NSS was out of spec and vendors "just made things work", then ran into trouble when we made NSS conform to the spec.

bob
Comment 4•19 years ago
NSS's PKCS #11 logging facility is documented in this technical note: http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn2.html