CKM_DH_PKCS_KEY_PAIR_GEN always fails

RESOLVED FIXED in 3.11.1

Status

NSS
Libraries
P1
major
RESOLVED FIXED
11 years ago
11 years ago

People

(Reporter: Andreas Sterbenz, Assigned: Nelson Bolyard (seldom reads bugmail))

Tracking

3.11.1
3.11.1

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

3.80 KB, patch
Nelson Bolyard (seldom reads bugmail)
: review+
Robert Relyea
: superreview+
(Reporter)

Description

11 years ago
Trying to generate a DH keypair using C_GenerateKeyPair() always fails in the pairwise consistency check if the attribute CKA_SIGN is not specified.

The problem is that sftk_handlePrivateKeyObject() assigns CKA_SIGN a default value of CK_TRUE for all keys (including DH). That causes sftk_PairwiseConsistencyCheck() to attempt a consistency check using signing, which of course fails for DH keys.

This used to work in earlier NSS releases. I believe a change in the consistency check has exposed this preexisting problem in sftk_handlePrivateKeyObject().
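A simplified model of the failure described in the report above, added here as an illustration; it is not NSS source and not the attached patch. The `attr` struct, `generate_key_pair` and the two `sign_default_*` functions are hypothetical, only three key types are modeled, and the per-type default is an assumed correction because the patch contents are not shown on this page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constants carry their PKCS #11 values; everything else is a constructed model. */
enum { CKK_RSA = 0, CKK_DSA = 1, CKK_DH = 2 };
enum { CKA_SIGN = 0x108, CKA_DERIVE = 0x10C };

typedef struct { unsigned long type; bool value; } attr;   /* boolean attributes only */

/* Constructed private-key templates, as a caller might pass for a DH key. */
static const attr DERIVE_ONLY[]   = { { CKA_DERIVE, true } };
static const attr SIGN_DISABLED[] = { { CKA_DERIVE, true }, { CKA_SIGN, false } };

/* Return the template entry for `type`, or NULL if the caller did not supply it. */
static const attr *find_attr(const attr *t, size_t n, unsigned long type) {
    for (size_t i = 0; i < n; i++)
        if (t[i].type == type) return &t[i];
    return NULL;
}

static bool type_can_sign(unsigned long kt) { return kt == CKK_RSA || kt == CKK_DSA; }

/* Reported behaviour: a missing CKA_SIGN becomes true for every key type. */
static bool sign_default_reported(unsigned long kt) { (void)kt; return true; }

/* Assumed correction: a missing CKA_SIGN follows what the key type can do. */
static bool sign_default_by_type(unsigned long kt) { return type_can_sign(kt); }

/* Model of key-pair generation followed by the pairwise consistency check:
 * if the effective CKA_SIGN is true, a sign/verify round trip is attempted,
 * and that cannot succeed for a key type with no signature operation. */
static bool generate_key_pair(unsigned long kt, const attr *tmpl, size_t n,
                              bool (*sign_default)(unsigned long)) {
    const attr *a = find_attr(tmpl, n, CKA_SIGN);
    bool sign = a ? a->value : sign_default(kt);
    if (sign && !type_can_sign(kt)) return false;   /* consistency check fails */
    return true;
}

int main(void) {
    printf("DH, no CKA_SIGN, reported default:  %d\n",
           generate_key_pair(CKK_DH, DERIVE_ONLY, 1, sign_default_reported));
    printf("DH, CKA_SIGN=false in template:     %d\n",
           generate_key_pair(CKK_DH, SIGN_DISABLED, 2, sign_default_reported));
    printf("DH, no CKA_SIGN, per-type default:  %d\n",
           generate_key_pair(CKK_DH, DERIVE_ONLY, 1, sign_default_by_type));
    return 0;
}
```

In this model, a caller on an affected build avoids the failure by putting `CKA_SIGN` with a false value in the private-key template, which is inferred from the report's condition that the failure occurs when the attribute is not specified.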
(Reporter)

Comment 1

11 years ago
Created attachment 217527
Patch against NSS_3_11_BRANCH
(Assignee)

Updated

11 years ago
Assignee: nobody → rrelyea
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
(Assignee)

Comment 2

11 years ago
Comment on attachment 217527
Patch against NSS_3_11_BRANCH

Andreas, you discovered this with some build of NSS 3.11.1.  I gather it was a build from the 3.11 branch.  Please confirm if it was a branch build, or trunk, and approximately when it was built.
Attachment #217527 - Flags: superreview?(rrelyea)
Attachment #217527 - Flags: review+
(Reporter)

Comment 3

11 years ago
(In reply to comment #2)
> (From update of attachment 217527)
> Andreas, you discovered this with some build of NSS 3.11.1.  I gather it was a
> build from the 3.11 branch.  Please confirm if it was a branch build, or trunk,
> and approximately when it was built.

Right. I reproduced this bug using a clean build of NSS_3_11_BRANCH pulled from CVS this evening. I had noticed it in earlier builds but did not have a chance to track it down.

Comment 4

11 years ago
Comment on attachment 217527
Patch against NSS_3_11_BRANCH

r+=relyea
Attachment #217527 - Flags: superreview?(rrelyea) → superreview+
(Assignee)

Comment 5

11 years ago
For some reason, this patch did not apply cleanly to the trunk, even though
I could find no visible differences to the patched code between the 3.11
branch and the trunk. So I manually applied the patch to the trunk.  

Checking in pkcs11.c;  new revision: 1.121; previous revision: 1.120
(Assignee)

Comment 6

11 years ago
Checked in on 3.11 branch
Checking in pkcs11.c; new revision: 1.112.2.6; previous revision: 1.112.2.5
Assignee: rrelyea → nelson
(Assignee)

Updated

11 years ago
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED