Closed Bug 455554 Opened 16 years ago Closed 16 years ago

invalid OCSP signer cert when smart card is plugged in

Categories

(NSS :: Libraries, defect)

Product:
NSS
Component:
Libraries
Version:
3.12.1
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
major

Tracking

(Not tracked)

Status:
RESOLVED INVALID

People

(Reporter: nelson, Unassigned)

Details

SeaMonkey trunk, using NSS 3.12.1.1 

When I have my Aladdin smart card (USB fob) plugged in, and I visit 
https://www.startssl.com/ I am told that the OCSP signing cert is invalid.
This is repeatable.  The "try again" button always produces the same result.

If I unplug the smart card, and click the "try again" button, I can visit 
the page without any problem.  

This bug will probably turn out to be a duplicate of bug 444974.
I strongly suspect this is related to bug 444850, which fixes a similar bug
that occurs in the presence of misbehaving PKCS#11 modules.  

The cause of this problem may (or may not) also be the cause of bug 454406.
I can now reproduce this in the debugger.  
It is not related to the fixes committed for bug 444850.  
I had suspected it was a regression due to that bug fix.  It is not.

For reasons not yet clear, the Aladdin PKCS#11 module's slots are all 
listed as the preferred ("default") slots for RSA computations, which 
means that NSS is attempting to do ALL the RSA operations, including
verification of signatures on certificates, in the Aladdin PKCS#11 module
for my smart card token.  It only does this when the token is present,
not when the token is absent, which explains why removing the card makes
the problem cease.

Every second time that NSS attempts to import an RSA public key as a new
"session" (temporary, not persistent) object into the smart card slot, the
operation fails with error 0xd1, CKR_TEMPLATE_INCONSISTENT.  The first 
attempt succeeds, the second attempt fails, the third attempt succeeds, 
the fourth attempt fails, and so on.  This causes every other certificate
signature checked to be found to be bad.  That is probably a defect in the
Aladdin PKCS#11 module.  

But the question is: why does NSS have the Aladdin PKCS#11 slots listed as
"default" slots for RSA operations?  I will investigate that next.
Perhaps not related, but which driver version are you using?
Modutil reports that the PKCS#11 module has 
Default Mechanism Flags: RSA:DES

I wonder how that happened.
Eddy, in answer to your question in comment 2, modutil reports:

Name: eToken
Library file: eTPKCS11.DLL
Manufacturer: Aladdin Ltd.
Description: eToken PKCS#11
PKCS #11 Version 2.1
Library Version: 4.0
Cipher Enable Flags: None
Default Mechanism Flags: RSA:DES

Windows reports for that file:
File Version   4.0.43.0
The command
modutil -dbdir "$DBDIR" -undefault eToken -mechanisms RSA:DES
reported it had succeeded, and then crashed.  :( 
Probably a strict reference count assertion botch.
It does appear to have succeeded.
/Nelson is getting updated drivers/ (just in case)
OK, using modutil, I removed the "default mechanism flags" from this module,
and that cured this problem.  Although I do not recall having set those 
flags, I still think it is a very likely explanation that I did so, and have
merely forgotten it.  :)  

I'm willing to reject this bug report as invalid.  It's no fault of NSS if 
the user (me) sets the default mechanism flags badly.  :)  

But I still think that bug 444974 may conceivably have a similar cause.  
I will ask the reporters of that bug to test this hypothesis with modutil.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.