Closed
Bug 644201
Opened 14 years ago
Closed 1 year ago
Firefox fails to change any cert trust settings, potentially corrupted cert9.db ?
Categories
(NSS :: Libraries, defect, P5)
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: KaiE, Unassigned)
Attachments (1 file): 6.06 KB, patch
I try this:
- open cert manager
- authorities tab
- click any CA, e.g. I tried "AddTrust External CA"
- click "edit trust"
- disable all checkboxes
- click OK
actual behaviour:
- nothing happens
- dialog remains open
- trust is not stored
This happens only with one cert9.db file.
This cert9.db file is quite old, but I use it daily.
It belongs to my primary Firefox profile for work purposes.
It has been migrated from old profiles long ago.
I have been using it in a shared configuration with Thunderbird.
I traced through NSS in order to find the point of failure.
#0 import_object (tok=0xa5618018, sessionOpt=0x0, objectTemplate=0xbfff782c, otsize=11) at devtoken.c:246
#1 0x0396dc38 in nssToken_ImportTrust (tok=0xa5618018, sessionOpt=0x0, certEncoding=0xa2b660a8, certIssuer=0xa2b660b0, certSerial=0xa2b660c0, serverAuth=nssTrustLevel_ValidDelegator, clientAuth=nssTrustLevel_ValidDelegator, codeSigning=nssTrustLevel_ValidDelegator, emailProtection=nssTrustLevel_ValidDelegator, stepUpApproved=0, asTokenObject=1) at devtoken.c:1143
#2 0x0396aed6 in STAN_ChangeCertTrust (cc=0xa26bc010, trust=0xbfff79f8) at pki3hack.c:1165
#3 0x0395b50d in CERT_ChangeCertTrust (handle=0xa5614018, cert=0xa26bc010, trust=0xbfff79f8) at stanpcertdb.c:261
#4 0x01f16589 in nsNSSCertificateDB::SetCertTrust (this=0xa2ea7710, cert=0xa28f7580, type=1, trusted=0) at /plaindata/moz/mocent/mozilla/security/manager/ssl/src/nsNSSCertificateDB.cpp:1028
241 if (session == NULL) {
242 nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
243 return NULL;
244 }
245 nssSession_EnterMonitor(session);
246 ckrv = CKAPI(epv)->C_CreateObject(session->handle,
247 objectTemplate, otsize,
248 &handle);
249 nssSession_ExitMonitor(session);
250 if (ckrv == CKR_OK) {
after line 246
(gdb) print ckrv
$25 = 257
=> return null, failure
cert9.db and key4.db have both read/write permissions.
FWIW, I am able to make other changes to the database, e.g. removing certificates.
In preparation to give you my cert9.db file for testing purposes,
I've removed all non-CA certs from the database using cert manager.
Comment 1•14 years ago
$25 = 257 = 0x101 = User not logged in.
In the new database you can't change the trust if you aren't logged in. Did PSM get a 'not logged in' failure? certutil now prompts for a password if it gets this error when dealing with the certdb.
bob
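The control flow described in comment 1 (attempt the trust write, and on CKR_USER_NOT_LOGGED_IN authenticate and retry), as an added example that is not part of the original comment and is not NSS or certutil code. The `toy_token` type and the `toy_*` and `change_trust` functions are a hypothetical in-memory stand-in for the token; only the CKR_* values are real PKCS#11 constants.

```c
#include <stdio.h>
#include <string.h>

/* Real PKCS#11 return values; 0x101 is the 257 printed by gdb above. */
#define CKR_OK                 0x000UL
#define CKR_PIN_INCORRECT      0x0A0UL
#define CKR_USER_NOT_LOGGED_IN 0x101UL

/* Hypothetical in-memory stand-in for a token (not an NSS type). */
typedef struct { const char *pin; int logged_in; int trust_flags; } toy_token;

/* Models C_Login: the session becomes logged in only if the PIN matches. */
static unsigned long toy_login(toy_token *t, const char *pin) {
    if (strcmp(t->pin, pin) != 0) return CKR_PIN_INCORRECT;
    t->logged_in = 1;
    return CKR_OK;
}

/* Models the failing C_CreateObject call: trust writes require a login. */
static unsigned long toy_store_trust(toy_token *t, int flags) {
    if (!t->logged_in) return CKR_USER_NOT_LOGGED_IN;
    t->trust_flags = flags;
    return CKR_OK;
}

/* Try the write; on "not logged in" authenticate once and retry.
 * Any other error, or a failed login, goes back to the caller so the
 * UI can report it rather than leave the dialog open with no message. */
unsigned long change_trust(toy_token *t, int flags, const char *pin) {
    unsigned long rv = toy_store_trust(t, flags);
    if (rv != CKR_USER_NOT_LOGGED_IN) return rv;
    rv = toy_login(t, pin);
    if (rv != CKR_OK) return rv;
    return toy_store_trust(t, flags);
}

int main(void) {
    toy_token t = { "secret", 0, 7 };   /* constructed sample state */
    printf("direct write: 0x%lx\n", toy_store_trust(&t, 0));
    printf("wrong pin:    0x%lx\n", change_trust(&t, 0, "nope"));
    printf("login+retry:  0x%lx\n", change_trust(&t, 0, "secret"));
    return 0;
}
```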
Comment 2•14 years ago (Reporter)
(In reply to comment #1)
> $25 = 257 = 0x101 = User not logged in.
>
> In the new database you can't change the trust if you aren't logged in.
I didn't know about this new requirement!
I confirm that Master password set + logged in => works
However: Database without master password => does not work.
> Did PSM get a 'not logged in' failure?
I haven't seen anything.
How would you expect this to be reported from NSS to PSM?
If NSS requires that we're logged in,
shouldn't NSS trigger the "authentication callback"
that would bring up the prompt to log in?
Comment 3•14 years ago (Reporter)
Bob, I made this quick patch for PSM with the following change:
Prior to calling CERT_ChangeCertTrust,
check if login is needed.
If needed, call PK11_Authenticate.
For "check if login is needed", I copied existing code from another PSM function.
However, the patch does not help to fix this bug.
Updated•2 years ago
Severity: normal → S3
Updated•1 year ago
Severity: S3 → S4
Status: NEW → RESOLVED
Closed: 1 year ago
Priority: -- → P5
Resolution: --- → INVALID