On Wednesday, January 29, 2020 at 12:01:19 AM UTC+1, Usha Nayak wrote:
> Hello,
> 
> Adding a few more details to this issue we are facing in regards to NSS. 
> Please note: this was not an issue with NSS3.42.1. We are looking to upgrade 
> to NSS3.47.1 and have noticed it from then on. We approached IAIK as well in 
> regards to this after debugging their pkcs#11wrapper module. Please see their 
> response at the bottom of the post.
> 
> We created sample Java client that uses IAIK PKCS#11 Wrapper 1.4 to connect 
> to NSS
> 
>               Module pkcs11Module = Module.getInstance( library ); // library 
> -> softokn3.dll
>               .....
>               pkcs11Module.initialize(arguments); // arguments -> maps to 
> initializeArguments
>               ....
>               session = token.openSession(Token.SessionType.SERIAL_SESSION, 
> Token.SessionReadWriteBehavior.RW_SESSION, null, null);
>               ...
>               session.login(Session.UserType.USER, pin.toCharArray()); // 
> login is fine
>               ...
>                    
>         // set the general attributes for the public key
>         rsaPublicKeyTemplate.getToken().setBooleanValue(Boolean.TRUE);  /// 
> this is source of problem . If set to False ( meaning session object), client 
> works fine.
>               ...
> 
>         // set the general attributes for the private key
>         rsaPrivateKeyTemplate.getToken().setBooleanValue(Boolean.TRUE);    
> /// this is source of problem . If set to False ( meaning session object), 
> client works fine.  
>         ....
> 
>         KeyPair generatedKeyPair = null;
>         try
>         {
>             generatedKeyPair = 
> session.generateKeyPair(keyPairGenerationMechanism,rsaPublicKeyTemplate, 
> rsaPrivateKeyTemplate);
>         }
>         catch (TokenException e)
>         {
>             String msg = "Failed to generate RSA key pair on token: " + 
> e.getMessage();
>             throw new Exception( msg, e );
>         }
>               ...
>               
> Input file for the sample client :
>               library=softokn3.dll
> 
>               
> initializeArguments=configDir='sql:D:/workdir/devunit/KMDemo/NSS/db' 
> certPrefix='' keyPrefix='' secmod='' flags='readWrite' updatedir='' 
> updateCertPrefix='' updateKeyPrefix='' updateTokenDescription=''
> 
>               pin=XXXXX
> 
>               slot=1
> 
>               libPath=D:/workdir/devunit/KMDemo/NSS-3.49/lib
> 
>               
> libList=libnspr4.dll,libplc4.dll,libplds4.dll,sqlite3.dll,nssutil3.dll,softokn3.dll
>               
> 
> Steps I've been following:
> 
>               1) I cleanup  NSS db directory. 
>               2) Prior to executing the client code, I recreate the NSS db.
>                  a) Create NSS db  ---> modutil -create -dbdir 
> sql:D:\workdir\devunit\KMDemo\NSS\db
>                  b) Provide password --->  modutil -dbdir 
> sql:D:\workdir\devunit\KMDemo\NSS\db -changepw "NSS Certificate DB"  
>                  c) Check content of the db  --> certutil -K -d 
> sql:D:\workdir\devunit\KMDemo\NSS\db  ( displays no keys )
>               3) Run the Sample client code. Saw exception
>                       
> ################################################################################
>                       PKCS#11 session login successful
>                       
> ################################################################################
>                       Generating new 2048 bit RSA key-pair...
>                       java.lang.Exception: Failed to generate RSA key pair on 
> token: CKR_GENERAL_ERROR
>                                       at 
> demo.pkcs.pkcs11.GenerateKeyPair.main(GenerateKeyPair.java:110)
>                       Caused by: iaik.pkcs.pkcs11.wrapper.PKCS11Exception: 
> CKR_GENERAL_ERROR
>                                       at 
> iaik.pkcs.pkcs11.wrapper.PKCS11Implementation.C_GetAttributeValue(Native 
> Method)
>                                       at 
> iaik.pkcs.pkcs11.objects.Object.getAttributeValue(Object.java:716)
>                                       at 
> iaik.pkcs.pkcs11.objects.Key.readAttributes(Key.java:622)
>                                       at 
> iaik.pkcs.pkcs11.objects.PublicKey.readAttributes(PublicKey.java:398)
>                                       at 
> iaik.pkcs.pkcs11.objects.RSAPublicKey.readAttributes(RSAPublicKey.java:242)
>                                       at 
> iaik.pkcs.pkcs11.objects.Object.<init>(Object.java:223)
>                                       at 
> iaik.pkcs.pkcs11.objects.Storage.<init>(Storage.java:105)
>                                       at 
> iaik.pkcs.pkcs11.objects.Key.<init>(Key.java:321)
>                                       at 
> iaik.pkcs.pkcs11.objects.PublicKey.<init>(PublicKey.java:119)
>                                       at 
> iaik.pkcs.pkcs11.objects.RSAPublicKey.<init>(RSAPublicKey.java:96)
>                                       at 
> iaik.pkcs.pkcs11.objects.RSAPublicKey.getInstance(RSAPublicKey.java:118)
>                                       at 
> iaik.pkcs.pkcs11.objects.PublicKey.getInstance(PublicKey.java:156)
>                                       at 
> iaik.pkcs.pkcs11.objects.Object.getInstance(Object.java:262)
>                                       at 
> iaik.pkcs.pkcs11.Session.generateKeyPair(Session.java:1260)
>                                       at 
> demo.pkcs.pkcs11.GenerateKeyPair.main(GenerateKeyPair.java:105)
>                       
> ################################################################################
>                       Close Session...
>                       PKCS#11 session logout successful
> 
>               4) Check the NSS key db store for the contents:
>                       D:\workdir\devunit\KMDemo>certutil -K -d 
> sql:D:\workdir\devunit\KMDemo\NSS\db
>                       certutil: Checking token "NSS Certificate DB" in slot 
> "NSS User Private Key and Certificate Services"
>                       Enter Password or Pin for "NSS Certificate DB":
>                       < 0> rsa      
> "60b0df57-df82-4a73-b1c9-7fc17204e1d0;157" KMRootCA
> 
>               NOTE: I see the exception in the console as well as notice that 
> NSS store having the key. 
> 
> 
> Debugged IAIK:
> •     Enabled debugging of IAIK PKCS#11 Wrapper module. 
> 
> 01/23/20 19:38:18  ERROR: got 5 instead of CKR_OK, going to raise an 
> exception (in 
> Java_iaik_pkcs_pkcs11_wrapper_PKCS11Implementation_C_1GetAttributeValue)
> 
> •     I decided to build/debug the native pkcs11Wrapper code with the Java 
> sample client.
> 
> JNIEXPORT void JNICALL 
> Java_iaik_pkcs_pkcs11_wrapper_PKCS11Implementation_C_1GetAttributeValue
>   (JNIEnv *env, jobject obj, jlong jSessionHandle, jlong jObjectHandle, 
> jobjectArray jTemplate, jboolean jUseUtf8)
> {
> .....
>     rv = (*ckpFunctions->C_GetAttributeValue)(ckSessionHandle, 
> ckObjectHandle, ckpAttributes, ckAttributesLength); 
> ...
> 
> }
> Values in the variable when this failure occurred ..
> 
> rv = 5
> 
> + ckpAttributes 0x0000000017e7cb00 {type=1073742353 pValue=0x0000000017e76980 
> ulValueLen=240 } CK_ATTRIBUTE *
> ckObjectHandle 2357156729 unsigned long
> + ckpFunctions softokn3.dll!0x00007ffee9b0c620 (load symbols for additional 
> information) {version={major=1 '\x1' minor=...} ...} CK_FUNCTION_LIST *
> ckSessionHandle 16777217 unsigned long
> ckAttributesLength 23 unsigned long
> 
> 
> •     The above highlighted code does make a call to NSS ( softokn3 ) and 
> receives 5 ( which stands for CKR_GENERAL_ERROR ) for the ckpAttributes 
> type=1073742353. 
> 
> I approached IAIK, here’s the response they provided …
> 
> 
> On Fri, Jan 24, 2020 at 3:12 AM SIC/IAIK <XXXX> wrote:
> The ckpAttributes that you have viewed in the debugger is actually an array 
> with multiple ckAttributes. Specifically 1073742353 is the CKA_WRAP_TEMPLATE 
> attribute.
> I traced the error down to this NSS git commit [1]. There is seemingly a 
> problem when querying ArrayAttributes. It produces an sqlite_error in the NSS 
> code.
> However, I'm pretty sure that this error is an actual NSS error and cannot be 
> fixed from our side. I would suggest filing a bug report.
> [1]: 
> https://github.com/nss-dev/nss/commit/f572a15e45c5c4a26a0ada7ee008843ad19ec202
> 
> 
> Please let us know ..
> 
> Thanks..


Hi Usha,

Thanks for the additional information. Unfortunately, we've not been able to 
reproduce this. More details (minimally, all arguments passed in each NSS 
function call) would be helpful. A C/C++ reproducer would be ideal.

Thanks,
Kevin
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
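Kevin asks for a C-level reproducer. The fragment below is an added example written for this thread; it is not code from NSS, IAIK or the original poster. It narrows the failure in the way the debugger session above could not: the IAIK wrapper requests all 23 attributes in a single C_GetAttributeValue call, so a CKR_GENERAL_ERROR (5) for the whole call does not say which attribute triggered it. The probe walks the template one attribute at a time using the standard two-call convention (pValue == NULL first, to get the length), which is exactly where an array attribute such as CKA_WRAP_TEMPLATE (0x40000211 = 1073742353) is first touched. The PKCS#11 type subset is copied from the v2.40 header so the file builds without pkcs11.h; the session and object handle values are the ones shown in the debugger output above. The function `fake_get_attribute_value` is a constructed stand-in that mimics the reported behaviour so the file runs offline; to probe real softoken, load the module, call C_GetFunctionList, and pass `fl->C_GetAttributeValue` in its place.

```c
/* Added example: per-attribute C_GetAttributeValue probe (not NSS/IAIK code). */
#include <stddef.h>
#include <stdio.h>

/* Minimal PKCS#11 v2.40 type subset, copied so no pkcs11.h is required. */
typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_RV;
typedef CK_ULONG CK_ATTRIBUTE_TYPE;
typedef CK_ULONG CK_SESSION_HANDLE;
typedef CK_ULONG CK_OBJECT_HANDLE;
typedef unsigned char CK_BBOOL;
typedef void *CK_VOID_PTR;

typedef struct CK_ATTRIBUTE {
    CK_ATTRIBUTE_TYPE type;
    CK_VOID_PTR pValue;
    CK_ULONG ulValueLen;
} CK_ATTRIBUTE, *CK_ATTRIBUTE_PTR;

#define CKR_OK                 0x00UL
#define CKR_GENERAL_ERROR      0x05UL          /* the "rv = 5" seen in the debugger */
#define CKA_CLASS              0x000UL
#define CKA_TOKEN              0x001UL
#define CKA_MODULUS_BITS       0x121UL
#define CKF_ARRAY_ATTRIBUTE    0x40000000UL
#define CKA_WRAP_TEMPLATE      (CKF_ARRAY_ATTRIBUTE | 0x211UL)  /* 1073742353 */
#define CKA_UNWRAP_TEMPLATE    (CKF_ARRAY_ATTRIBUTE | 0x212UL)

/* Signature of the real entry point. With a loaded module, obtain it from the
 * CK_FUNCTION_LIST returned by C_GetFunctionList (fl->C_GetAttributeValue). */
typedef CK_RV (*GetAttrFn)(CK_SESSION_HANDLE, CK_OBJECT_HANDLE,
                           CK_ATTRIBUTE_PTR, CK_ULONG);

/* Length-only query for one attribute (pValue == NULL). Returns the module's
 * CK_RV; on CKR_OK, *len_out receives ulValueLen as reported by the module. */
CK_RV probe_attribute(GetAttrFn getattr, CK_SESSION_HANDLE hs,
                      CK_OBJECT_HANDLE ho, CK_ATTRIBUTE_TYPE type,
                      CK_ULONG *len_out)
{
    CK_ATTRIBUTE a = { type, NULL, 0 };
    CK_RV rv = getattr(hs, ho, &a, 1);
    if (rv != CKR_OK)
        return rv;
    *len_out = a.ulValueLen;
    return CKR_OK;
}

/* Walk a template one attribute at a time. Returns the index of the first
 * attribute whose query fails (its CK_RV in *rv_out), or -1 if all succeed. */
int find_failing_attribute(GetAttrFn getattr, CK_SESSION_HANDLE hs,
                           CK_OBJECT_HANDLE ho, const CK_ATTRIBUTE_TYPE *types,
                           size_t n, CK_RV *rv_out)
{
    for (size_t i = 0; i < n; i++) {
        CK_ULONG len = 0;
        CK_RV rv = probe_attribute(getattr, hs, ho, types[i], &len);
        if (rv != CKR_OK) {
            *rv_out = rv;
            return (int)i;
        }
    }
    *rv_out = CKR_OK;
    return -1;
}

/* Constructed stand-in that mimics the behaviour reported in the thread:
 * CKR_GENERAL_ERROR for the array attributes, CKR_OK for everything else.
 * It is NOT softoken; replace it with the real function pointer to test NSS. */
CK_RV fake_get_attribute_value(CK_SESSION_HANDLE hs, CK_OBJECT_HANDLE ho,
                               CK_ATTRIBUTE_PTR tpl, CK_ULONG count)
{
    (void)hs; (void)ho;
    for (CK_ULONG i = 0; i < count; i++) {
        if (tpl[i].type == CKA_WRAP_TEMPLATE || tpl[i].type == CKA_UNWRAP_TEMPLATE)
            return CKR_GENERAL_ERROR;
        tpl[i].ulValueLen = (tpl[i].type == CKA_TOKEN) ? sizeof(CK_BBOOL)
                                                       : sizeof(CK_ULONG);
    }
    return CKR_OK;
}

int main(void)
{
    /* A few of the attribute types IAIK's RSAPublicKey.readAttributes asks for. */
    const CK_ATTRIBUTE_TYPE types[] = { CKA_CLASS, CKA_TOKEN, CKA_MODULUS_BITS,
                                        CKA_WRAP_TEMPLATE, CKA_UNWRAP_TEMPLATE };
    CK_RV rv;
    /* Handles taken from the debugger values in the thread. */
    int idx = find_failing_attribute(fake_get_attribute_value, 16777217UL,
                                     2357156729UL, types, 5, &rv);
    if (idx < 0)
        printf("all attributes readable\n");
    else
        printf("attribute #%d (type %lu) failed with CK_RV %lu\n",
               idx, types[idx], rv);
    return 0;
}
```

Run against a real module, the index returned by `find_failing_attribute` tells you whether the failure is isolated to CKA_WRAP_TEMPLATE/CKA_UNWRAP_TEMPLATE (consistent with IAIK's analysis of array-attribute handling) or affects other attributes of the freshly generated token object as well, which is the detail the NSS maintainers would need alongside the full argument list of each call.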
