Bug in PK11_ListPrivKeysInSlot

RESOLVED FIXED in 3.11.8

Status

NSS
Libraries
P2
normal
RESOLVED FIXED
11 years ago
11 years ago

People

(Reporter: Tom Mraz, Assigned: Julien Pierre)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

11 years ago
There is a mistake in PK11_ListPrivKeysInSlot making it not to find private keys by nickname:

2074     if (nickname) {
2075         len = PORT_Strlen(nickname)-1;
2076         PK11_SETATTRS(attrs, CKA_LABEL, nickname, len); attrs++;
2077     }

In the code above the -1 should be removed.
The -1 is a bug, (and I think there be another bug about that already),
but private key objects typically don't have useful CKA_LABELs.
This is because keys are generated well before the certs are available
and the nicknames are generally derived from the cert contents.
So, by the time the cert arrives, the priv key is already created without
a useful nickname.

If you look at how other NSS programs fine private keys from nicknames,
you'll notice that they find a cert object with the nickname, and then find 
the private key object whose CKA_ID matches the CKA_ID of the cert. 
(Reporter)

Comment 2

11 years ago
I'm using NSS for ssh keys and certs are meaningless there but I know about the problem you wrote and I'll workaround it some way or another.

Comment 3

11 years ago
Nelson, should we go ahead and fix the bug?

Do you want me to attach a patch?
This bug is a duplicate of Bug 353714, which notes that there are other
problems with that function than merely this one off-by-one issue.  

Kai and Tom, feel free to attach a patch (or patches) to Bug 353714 
that address the issues reported there.
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 353714
(Reporter)

Comment 5

11 years ago
I'd rather leave this bug for the off by one issue as the other bug mentions another issues which I don't know about.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
(Reporter)

Comment 6

11 years ago
Created attachment 265930 [details] [diff] [review]
Patch for the off-by-one for ListPubKeys and ListPrivKeys functions

Comment 7

11 years ago
Comment on attachment 265930 [details] [diff] [review]
Patch for the off-by-one for ListPubKeys and ListPrivKeys functions

r=wtc.
Attachment #265930 - Flags: review+

Comment 8

11 years ago
Comment on attachment 265930 [details] [diff] [review]
Patch for the off-by-one for ListPubKeys and ListPrivKeys functions

r+ for the 3.11 branch once it opens again.
Attachment #265930 - Flags: superreview+
(Assignee)

Comment 9

11 years ago
Fixed on the trunk :

Checking in pk11akey.c;
/cvsroot/mozilla/security/nss/lib/pk11wrap/pk11akey.c,v  <--  pk11akey.c
new revision: 1.18; previous revision: 1.17
done

And on the NSS_3_11_BRANCH :

Checking in pk11akey.c;
/cvsroot/mozilla/security/nss/lib/pk11wrap/pk11akey.c,v  <--  pk11akey.c
new revision: 1.9.2.7; previous revision: 1.9.2.6
done
Assignee: nobody → julien.pierre.boogz
Status: REOPENED → NEW
OS: Linux → All
Priority: -- → P2
Hardware: PC → All
Target Milestone: --- → 3.11.8
(Assignee)

Updated

11 years ago
Status: NEW → RESOLVED
Last Resolved: 11 years ago11 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.