Closed
Bug 644201
Opened 13 years ago
Closed 6 months ago
Firefox fails to change any cert trust settings, potentially corrupted cert9.db ?
Categories
(NSS :: Libraries, defect, P5)
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: KaiE, Unassigned)
References
Details
Attachments
(1 file)
|
6.06 KB,
patch
|
Details | Diff | Splinter Review |
I try this:
- open cert manager
- authorities tab
- click any CA, e.g. I tried "AddTrust External CA"
- click "edit trust"
- disable all checkboxes
- click OK
actual behaviour:
- nothing happens
- dialog remains open
- trust is not stored
This happens only with one cert9.db file.
This cert9.db file is quite old, but I use it daily.
It belongs to my primary Firefox profile for work purposes.
It has been migrated from old profiles long ago.
I have been using it in a shared configuration with Thunderbird.
I traced through NSS in order to find the point of failure.
#0 import_object (tok=0xa5618018, sessionOpt=0x0, objectTemplate=0xbfff782c, otsize=11) at devtoken.c:246
#1 0x0396dc38 in nssToken_ImportTrust (tok=0xa5618018, sessionOpt=0x0, certEncoding=0xa2b660a8, certIssuer=0xa2b660b0, certSerial=0xa2b660c0, serverAuth=nssTrustLevel_ValidDelegator, clientAuth=nssTrustLevel_ValidDelegator, codeSigning=
nssTrustLevel_ValidDelegator, emailProtection=nssTrustLevel_ValidDelegator, stepUpApproved=0, asTokenObject=1) at devtoken.c:1143
#2 0x0396aed6 in STAN_ChangeCertTrust (cc=0xa26bc010, trust=0xbfff79f8) at pki3hack.c:1165
#3 0x0395b50d in CERT_ChangeCertTrust (handle=0xa5614018, cert=0xa26bc010, trust=0xbfff79f8) at stanpcertdb.c:261
#4 0x01f16589 in nsNSSCertificateDB::SetCertTrust (this=0xa2ea7710, cert=0xa28f7580, type=1, trusted=0) at /plaindata/moz/mocent/mozilla/security/manager/ssl/src/nsNSSCertificateDB.cpp:1028
241 if (session == NULL) {
242 nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
243 return NULL;
244 }
245 nssSession_EnterMonitor(session);
246 ckrv = CKAPI(epv)->C_CreateObject(session->handle,
247 objectTemplate, otsize,
248 &handle);
249 nssSession_ExitMonitor(session);
250 if (ckrv == CKR_OK) {
after line 246
(gdb) print ckrv
$25 = 257
=> return null, failure
cert9.db and key4.db have both read/write permissions.
FWIW, I am able to make other changes to the database, e.g. removing certificates.
In preparation to give you my cert9.db file for testing purposes,
I've removed all non-CA certs from the database using cert manager.
|
||
Comment 1•13 years ago
|
||
$25 = 257 = 0x101 = User not logged in. In the new database you can't change the trust if you aren't logged in. Did PSM get a 'not logged in' failure? certutil now prompts for a password if it get's this error when dealing with the certdb. bob
|
Reporter | |
Comment 2•13 years ago
|
||
(In reply to comment #1) > $25 = 257 = 0x101 = User not logged in. > > In the new database you can't change the trust if you aren't logged in. I didn't know about this new requirement! I confirm that Master password set + logged in => works However: Database without master password => does not work. > Did PSM get a 'not logged in' failure? I haven't seen anything. How would you expect this to be reported from NSS to PSM? If NSS requires that we're logged in, shouldn't NSS trigger the "authentication callback" that would bring up the prompt to login ?
|
|
Reporter | |
Comment 3•13 years ago
|
||
Bob, I made this quick patch for PSM with the following change: Prior to calling CERT_ChangeCertTrust, check if login is needed. If needed, call PK11_Authenticate. For "check if login is needed", I copied existing code from another PSM function. However, the patch does not help to fix this bug.
|
||
Updated•2 years ago
|
Severity: normal → S3
|
||
Updated•6 months ago
|
Severity: S3 → S4
Status: NEW → RESOLVED
Closed: 6 months ago
Priority: -- → P5
Resolution: --- → INVALID
You need to log in
before you can comment on or make changes to this bug.
Description
•