Closed Bug 72290 Opened 23 years ago Closed 6 months ago

pk12util reports the same generic error for different cases

Categories

(NSS :: Tools, defect, P2)

Product:
NSS
Component:
Tools
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED INACTIVE

People

(Reporter: julien.pierre, Unassigned)

Details

doing this :

(iws-perf)/home/jpierre/60dbg/alias{55} pk12util -i 
/u/jpierre/pk12util/wildcard.p12 -h ncipher -d . 
-P https-iws-perf.red.iplanet.com-iws-perf- 
Enter Password or Pin for "ncipher":
Enter password for PKCS12 file: 
pk12util: PKCS12 decode validate bags failed.

In fact, there was nothing wrong with the pk12 file I was trying to import into 
my ncipher token. The problem was that the token will only allow import if 
logged in as root. But the feedback I get from pk12util is that there is 
something wrong with the p12 file instead.
FYI, the same generic message is displayed when importing a cert/key that 
already exists in the token. There should be separate error messages for all 
these cases.
Summary: pk12util reports incorrect error → pk12util reports the same generic error for different cases
Priority: -- → P2
Target Milestone: --- → 3.3
This is going to be way to much work to fix at this stage. I definately won't be
able to fix this bug and work on the other stuff at the same time. I'm moving
the target to 3.3 and it won't make 3.2.


bob
How about this :
You call your same error function that you currently have (displaying "decode 
validate bags failed") after you read the p12 file unsuccessfully. 

For all other cases, you call a different function that displays a generic NSPR 
/ NSS error and OS code (and corresponding message text, if available).

This should be a small change - just copy/paste your current error function to 
"p12_error". Change the current error function implementation to display 
the generic error code. Then, look for the place where you read the P12 file and 
call the new function. You don't have to look for all the other specific error 
cases.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Bob, should we move the target to NSS 3.4?

(NSS 3.3 has been redefined to deliver only the
JSS/NSS integration feature.)
Target Milestone: 3.3 → 3.4
Yes, I'm not sure it's actually possible to fix without hacking up the pkcs12
and pkcs7 code pretty seriously. (the errors in these cases occur so deeply in
the parsing it becomes pretty difficult to get the correct error code out.

bob
Bob,

Isn't there a way for you to see when the error is not happening in the file 
parsing ? I don't know the code but it seems to me you have to parse the file 
first and then import to the token - for this specific error code bug I reported 
at least. Or is there a very high level code where you say in one shot "open the 
file and import it to this token" - and then you can't get the proper error code 
from that ?

As far as getting the error code out, unless I'm missing something, why can't 
you use PR_SetError deep down in the code, and simply have pk12util check it 
with PR_GetError ?

No, it's all integrated. The call to load the stuff comes out of callbacks in
the file parsing code. It's really complicated and really painful to get error
codes back.

bob
Bob, is this going to get fixed eventually ? What's the schedule for 3.4 ?
I need to know to update status for the corresponding iWS bug.
It's a really low priority because it's a fair amount of work and significantly
less important than, say, trying to get two copies of the same cert in different
tokens to work well.

bob
This defect blocks NES Blackflag defect 541707. Any ETA?
I'm not sure it's going to get fixed anytime soon. Last time I tried to look at
this problem, it turns out that it's a more fundamental problem with the PKCS
#12 code. Detecting exactly what failed when is difficult. It may require a
complete rewrite of the PKCS #12 code to make any headway.

At this point the best we can do is print a more generic error from pkcs #12 (sigh).
Is this going to be included in NSS3.4?
Unfortunately no. At this time, only P1 bugs are being worked on for the 3.4 RTM.

Changed the QA contact to Bishakha.
QA Contact: sonja.mirtitsch → bishakhabanerjee
I know that PK12util reports much better errors than Communicator or Netscape 6,
but I'm sure it still falls short.
Target Milestone: 3.4 → 4.0
Add self to cc list.
Seems like it ought to be able to report a failure of IMPORT rather than
of DECODE.  I'll look at this.
We need to revisit this one before 4.0, as it continues to hurt our customers
and ourselves, as we have to basically debug any PKCS#12 file that doesn't work
with pk12util to find out what's wrong. Putting it on the 3.10 radar.
OS: Solaris → All
Hardware: Sun → All
Target Milestone: 4.0 → 3.10
QA Contact: bishakhabanerjee → jason.m.reid
Target Milestone: 3.10 → 3.12
QA Contact: jason.m.reid → tools
Assignee: rrelyea → neil.williams
Assignee: neil.williams → nobody
Target Milestone: 3.12 → ---

In the process of migrating remaining bugs to the new severity system, the severity for this bug cannot be automatically determined. Please retriage this bug using the new severity system.

Severity: major → --
Status: NEW → RESOLVED
Closed: 6 months ago
Resolution: --- → INACTIVE
You need to log in before you can comment on or make changes to this bug.