Open Bug 497672 Opened 15 years ago Updated 7 months ago

PK11_Authenticate fails with SEC_ERROR_IO on a database without a password initialized

Categories: NSS :: Libraries, defect, P5
Tracking: Not tracked
People: Reporter: wtc, Unassigned
Attachments: 1 file

This bug is present in NSS 3.12.0 and the NSS trunk (3.12.4.1 Beta).

Here are the steps to reproduce this bug on Linux:

1. Do
     rm ~/.pki/nssdb/*
to remove all the NSS (shared) databases.

2. Compile and run the attached program nssinit.c to create NSS databases
without a password initialized.

3. Do
     certutil -d sql:/home/wtc/.pki/nssdb -K
to list the keys in the database.

I get the following error message:

$ certutil -d sql:/home/wtc/.pki/nssdb -K
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
certutil: could not authenticate to token NSS Certificate DB.: An I/O error occurred during security authorization.

The SEC_ERROR_IO error code is set here:

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/pk11wrap/pk11auth.c&rev=1.9&mark=553-554#547

The call stack is:

(gdb) where
#0  PK11_DoPassword (slot=0x809fc48, loadCerts=1, wincx=0xffffd2cc)
    at pk11auth.c:554
#1  0xf7e445f6 in PK11_Authenticate (slot=0x809fc48, loadCerts=1, 
    wincx=0xffffd2cc) at pk11auth.c:319
#2  0x08051d14 in ListKeysInSlot (slot=0x809fc48, nickName=0x0, 
    keyType=nullKey, pwarg=0xffffd2cc) at certutil.c:782
#3  0x08052109 in ListKeys (slot=0x809fc48, nickName=0x0, index=0, 
    keyType=nullKey, dopriv=0, pwdata=0xffffd2cc) at certutil.c:873
#4  0x080567c2 in certutil_main (argc=4, argv=0xffffd674, initialize=1)
    at certutil.c:2565
#5  0x08057a4d in main (argc=1, argv=0x40000000) at certutil.c:2981

Note that we aren't getting SEC_ERROR_IO because of poor softoken error
reporting in this case.  SEC_ERROR_IO is set by the pk11wrap layer.

Is SEC_ERROR_IO the right error code for a token for which
PK11_NeedUserInit is true?

Trying to fiddle with some databases, I still see this (v3.16.2):
> $ certutil -d "sql:." -K
> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
> certutil: could not authenticate to token NSS Certificate DB.: SEC_ERROR_IO: An I/O error occurred during security authorization.

Any workarounds?

Sorry, actually the database was empty. Once I imported a pk with `pk12util`, it now lists the keys.

Severity: normal → S3
Severity: S3 → S4
Priority: -- → P5
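
A wrapper for the `certutil -K` step above that recognises the error line quoted in this bug, in both the 3.12.x and v3.16.2 wordings, so a caller does not mistake it for a disk fault. This is an added example, not part of the bug report or of NSS; the function names, the return codes 1 and 3, and the hint text are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the bug report). Function names and the return
# codes 1/3 are this example's own conventions.

# The two error lines quoted in this bug (NSS 3.12.x and v3.16.2 wordings).
SAMPLE_OLD='certutil: could not authenticate to token NSS Certificate DB.: An I/O error occurred during security authorization.'
SAMPLE_NEW='certutil: could not authenticate to token NSS Certificate DB.: SEC_ERROR_IO: An I/O error occurred during security authorization.'

# Print auth-io-error, auth-failed or other for a block of certutil stderr.
classify_certutil_stderr() {
    case $1 in
        *"could not authenticate to token"*"An I/O error occurred during security authorization"*)
            echo auth-io-error ;;
        *"could not authenticate to token"*)
            echo auth-failed ;;
        *)
            echo other ;;
    esac
}

# Run `certutil -d DBDIR -K`; return 0 on success, 3 for the failure
# described in this bug, 1 for any other failure.
list_keys_checked() {
    rc=0
    # Capture stderr only; the key listing on stdout passes through fd 3.
    { err=$(certutil -d "$1" -K 2>&1 1>&3); } 3>&1 || rc=$?
    if [ "$rc" -eq 0 ]; then
        return 0
    fi
    printf '%s\n' "$err" >&2
    if [ "$(classify_certutil_stderr "$err")" = auth-io-error ]; then
        echo "hint: per bug 497672, PK11_Authenticate reports SEC_ERROR_IO on a database without a password initialized; this need not be a disk fault" >&2
        return 3
    fi
    return 1
}

# Demo on the quoted lines; prints auth-io-error twice.
for s in "$SAMPLE_OLD" "$SAMPLE_NEW"; do
    classify_certutil_stderr "$s"
done
```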