Closed Bug 316925 Opened 19 years ago Closed 17 years ago

Key export does not work on tokens with non-sensitive keys that can't wrap.

Categories

(NSS :: Libraries, defect, P1)

Tracking

(Not tracked)

RESOLVED FIXED
3.11.7

People

(Reporter: rrelyea, Assigned: rrelyea)

Attachments

(2 files)

If a token can't wrap, NSS will fail to import a key.

This is for 2 reasons: 1) the export call tries to move the pbe key, but does not try to move the private key if moving the pbe key fails, and 2) the kea code will erroneously return success of moving a key, even if it winds up 'moving' it to the wrong token.

Patch coming.
This should handle every case that's doable except the case where the key is not sensitive, the pbe key could be moved, but the token couldn't wrap the private key.
Attachment #203481 - Flags: review?(kengert)
Priority: -- → P1
Target Milestone: --- → 3.12
Attachment #203481 - Flags: review?(kengert) → review+
Checking in pk11akey.c;
/cvsroot/mozilla/security/nss/lib/pk11wrap/pk11akey.c,v  <--  pk11akey.c
new revision: 1.10; previous revision: 1.9
done
Checking in pk11kea.c;
/cvsroot/mozilla/security/nss/lib/pk11wrap/pk11kea.c,v  <--  pk11kea.c
new revision: 1.10; previous revision: 1.9
done
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
This was only fixed on trunk, not branch.
Do we want this fix in NSS 3.11.1 ??  
Need to know now.
It would be a nice to have for 3.11. I wouldn't stop ship 3.11 if it didn't have it.

bob
try to make it into 3.11.7
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Target Milestone: 3.12 → 3.11.7
Attachment #203481 - Flags: superreview?(wtchang)
Comment on attachment 203481 [details] [diff] [review]
Patch to solve problem with exporting keys.

r=wtc.

In pk11akey.c, if we move the comment "couldn't import
the wrapping key, couldn't export the private key, we
are done" before the pk11_loadPrivKey call, it'll be
easier to understand what we are trying to do there.
Right now this high-level description is in the error
handling code, which is a little late.

If you move the comment, it needs to be changed to
something like:

  couldn't import the wrapping key, try exporting the
  private key

You may even combine this comment with the comment

  If the key isn't in the private key slot, move it

before the pk11_CopyToSlot call.
Attachment #203481 - Flags: superreview?(wtchang) → superreview+
QA Contact: jason.m.reid → libraries
OS: Windows XP → All
Kai, this patch has had 2 reviews for almost 2 months now. 
Would you consider checking it in for Bob, in time for NSS 3.11.7 ?
Bob agreed that I can go ahead and land the patch.

I propose I land the patch as is into the 3.11 branch.

I propose I attach another trunk patch to fix the comment, to ensure you're happy with it.
Fixed on 3.11 branch for 3.11.7

Checking in pk11akey.c;
/cvsroot/mozilla/security/nss/lib/pk11wrap/pk11akey.c,v  <--  pk11akey.c
new revision: 1.9.2.6; previous revision: 1.9.2.5
done
Checking in pk11kea.c;
/cvsroot/mozilla/security/nss/lib/pk11wrap/pk11kea.c,v  <--  pk11kea.c
new revision: 1.9.28.2; previous revision: 1.9.28.1
done
Attachment #263062 - Flags: review?(wtc)
Attachment #263062 - Flags: review?(wtc) → review+
It appears this bug is fixed on trunk and branch now.
So, I am marking this bug fixed.  

If you disagree, pls reopen.
Status: REOPENED → RESOLVED
Closed: 19 years ago → 17 years ago
Resolution: --- → FIXED
I checked in the enhanced comment to the NSS trunk (only).

Checking in pk11akey.c;
/cvsroot/mozilla/security/nss/lib/pk11wrap/pk11akey.c,v  <--  pk11akey.c
new revision: 1.16; previous revision: 1.15
done