Bug 333090 - CKM_DH_PKCS_KEY_PAIR_GEN always fails
Status: RESOLVED FIXED
Product: NSS
Classification: Components
Component: Libraries
Version: 3.11.1
Platform: All All
Importance: P1 major
Target Milestone: 3.11.1
Assigned To: Nelson Bolyard (seldom reads bugmail)
Reported: 2006-04-06 20:04 PDT by Andreas Sterbenz
Modified: 2006-04-07 23:25 PDT

Attachments
Patch against NSS_3_11_BRANCH (3.80 KB, patch)
2006-04-06 20:04 PDT, Andreas Sterbenz
nelson: review+
rrelyea: superreview+

Description Andreas Sterbenz 2006-04-06 20:04:04 PDT
Trying to generate a DH keypair using C_GenerateKeyPair() always fails in the pairwise consistency check if the attribute CKA_SIGN is not specified.

The problem is that sftk_handlePrivateKeyObject() assigns CKA_SIGN a default value of CK_TRUE for all keys (including DH). That causes sftk_PairwiseConsistencyCheck() to attempt a consistency check using signing, which of course fails for DH keys.

This used to work in earlier NSS releases. I believe a change in the consistency check has exposed this preexisting problem in sftk_handlePrivateKeyObject().
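
A simplified C model of the interaction described in this report, added here as an illustration; it is not NSS source and not the attached patch. The struct and every `model_` name are hypothetical, and the type-aware default is an assumption about one way to avoid the failure.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of the report; not NSS source. All names are hypothetical. */
typedef enum { KEY_RSA, KEY_DSA, KEY_DH } key_type;

typedef struct {
    key_type type;
    bool sign_set; /* caller put CKA_SIGN in the private-key template */
    bool sign;     /* effective CKA_SIGN value */
} priv_key;

/* DH private keys can only derive shared secrets; they cannot sign. */
static bool model_can_sign(key_type t) { return t == KEY_RSA || t == KEY_DSA; }

/* Behaviour described in the report: CKA_SIGN defaults to CK_TRUE for all keys. */
void model_defaults_untyped(priv_key *k) {
    if (!k->sign_set) k->sign = true;
}

/* Assumed alternative: default CKA_SIGN only where signing is possible. */
void model_defaults_typed(priv_key *k) {
    if (!k->sign_set) k->sign = model_can_sign(k->type);
}

/* Pairwise check: a key marked CKA_SIGN gets a sign/verify round trip,
 * which cannot succeed for a key type with no signature operation. */
bool model_pairwise_check(const priv_key *k) {
    return !(k->sign && !model_can_sign(k->type));
}

/* Key-pair generation succeeds only if the consistency check passes. */
bool model_generate(key_type t, bool sign_set, bool sign,
                    void (*defaults)(priv_key *)) {
    priv_key k = { t, sign_set, sign };
    defaults(&k);
    return model_pairwise_check(&k);
}

int main(void) {
    printf("DH, untyped default: %d\n", model_generate(KEY_DH, false, false, model_defaults_untyped));
    printf("DH, typed default:   %d\n", model_generate(KEY_DH, false, false, model_defaults_typed));
    printf("DH, CKA_SIGN=false:  %d\n", model_generate(KEY_DH, true, false, model_defaults_untyped));
    return 0;
}
```
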
Comment 1 Andreas Sterbenz 2006-04-06 20:04:35 PDT
Created attachment 217527
Patch against NSS_3_11_BRANCH
Comment 2 Nelson Bolyard (seldom reads bugmail) 2006-04-06 22:25:52 PDT
Comment on attachment 217527
Patch against NSS_3_11_BRANCH

Andreas, you discovered this with some build of NSS 3.11.1.  I gather it was a build from the 3.11 branch.  Please confirm if it was a branch build, or trunk, and approximately when it was built.
Comment 3 Andreas Sterbenz 2006-04-06 23:44:11 PDT
(In reply to comment #2)
> (From update of attachment 217527)
> Andreas, you discovered this with some build of NSS 3.11.1.  I gather it was a
> build from the 3.11 branch.  Please confirm if it was a branch build, or trunk,
> and approximately when it was built.

Right. I reproduced this bug using a clean build of NSS_3_11_BRANCH pulled from CVS this evening. I had noticed it in earlier builds but did not have a chance to track it down.
Comment 4 Robert Relyea 2006-04-07 15:50:22 PDT
Comment on attachment 217527
Patch against NSS_3_11_BRANCH

r+=relyea
Comment 5 Nelson Bolyard (seldom reads bugmail) 2006-04-07 22:06:57 PDT
For some reason, this patch did not apply cleanly to the trunk, even though
I could find no visible differences to the patched code between the 3.11
branch and the trunk. So I manually applied the patch to the trunk.  

Checking in pkcs11.c;  new revision: 1.121; previous revision: 1.120
Comment 6 Nelson Bolyard (seldom reads bugmail) 2006-04-07 23:25:31 PDT
Checked in on 3.11 branch
Checking in pkcs11.c; new revision: 1.112.2.6; previous revision: 1.112.2.5