Closed Bug 72290 Opened 24 years ago Closed 1 year ago

pk12util reports the same generic error for different cases

Categories

(NSS :: Tools, defect, P2)

Product:
NSS
Component:
Tools
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED INACTIVE

People

(Reporter: julien.pierre, Unassigned)

Details

doing this : (iws-perf)/home/jpierre/60dbg/alias{55} pk12util -i /u/jpierre/pk12util/wildcard.p12 -h ncipher -d . -P https-iws-perf.red.iplanet.com-iws-perf- Enter Password or Pin for "ncipher": Enter password for PKCS12 file: pk12util: PKCS12 decode validate bags failed. In fact, there was nothing wrong with the pk12 file I was trying to import into my ncipher token. The problem was that the token will only allow import if logged in as root. But the feedback I get from pk12util is that there is something wrong with the p12 file instead.
FYI, the same generic message is displayed when importing a cert/key that already exists in the token. There should be separate error messages for all these cases.
Summary: pk12util reports incorrect error → pk12util reports the same generic error for different cases
Priority: -- → P2
Target Milestone: --- → 3.3
This is going to be way to much work to fix at this stage. I definately won't be able to fix this bug and work on the other stuff at the same time. I'm moving the target to 3.3 and it won't make 3.2. bob
How about this : You call your same error function that you currently have (displaying "decode validate bags failed") after you read the p12 file unsuccessfully. For all other cases, you call a different function that displays a generic NSPR / NSS error and OS code (and corresponding message text, if available). This should be a small change - just copy/paste your current error function to "p12_error". Change the current error function implementation to display the generic error code. Then, look for the place where you read the P12 file and call the new function. You don't have to look for all the other specific error cases.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Bob, should we move the target to NSS 3.4? (NSS 3.3 has been redefined to deliver only the JSS/NSS integration feature.)
Target Milestone: 3.3 → 3.4
Yes, I'm not sure it's actually possible to fix without hacking up the pkcs12 and pkcs7 code pretty seriously. (the errors in these cases occur so deeply in the parsing it becomes pretty difficult to get the correct error code out. bob
Bob, Isn't there a way for you to see when the error is not happening in the file parsing ? I don't know the code but it seems to me you have to parse the file first and then import to the token - for this specific error code bug I reported at least. Or is there a very high level code where you say in one shot "open the file and import it to this token" - and then you can't get the proper error code from that ? As far as getting the error code out, unless I'm missing something, why can't you use PR_SetError deep down in the code, and simply have pk12util check it with PR_GetError ?
No, it's all integrated. The call to load the stuff comes out of callbacks in the file parsing code. It's really complicated and really painful to get error codes back. bob
Bob, is this going to get fixed eventually ? What's the schedule for 3.4 ? I need to know to update status for the corresponding iWS bug.
It's a really low priority because it's a fair amount of work and significantly less important than, say, trying to get two copies of the same cert in different tokens to work well. bob
This defect blocks NES Blackflag defect 541707. Any ETA?
I'm not sure it's going to get fixed anytime soon. Last time I tried to look at this problem, it turns out that it's a more fundamental problem with the PKCS #12 code. Detecting exactly what failed when is difficult. It may require a complete rewrite of the PKCS #12 code to make any headway. At this point the best we can do is print a more generic error from pkcs #12 (sigh).
Is this going to be included in NSS3.4?
Unfortunately no. At this time, only P1 bugs are being worked on for the 3.4 RTM.
Changed the QA contact to Bishakha.
QA Contact: sonja.mirtitsch → bishakhabanerjee
I know that PK12util reports much better errors than Communicator or Netscape 6, but I'm sure it still falls short.
Target Milestone: 3.4 → 4.0
Add self to cc list. Seems like it ought to be able to report a failure of IMPORT rather than of DECODE. I'll look at this.
We need to revisit this one before 4.0, as it continues to hurt our customers and ourselves, as we have to basically debug any PKCS#12 file that doesn't work with pk12util to find out what's wrong. Putting it on the 3.10 radar.
OS: Solaris → All
Hardware: Sun → All
Target Milestone: 4.0 → 3.10
QA Contact: bishakhabanerjee → jason.m.reid
Target Milestone: 3.10 → 3.12
QA Contact: jason.m.reid → tools
Assignee: rrelyea → neil.williams
Assignee: neil.williams → nobody
Target Milestone: 3.12 → ---

In the process of migrating remaining bugs to the new severity system, the severity for this bug cannot be automatically determined. Please retriage this bug using the new severity system.

Severity: major → --
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → INACTIVE
You need to log in before you can comment on or make changes to this bug.