Open Bug 644201 Opened 9 years ago Updated 6 years ago

Firefox fails to change any cert trust settings, potentially corrupted cert9.db ?


(NSS :: Libraries, defect)

Not set


(Not tracked)


(Reporter: KaiE, Unassigned)




(1 file)

I try this:
- open cert manager
- authorities tab
- click any CA, e.g. I tried "AddTrust External CA"
- click "edit trust"
- disable all checkboxes
- click OK

actual behaviour:
- nothing happens
- dialog remains open
- trust is not stored

This happens only with one cert9.db file.
This cert9.db file is quite old, but I use it daily.
It belongs to my primary Firefox profile for work purposes.
It has been migrated from old profiles long ago.
I have been using it in a shared configuration with Thunderbird.

I traced through NSS in order to find the point of failure.

#0  import_object (tok=0xa5618018, sessionOpt=0x0, objectTemplate=0xbfff782c, otsize=11) at devtoken.c:246
#1  0x0396dc38 in nssToken_ImportTrust (tok=0xa5618018, sessionOpt=0x0, certEncoding=0xa2b660a8, certIssuer=0xa2b660b0, certSerial=0xa2b660c0, serverAuth=nssTrustLevel_ValidDelegator, clientAuth=nssTrustLevel_ValidDelegator, codeSigning=
    nssTrustLevel_ValidDelegator, emailProtection=nssTrustLevel_ValidDelegator, stepUpApproved=0, asTokenObject=1) at devtoken.c:1143
#2  0x0396aed6 in STAN_ChangeCertTrust (cc=0xa26bc010, trust=0xbfff79f8) at pki3hack.c:1165
#3  0x0395b50d in CERT_ChangeCertTrust (handle=0xa5614018, cert=0xa26bc010, trust=0xbfff79f8) at stanpcertdb.c:261
#4  0x01f16589 in nsNSSCertificateDB::SetCertTrust (this=0xa2ea7710, cert=0xa28f7580, type=1, trusted=0) at /plaindata/moz/mocent/mozilla/security/manager/ssl/src/nsNSSCertificateDB.cpp:1028

241         if (session == NULL) {
242             nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
243             return NULL;
244         }
245         nssSession_EnterMonitor(session);
246         ckrv = CKAPI(epv)->C_CreateObject(session->handle, 
247                                           objectTemplate, otsize,
248                                           &handle);
249         nssSession_ExitMonitor(session);
250         if (ckrv == CKR_OK) {

after line 246

(gdb) print ckrv
$25 = 257

=> return null, failure

cert9.db and key4.db have both read/write permissions.

FWIW, I am able to make other changes to the database, e.g. removing certificates.

In preparation to give you my cert9.db file for testing purposes,
I've removed all non-CA certs from the database using cert manager.
$25 = 257 = 0x101 = User not logged in.

In the new database you can't change the trust if you aren't logged in. Did PSM get a 'not logged in' failure? certutil now prompts for a password if it get's this error when dealing with the certdb.

(In reply to comment #1)
> $25 = 257 = 0x101 = User not logged in.
> In the new database you can't change the trust if you aren't logged in.

I didn't know about this new requirement!

I confirm that Master password set + logged in => works

However: Database without master password => does not work.

> Did PSM get a 'not logged in' failure?

I haven't seen anything.
How would you expect this to be reported from NSS to PSM?

If NSS requires that we're logged in,
shouldn't NSS trigger the "authentication callback"
that would bring up the prompt to login ?
Attached patch psm test patchSplinter Review
Bob, I made this quick patch for PSM with the following change:

Prior to calling CERT_ChangeCertTrust, 
check if login is needed.
If needed, call PK11_Authenticate.

For "check if login is needed", I copied existing code from another PSM function.

However, the patch does not help to fix this bug.
Blocks: 645499
You need to log in before you can comment on or make changes to this bug.