Closed Bug 301528 Opened 19 years ago Closed 17 years ago

RSA certificate request succeeds even when underlying pkcs11 module returns error

Categories

(NSS :: Libraries, defect, P3)

Product:
NSS
Component:
Libraries
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
3.11.8

People

(Reporter: ccmartin, Assigned: julien.pierre)

Details

Attachments

(1 file)

Check input argument
922 bytes, patch
nelson
: review+
rrelyea
: superreview+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6

When making RSA certificate request using hardware pkcs11 token, the request
successes even though the token reported failure.


Reproducible: Always

Actual Results:  
Certificate request successful

Expected Results:  
Firefox reports keygen failure


  in seamonkey/ security/ nss/ cmd/ certcgi/ certcgi.c 
   privkey should be checked for null after keygen

510             slot = PK11_GetBestSlot(CKM_DSA_KEY_PAIR_GEN, NULL);
511             privkey = PK11_GenerateKeyPair(slot, CKM_DSA_KEY_PAIR_GEN, 
512                                            pqgParams,&pubkey, PR_FALSE, 
513                                            PR_TRUE, NULL);
514         } else {
515             privkey = SECKEY_CreateRSAPrivateKey(keySizeInBits, &pubkey, NULL);
516         }
517         privkeys[which_priv_key] = privkey;
518         spki = SECKEY_CreateSubjectPublicKeyInfo(pubkey);
519     } else {
520         spki = SECKEY_ConvertAndDecodePublicKeyAndChallenge(key, challenge, 
521                                                             NULL);
522         if (spki == NULL) {
523             error_out("ERROR: Unable to decode Public Key and Challenge
String");
524         }
525     }


  in seamonkey/ security/ nss/ lib/ cryptohi/ seckey.c 

   param pubk should be checked for null before use

1590 SECKEY_CreateSubjectPublicKeyInfo(SECKEYPublicKey *pubk)
1591 {
1592     CERTSubjectPublicKeyInfo *spki;
1593     PRArenaPool *arena;
1594     SECItem params = { siBuffer, NULL, 0 };
...
1608         switch(pubk->keyType) {
Assignee: nobody → wtchang
Component: Security → Libraries
Product: Firefox → NSS
QA Contact: firefox → jason.m.reid
Assignee: wtchang → nobody
QA Contact: jason.m.reid → libraries
The bug in certcgi is real, but certcgi is not being actively maintained.
The bug is seckey is worth fixing, though it is worth noting that most NSS functions don't check for argument validity.
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows XP → All
Hardware: PC → All
Assignee: nobody → julien.pierre.boogz

        Attachment #266871 -
        Flags: superreview?(rrelyea)

        Attachment #266871 -
        Flags: review?(nelson)

    
  
Priority: -- → P3
Target Milestone: --- → 3.11.8

    
    

    
  
Comment on attachment 266871 [details] [diff] [review]
Check input argument

r=nelson

        Attachment #266871 -
        Flags: review?(nelson) → review+

    
    

    
  
Martin, when you experienced this bug, was your PKCS#11 token being used
by the browser?  Or was it being used by a CGI program that was run by a 
web server?  

Based on the information in comment 0, I would say that one of two things
happened.  They are:

1) you tried to generate some certs with a web server that was running the 
certcgi CGI program.  There was a PKCS#11 module in use by the CGI program.
When the RSA Key generation (done by the CGI program) failed, the CGI 
program crashed (which would not appear to be a success).  

2. You tried to generate a certificate request with FireFox, with a PKCS#11
token being used by FireFox.  The KeyGen failed in the token being used by
FireFox, but the transaction appeared to complete successfully.  You tried
to find the responsible code, and found code in certcgi that you thought was
part of FireFox, but isn't.

I suspect the latter, because if the certcgi program crashed, it would not
appear to be a success.  but in comment 0, you say it appeared to succeed.

So, I think we need to find out where (in which program) the failure really
occurred (browser, or certcgi), and then plan a resolution based on that
information.

    
    

    
  
Comment on attachment 266871 [details] [diff] [review]
Check input argument

r+= rrelyea

        Attachment #266871 -
        Flags: superreview?(rrelyea) → superreview+

    
    

    
  
Nelson, Bob, thanks for the reviews.

I checked this in to NSS_3_11_BRANCH :
Checking in seckey.c;
/cvsroot/mozilla/security/nss/lib/cryptohi/seckey.c,v  <--  seckey.c
new revision: 1.36.2.8; previous revision: 1.36.2.7
done

And to the trunk :
Checking in seckey.c;
/cvsroot/mozilla/security/nss/lib/cryptohi/seckey.c,v  <--  seckey.c
new revision: 1.44; previous revision: 1.43
done

Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Summary: RSA certificate request successful even underlining pkcs11 module returned error → RSA certificate request succeeds even when underlying pkcs11 module returns error

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: