Hello, Adding few more details to this issue we are facing in regards to NSS. Please note: this was not an issue with NSS3.42.1. We are looking to upgrade to NSS3.47.1 and have noticed it from then on. We approached IAIK aswell in regards to this after debugging their pkcs#11wrapper module. Please see their response at the below of the post.
We created sample Java client that uses IAIK PKCS#11 Wrapper 1.4 to connect to NSS Module pkcs11Module = Module.getInstance( library ); // library -> softokn3.dll ..... pkcs11Module.initialize(arguments); // arguments -> maps to initializeArguments .... session = token.openSession(Token.SessionType.SERIAL_SESSION, Token.SessionReadWriteBehavior.RW_SESSION, null, null); ... session.login(Session.UserType.USER, pin.toCharArray()); // login is fine ... // set the general attributes for the public key rsaPublicKeyTemplate.getToken().setBooleanValue(Boolean.TRUE); /// this is source of problem . If set to False ( meaning session object), client works fine. ... // set the general attributes for the private key rsaPrivateKeyTemplate.getToken().setBooleanValue(Boolean.TRUE); /// this is source of problem . If set to False ( meaning session object), client works fine. .... KeyPair generatedKeyPair = null; try { generatedKeyPair = session.generateKeyPair(keyPairGenerationMechanism,rsaPublicKeyTemplate, rsaPrivateKeyTemplate); } catch (TokenException e) { String msg = "Failed to generate RSA key pair on token: " + e.getMessage(); throw new Exception( msg, e ); } ... Input file for the sample client : library=softokn3.dll initializeArguments=configDir='sql:D:/workdir/devunit/KMDemo/NSS/db' certPrefix='' keyPrefix='' secmod='' flags='readWrite' updatedir='' updateCertPrefix='' updateKeyPrefix='' updateTokenDescription='' pin=XXXXX slot=1 libPath=D:/workdir/devunit/KMDemo/NSS-3.49/lib libList=libnspr4.dll,libplc4.dll,libplds4.dll,sqlite3.dll,nssutil3.dll,softokn3.dll Steps I've been following :: 1) I cleanup NSS db directory. 2) Prior to executing the client code, I recreate the NSS db. a) Create NSS db ---> modutil -create -dbdir sql:D:\workdir\devunit\KMDemo\NSS\db b) Provide password ---> modutil -dbdir sql:D:\workdir\devunit\KMDemo\NSS\db -changepw "NSS Certificate DB" c) Check content of the db --> certutil -K -d sql:D:\workdir\devunit\KMDemo\NSS\db ( displays no keys ) 3) Run the Sample client code. Saw exception ################################################################################ PKCS#11 session login successful ################################################################################ Generating new 2048 bit RSA key-pair... java.lang.Exception: Failed to generate RSA key pair on token: CKR_GENERAL_ERROR at demo.pkcs.pkcs11.GenerateKeyPair.main(GenerateKeyPair.java:110) Caused by: iaik.pkcs.pkcs11.wrapper.PKCS11Exception: CKR_GENERAL_ERROR at iaik.pkcs.pkcs11.wrapper.PKCS11Implementation.C_GetAttributeValue(Native Method) at iaik.pkcs.pkcs11.objects.Object.getAttributeValue(Object.java:716) at iaik.pkcs.pkcs11.objects.Key.readAttributes(Key.java:622) at iaik.pkcs.pkcs11.objects.PublicKey.readAttributes(PublicKey.java:398) at iaik.pkcs.pkcs11.objects.RSAPublicKey.readAttributes(RSAPublicKey.java:242) at iaik.pkcs.pkcs11.objects.Object.<init>(Object.java:223) at iaik.pkcs.pkcs11.objects.Storage.<init>(Storage.java:105) at iaik.pkcs.pkcs11.objects.Key.<init>(Key.java:321) at iaik.pkcs.pkcs11.objects.PublicKey.<init>(PublicKey.java:119) at iaik.pkcs.pkcs11.objects.RSAPublicKey.<init>(RSAPublicKey.java:96) at iaik.pkcs.pkcs11.objects.RSAPublicKey.getInstance(RSAPublicKey.java:118) at iaik.pkcs.pkcs11.objects.PublicKey.getInstance(PublicKey.java:156) at iaik.pkcs.pkcs11.objects.Object.getInstance(Object.java:262) at iaik.pkcs.pkcs11.Session.generateKeyPair(Session.java:1260) at demo.pkcs.pkcs11.GenerateKeyPair.main(GenerateKeyPair.java:105) ################################################################################ Close Session... PKCS#11 session logout successful 4) Check the NSS key db store for the contents: D:\workdir\devunit\KMDemo>certutil -K -d sql:D:\workdir\devunit\KMDemo\NSS\db certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services" Enter Password or Pin for "NSS Certificate DB": < 0> rsa "60b0df57-df82-4a73-b1c9-7fc17204e1d0;157" KMRootCA NOTE: I see the exception in the console as well as notice that NSS store having the key. Debugged IAIK: • Enabled debugging of IAIK PKCS#11 Wrapper module. 01/23/20 19:38:18 ERROR: got 5 instead of CKR_OK, going to raise an exception (in Java_iaik_pkcs_pkcs11_wrapper_PKCS11Implementation_C_1GetAttributeValue) • I decided to build/debug the native pkcs11Wrapper code with the Java sample client. JNIEXPORT void JNICALL Java_iaik_pkcs_pkcs11_wrapper_PKCS11Implementation_C_1GetAttributeValue (JNIEnv *env, jobject obj, jlong jSessionHandle, jlong jObjectHandle, jobjectArray jTemplate, jboolean jUseUtf8) { ..... rv = (*ckpFunctions->C_GetAttributeValue)(ckSessionHandle, ckObjectHandle, ckpAttributes, ckAttributesLength); ... } Values in the variable when this failure occurred .. rv = 5 + ckpAttributes 0x0000000017e7cb00 {type=1073742353 pValue=0x0000000017e76980 ulValueLen=240 } CK_ATTRIBUTE * ckObjectHandle 2357156729 unsigned long + ckpFunctions softokn3.dll!0x00007ffee9b0c620 (load symbols for additional information) {version={major=1 '\x1' minor=...} ...} CK_FUNCTION_LIST * ckSessionHandle 16777217 unsigned long ckAttributesLength 23 unsigned long • The above highlighted code does make a call to NSS ( softtokn3 ) and receives 5 ( which stands for CKR_GENERAL_ERROR ) for the ckpAttributes type=1073742353. I approached IAIK, here’s the response they provided … On Fri, Jan 24, 2020 at 3:12 AM SIC/IAIK <XXXX> wrote: The ckpAttributes that you have viewed in the debugger is actually an array with multiple ckAttributes. Specifically 1073742353 is the CKA_WRAP_TEMPLATE attribute. I traced the error down to this NSS git commit [1]. There is seemingly a problem when querying ArrayAttributes. It produces an sqlite_error in the NSS code. However, I'm pretty sure that this error is an actual NSS error and cannot be fixed from our side. I would suggest to file a bug report. [1]: https://github.com/nss-dev/nss/commit/f572a15e45c5c4a26a0ada7ee008843ad19ec202 Please let us know .. Thanks.. _______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security