If you think a bug might affect users in the 57 release, please set the correct tracking and status flags for Release Management.

Unable to delete a certificate in a Solaris metaslot with certutil -D

RESOLVED INVALID

Status

NSS
Libraries
RESOLVED INVALID
9 years ago
9 years ago

People

(Reporter: Nelson Bolyard (seldom reads bugmail), Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: CR 6609549)

Attachments

(1 attachment)

Received the following report by email from a Solaris 10 user:

Unable to delete a certificate which I had added in a metaslot.    
#certutil -L -d . -h "Sun Metaslot"
Enter Password or Pin for "Sun Metaslot":
Sun Metaslot:Server-Cert                                     u,u,u

#certutil -D -d . -n "Sun Metaslot:Server-Cert"
Enter Password or Pin for "Sun Metaslot":
certutil: unable to delete certificate: security library: bad database.
   
# uname -a
SunOS ... 5.10 Generic_118833-24 sun4v sparc SUNW,Sun-Fire-T200

Steps to reproduce:
1) Login as root

2) Clean up
#rm -rf /.sunw

3) set pin
#pktool setpin

4) add libpkcs11.so
#modutil  -dbdir . -add "Solaris Crypto Framework" -libfile /usr/lib/libpkcs11.so -mechanisms RSA

5) enable the module
#modutil -enable "Solaris Crypto Framework" -dbdir .

6) Disable certain mechanisms
#cryptoadm disable  provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so mechanism=CKM_SSL3_PRE_MASTER_KEY_GEN,CKM_SSL3_MASTER_KEY_DERIVE,CKM_SSL3_KEY_AND_MAC_DERIVE,CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_SSL3_MD5_MAC,CKM_SSL3_SHA1_MAC

7) create a self signed cert in "Sun Metaslot"
#certutil -S -n "Server-Cert" -x -t u,u,u -s "CN=xyz.red.iplanet.com"  -d . -x -h "Sun Metaslot"
Enter Password or Pin for "Sun Metaslot":

A random seed must be generated that will be used in the
creation of your key.  One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!


Continue typing until the progress meter is full:

|************************************************************|

Finished.  Press enter to continue:


Generating key.  This may take a few moments...
#

8) List the certificate
#certutil -L -d . -h "Sun Metaslot"
Enter Password or Pin for "Sun Metaslot":
Sun Metaslot:Server-Cert                                     u,u,u

9) Try deleting it doesn't work.
#certutil -D -d . -n "Sun Metaslot:Server-Cert"
Enter Password or Pin for "Sun Metaslot":
certutil: unable to delete certificate: security library: bad database.


A workaround exists using solaris program pktool.
pktool works as shown below. 

# ../../bin/certutil -L -d . -h "Sun Metaslot"
Enter Password or Pin for "Sun Metaslot":
Sun Metaslot:Server-Cert                                     u,u,u

# ../../bin/certutil  -D -d . -n "Sun Metaslot:Server-Cert"
Enter Password or Pin for "Sun Metaslot":
certutil: unable to delete certificate: security library: bad database.

# pktool delete label=Server-Cert
Enter token passphrase:
Object #1 "Server-Cert" successfully deleted.
#
# ../../bin/certutil -L -d . -h "Sun Metaslot"
Enter Password or Pin for "Sun Metaslot":
#
It would be helpful to know:
a) how was that certificate created (or imported) in the metaslot token?
b) with what version of NSS was the problem reproduced?
Whiteboard: CR 6609549
What kind of public key did the cert in question have?
Was it a cert with an ECC public key, by any chance?

Comment 3

9 years ago
# uname -a
SunOS ... 5.10 Generic_118833-24 sun4v sparc SUNW,Sun-Fire-T200

Steps to reproduce:
1) Login as root

2) Clean up
#rm -rf /.sunw

3) set pin
#pktool setpin

4) add libpkcs11.so
#modutil  -dbdir . -add "Solaris Crypto Framework" -libfile /usr/lib/libpkcs11.so -mechanisms RSA

5) enable the module
#modutil -enable "Solaris Crypto Framework" -dbdir .

6) Disable certain mechanisms
#cryptoadm disable  provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so mechanism=CKM_SSL3_PRE_MASTER_KEY_GEN,CKM_SSL3_MASTER_KEY_DERIVE,CKM_SSL3_KEY_AND_MAC_DERIVE,CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_SSL3_MD5_MAC,CKM_SSL3_SHA1_MAC

7) create a self signed cert in "Sun Metaslot"
#certutil -S -n "Server-Cert" -x -t u,u,u -s "CN=xyz.red.iplanet.com"  -d . -x -h "Sun Metaslot"
Enter Password or Pin for "Sun Metaslot":

A random seed must be generated that will be used in the
creation of your key.  One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!


Continue typing until the progress meter is full:

|************************************************************|

Finished.  Press enter to continue:


Generating key.  This may take a few moments...
#

8) List the certificate
#certutil -L -d . -h "Sun Metaslot"
Enter Password or Pin for "Sun Metaslot":
Sun Metaslot:Server-Cert                                     u,u,u

9) Try deleting it doesn't work.
#certutil -D -d . -n "Sun Metaslot:Server-Cert"
Enter Password or Pin for "Sun Metaslot":
certutil: unable to delete certificate: security library: bad database.

Comment 4

9 years ago
I do not remember any more details. You can close the bug if you can not reproduce it.
comment 3 appears to be a copy of comment 0.  Why?

Comment 6

9 years ago
Accidental. There is no way to delete comments !! 
Created attachment 334969 [details]
NSS PKCS11 trace log from the certutil -D command

I was able to reproduce the problem while tracing the PKCS#11 interface
to the module in question.  The trace log shows that we established 
a read-write session, and then tried to destroy the cert object, and
the module returned error 0xb5 which is CKR_SESSION_READ_ONLY .

Here is the relevant trace log excerpt:
: C_OpenSession
:   slotID = 0x0
:   flags = 0x6
:   pApplication = 0x855d0
:   Notify = 0xff1f14f0
:   phSession = 0xffbfef28
:   *phSession = 0x55270
:   rv = 0x0
: C_DestroyObject
:   hSession = 0x55270
:   hObject = 0x962b8
:   rv = 0xb5

This appears to be a bug in the PKCS#11 module, not in NSS.
Here are more relevant excerpts from the trace log:

: C_FindObjectsInit
:   hSession = 0x55050
:   pTemplate = 0xffbff014
:   ulCount = 3
:     CKA_LABEL = Server-Cert [11]
:     CKA_TOKEN = CK_TRUE [1]
:     CKA_CLASS = CKO_CERTIFICATE [4]
:   rv = 0x0
: C_FindObjects
:   hSession = 0x55050
:   phObject = 0xffbfeee0
:   ulMaxObjectCount = 16
:   pulObjectCount = 0xffbfef24
:   *pulObjectCount = 0x1
:   phObject[0] = 0x962b8
:   rv = 0x0
: C_FindObjectsFinal
:   hSession = 0x55050
:   rv = 0x0

: C_GetAttributeValue
:   hSession = 0x55050
:   hObject = 0x962b8
:   pTemplate = 0xffbfedc4
:   ulCount = 2
:     CKA_TOKEN = CK_TRUE [1]
:     CKA_LABEL = Server-Cert [11]
:   rv = 0x0

I'm resolving this "invalid" because, while there is a reproducible bug,
it appears not to be an NSS bug.  If that changes, I'll reopen this.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.