Closed Bug 307130 Opened 19 years ago Closed 4 years ago

InitPIN fails for PKCS#11 slots, since logging in as SO fails with CKR_SESSION_READ_ONLY_EXISTS

Categories

(NSS :: Libraries, defect)

Product:
NSS
Component:
Libraries
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED INACTIVE

People

(Reporter: Stefan.Neis, Assigned: rrelyea)

Details

User-Agent:       Mozilla/5.0 (OS/2; U; Warp 4.5; de-AT; rv:1.7.11) Gecko/20050728
Build Identifier: Mozilla/5.0 (OS/2; U; Warp 4.5; de-AT; rv:1.7.11) Gecko/20050728

I'm not exactly sure, I'm looking at the correct source file 
(security/nss/lib/pk11wrap/pk11slot.c), but assuming I am, there's a problem
with  function PK11_InitPin in said file: According to my logging, initially a
read only session with the token is opened that apparently is never really
closed, if your token supports more than a single session. Now, within
PK11_InitPin, PK11_GetRWSession is called, however (if your token supports
several sessions), this only means an additional session is opened. Next,
C_Login(rwsession, CKU_SO,...) is called. However, according to PKCS#11, this
should fail with CKR_SESSION_READ_ONLY_EXISTS, if any read only session exists -
and since the read-only-session wasn't explicitly closed, such a session exists,
and so PK11_InitPin always returns with an error message before C_InitPIN is
ever called.

If you agree with my diagnosis, I could submit a patch which would e.g. add a
parameter to PK11_GetRWSession to indicate whether or not the read only session
should be closed no matter what und use that from PK11_InitPin.

OTOH, I don't really see what's the point in keeping that read-only session
open all the and why not _always_ close it after getting the rw session instead
of doing so only if no additional session is available - that would presumably
be an even simpler fix...


Reproducible: Always

Steps to Reproduce:
1. Try to change the password of an "empty chipcard" (i.e. token is initialized,
but not yet the user PIN) from the page showing all the cryptographic modules.

Actual Results:  
After pressing the OK button there a short period of activity, then the same
dialog for changing the "master password" is reenabled and the PIN is unchanged

Expected Results:  
PIN should have been created, as I assume (after looking at the source code) the
function for changing the PIN ends up calling PK11_InitPin in
security/nss/lib/pk11wrap/pk11slot.c which IMHO has the problem explained under
details. If I'm looking at a totally wrong file please give me a hint where I
need to look ...
->NSS i think
Assignee: kaie.bugs → wtchang
Component: Security: PSM → Libraries
Product: Core → NSS
QA Contact: jason.m.reid
Version: Trunk → unspecified
Bob, could you take a look at this bug report?  Thanks.
Assignee: wtchang → rrelyea
Bob, this is the PKCS #11 SO user login bug we told
you about in last week's NSS meeting.
QA Contact: jason.m.reid → libraries
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
QA Contact: jjones
Resolution: --- → INACTIVE
You need to log in before you can comment on or make changes to this bug.